[strongSwan] Packets not being encapsulated

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 23 18:47:26 CET 2011

The forceencaps=yes parameter is ignored by the IKEv1 daemon
and applies to IKEv2 only. Because of the NAT router in between
ESP is encapsulated in UDP anyway:

root at granville:~# ip xfrm state
    proto esp spi 0x295edd15 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth hmac(sha1) 0x0ba38e23a79f79f7f96690d2d166b315f60b60bb
    enc cbc(aes) 0xdf238a47bb128a41d94f60452411cd26
    encap type espinudp sport 4500 dport 4500 addr



On 23.03.2011 18:35, Alexis Salinas wrote:
> Hi Russ,
> I noticed you are using 'forceencaps=yes', so I think your traffic will not be ESP but UDP port 4500.
> Do you see any of those packets?+
> Cheers,
> Alexis

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list