Openswan: Works, but... (fwd)
Roger Grosswiler
roger at gwch.net
Sun Feb 8 19:10:02 UTC 2009
Am Sun, 8 Feb 2009 13:31:24 -0500 (EST)
schrieb Paul Wouters <paul at xelerance.com>:
> On Sun, 8 Feb 2009, D. Hugh Redelmeier wrote:
>
> > According to the homepage of openswan, i configured a server and a
> > roadwarrior (think this is host-to-host).
> >
> > Using tcpdump, i see, that traffic between those 2 hosts is
> > encrypted, if the server is the endpoint.
> >
> > this server is a transparent proxy. so, if i surf eg. to google via
> > this server, the traffic seems no longer encrypted to me. (no
> > esp-packets mentionned in tcpdump).
> >
> > Even my mailserver is not on the same machine, so this traffic isn't
> > encrypted either.
>
> Either use a leftsubnet=lan/mask to make the IPsec tunnel cover your
> LAN ip range, or send everything using leftsubnet=0.0.0.0/0.
>
> Paul
Hi,
I changed this on the server-side, but not on the client side.
Result from tcpdump from the client (wenn opening google in the
browser):
20:07:48.742497 IP client > server:
ESP(spi=0x3052e16e,seq=0x27), length 100 20:07:48.744033 IP
server > client: ESP(spi=0x3729843c,seq=0x25), length
100 20:07:48.744033 IP fx-in-f99.google.com.http >
client.49006: . ack 794 win 231 <nop,nop,timestamp 690888417
125678582>
Roger
More information about the fedora-list
mailing list