On May 7, 2024, at 04:21, Phil Nightowl <[email protected]> wrote:
>
>>> Can you share the "ipsec traffic" output after doing a few pings over
>>> the tunnel? I have a feeling you might not actually have a plaintext
>>> leak, you just think you do because of the way tcpdump hooks into
>>> the kernel network/ipsec stack.
>
> Actually, I did check this one. To be on the safe side, I did even both
>
> $ ping srv.pp.uu.bb
>
> (getting responses in plaintext, most likely not from the server itself, but
> rather from the NATting router as ICMP is not forwarded)
>
> and
>
> $ ping srv.ii.nn.tt
>
> (getting no response, I assume that packets get out in clear and get dropped
> afterwards as they are intended for an RFC1918 host)
>
> After giving each of the two a minute or so, the output of the following
>
> # ipsec traffic
>
> on the roadwarrior is as expected:
>
> 006 #2: "main"[1] srv.pp.uu.bb, type=ESP, add_time=1715065841, inBytes=0,
> outBytes=0, maxBytes=2^63B, id='C=ZZ, O=Privlan, CN=server.privlan'
Your outgoing bytes never made it to the IPsec stack. If multi-homed, use ping -I with your source ip to pick the right source ip? If NATing, disable it for the IPsec ip ranges? Check ip_forwarding and check rp_filter is disabled?

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
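The checks suggested in the reply, collected into a small audit script. This is an added example, not code from the thread or from the Libreswan project; the sample SA line is constructed after the one quoted above, and the `audit_host` function assumes a Linux host with `ipsec`, `sysctl` and `iptables` on the path.

```shell
#!/bin/sh
# Added example: audit the "plaintext leak" symptom discussed in the thread.
# An ESP SA with outBytes=0 means the kernel never matched an xfrm policy for
# the pings, so they left the box in clear (answered by the NAT router).

# Constructed sample, modelled on the "ipsec traffic" line quoted in the thread.
SAMPLE_TRAFFIC="006 #2: \"main\"[1] srv.pp.uu.bb, type=ESP, add_time=1715065841, inBytes=0, outBytes=0, maxBytes=2^63B, id='C=ZZ, O=Privlan, CN=server.privlan'"

# Read "ipsec traffic" output on stdin; print "#<sa> <conn> <peer>" for every
# ESP SA that has sent nothing.
zero_out_sas() {
    grep 'type=ESP' | grep 'outBytes=0,' |
        sed -E 's/^[0-9]+ (#[0-9]+): ("[^"]*")\[[0-9]+\] ([^,]+),.*/\1 \2 \3/'
}

# Classify a net.ipv4.conf.*.rp_filter value. Strict mode (1) can drop packets
# decapsulated from the tunnel whose source the kernel would route elsewhere.
rp_filter_verdict() {
    case "$1" in
        0) echo "ok: rp_filter disabled" ;;
        2) echo "warn: rp_filter loose" ;;
        1) echo "bad: rp_filter strict, disable it for the IPsec interfaces" ;;
        *) echo "unknown: $1" ;;
    esac
}

# Live checks on this host (hypothetical helper, run with --audit).
audit_host() {
    ipsec traffic | zero_out_sas | while read -r sa conn peer; do
        echo "SA $sa ($conn -> $peer) has outBytes=0: traffic is bypassing IPsec"
    done
    echo "net.ipv4.ip_forward=$(sysctl -n net.ipv4.ip_forward)"
    for f in all default; do
        echo "rp_filter($f): $(rp_filter_verdict "$(sysctl -n net.ipv4.conf.$f.rp_filter)")"
    done
    # MASQUERADE applied before the xfrm lookup rewrites the source address, so
    # no IPsec policy matches. Exempt IPsec-bound packets from NAT with:
    #   iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    if ! iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- '--pol ipsec'; then
        echo "no NAT exemption for IPsec traffic in nat/POSTROUTING"
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```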
