Re: ipsec routing question
* Angelos D. Keromytis (angelos@cis.upenn.edu) [010119 01:13]:
> >> Do the ping packets even arrive at the local firewall interface ?
> >
> >Yes, loud and clear.
>
> And they match the ipsecadm flow -addr argument ? I.e., from
> 192.168.1/24 to 10.0.1/24 ?

This is an example where I ping from the remote side and the
local side, photo taken on internal interface:

01:16:40.589406 192.168.1.1 > 10.0.1.254: icmp: echo reply
01:16:40.801323 192.168.1.11 > 10.0.1.254: icmp: echo request
01:16:41.801020 192.168.1.11 > 10.0.1.254: icmp: echo request
01:16:42.800726 192.168.1.11 > 10.0.1.254: icmp: echo request
01:16:43.800417 192.168.1.11 > 10.0.1.254: icmp: echo request
01:16:44.800121 192.168.1.11 > 10.0.1.254: icmp: echo request
01:16:45.569301 10.0.1.254 > 192.168.1.1: icmp: echo request
01:16:45.569708 192.168.1.1 > 10.0.1.254: icmp: echo reply
01:16:45.799838 192.168.1.11 > 10.0.1.254: icmp: echo request

This is what I see on the enc0:

t@petrus~> tcpdump -ni enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0
01:19:10.575825 (authentic,confidential): SPI 0x464af055: 195.84.181.91 > 195.84.105.112: ip-proto-4 84
01:19:15.598339 (authentic,confidential): SPI 0x464af055: 195.84.181.91 > 195.84.105.112: ip-proto-4 84
01:19:20.594471 (authentic,confidential): SPI 0x464af055: 195.84.181.91 > 195.84.105.112: ip-proto-4 84
01:19:30.566308 (authentic,confidential): SPI 0x464af055: 195.84.181.91 > 195.84.105.112: ip-proto-4 84

Note that I ping from the remote with ping -i5, so I do not have
immense package loss.