I am using the racoon tool for IPsec. We have seen some unencrypted packets being transferred between the IPsec-configured devices. After configuring IPsec (via the KAME tool racoon on both devices, say A and B), when we ping from A to B, it starts the IPsec handshake for phase 1 and 2. But before the handshake completes, we see a couple of ping replies from B to A that are unencrypted. Also, the configuration does not prohibit unencrypted packets from A from reaching B even after the handshake gets complete. After the IPsec handshake, if we try to access some app from A to B (e.g. access B’s web page from A), we see lots of unencrypted packets being sent from B to A (using an Ethernet packet sniffing tool).

Current setkey.conf is somewhat like:

    spdadd <IP A> <IP B> any -P in ipsec esp/transport//use;

I tried to reject unencrypted packets by using ‘require’, instead of ‘use’:

    spdadd <IP A> <IP B> any -P in ipsec esp/transport//require;

But now even the handshake isn’t getting completed. So no IPsec connection can get established between A and B. Can somebody help me with how I can get over this issue?
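As an added example (not from the original post), here is a complete setkey.conf for host A that keeps the `require` level but still lets the IKE handshake complete. The post's policy only covers the `in` direction, so A's own outbound traffic is never required to be protected, and B's replies are governed by B's policy, not A's; with `require` on `any` protocol, racoon's own IKE packets (UDP port 500) also match the policy and are dropped because no SA exists yet. The example assumes placeholder addresses 192.0.2.1 for A and 192.0.2.2 for B, exempts only IKE with a `none` policy, and mirrors the two directions; B needs the same file with the addresses swapped.

```conf
# setkey.conf for host A (192.0.2.1); host B is 192.0.2.2 (placeholder addresses)
# Added example, not the original poster's configuration.

# Start from a clean security policy database.
spdflush;

# Exempt IKE (UDP/500) in both directions so the racoon handshake itself
# is not caught by the "require" policy before any SA exists.
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;

# Everything else between A and B must be ESP-protected in transport mode.
# "require" means packets without a matching SA are dropped rather than
# passed in the clear, unlike "use".
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Load it with `setkey -f /etc/setkey.conf` and verify with `setkey -DP`; once racoon has negotiated phase 2, `setkey -D` should list the ESP SAs, and a sniffer between A and B should then show only IKE on UDP/500 and ESP, with no cleartext ICMP or HTTP. If NAT traversal is in use, a matching pair of `none` rules for UDP/4500 would also be needed (an assumption about the deployment, not something stated in the post).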