IPSec Packets dropped on windows. "Bad SPI Pckt" Error
I am working on a TAP device on Windows. I use the libipsec/kernel_libipsec plugin of strongSwan for the implementation of IPsec. I am able to successfully send the ESP packets to my server. When I receive a response from the server, Windows detects the packets as ESP packets and tries to make sense of the SPI number of the packet.
Since I am not using Windows' implementation of IPsec, there is no SA policy set in the kernel IPsec. So Windows fails to find any SA associated with the SPI and discards those packets, saying "Bad SPI Pckt".
Hence the application that is waiting on the receive socket never receives the packet.
I am able to capture the ESP packets in Wireshark. I can see the SPI number and the ESP header as well.
The netsh command "netsh IPsec dynamic show all" shows the error counter "Bad SPI Pckts Count", which matches the packets captured in Wireshark.
I expect Windows to just pass on the packets to the application and interfere with the communication. Is there some way I can disable IPsec on Windows, or is this some other issue that I am not able to understand? Can anyone help me out here please?
Note: I have disabled the wfp plugin of strongSwan, and in the netsh command to show policy I do not see any policies set for inbound/outbound traffic.
Thank you in advance.
#2 Updated by Rohit Magdum about 1 month ago
Thank you for your quick reply. Pardon my ignorance, can you please let me know how this encapsulation works? I mean, is it expected to happen at the server end from where the packets are sent, or at the receiving end on Windows can we do anything for the encapsulation? Again, pardon me for the dumb questions.
#3 Updated by Tobias Brunner about 1 month ago
Pardon my ignorance, can you please let me know how this encapsulation works?
Maybe search for and learn about it?
I mean, is it expected to happen at the server end from where the packets are sent, or at the receiving end on Windows can we do anything for the encapsulation?
Both ends have to use UDP encapsulation.
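To make the difference between the two delivery paths concrete, here is an added example (not code from the thread or from strongSwan) that parses constructed IPv4 packets the way a receiving host sees them. Raw ESP (IP protocol 50) is handed to the kernel IPsec stack, which looks the SPI up in its Security Association Database; with no matching SA the packet is the "Bad SPI" case above. UDP-encapsulated ESP on port 4500 (RFC 3948) arrives as ordinary UDP, so it reaches the user-space socket that libipsec reads from regardless of what the kernel knows. The `inbound_sad` set, the sample packets and the `kernel_action` labels are a simplified model built for this example; the SPI value and addresses are made up.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500                    # UDP port for IPsec NAT traversal (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes on UDP 4500 = IKE, not ESP


def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (IHL=5, checksum left zero) in front of payload (constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with the checksum left zero (constructed)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_header(spi: int, seq: int) -> bytes:
    """The first 8 bytes of an ESP packet: SPI and sequence number."""
    return struct.pack("!II", spi, seq)


def classify(pkt: bytes, inbound_sad: set) -> dict:
    """Classify one IPv4 packet as the receiving host would.

    inbound_sad models the kernel's Security Association Database (the set of
    inbound SPIs it knows). In the thread that set is empty because the SAs live
    in user-space libipsec, so every raw ESP packet is a "Bad SPI" drop.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]

    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        action = "decrypt-in-kernel" if spi in inbound_sad else "drop-bad-spi"
        return {"encap": "raw-esp", "spi": spi, "seq": seq, "kernel_action": action}

    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        udp_payload = payload[8:]
        if NAT_T_PORT not in (sport, dport):
            return {"encap": "udp-other", "dport": dport, "kernel_action": "deliver-to-socket"}
        # RFC 3948 demultiplexing on UDP 4500
        if udp_payload == b"\xff":
            return {"encap": "nat-keepalive", "kernel_action": "deliver-to-socket"}
        if udp_payload[:4] == NON_ESP_MARKER:
            return {"encap": "udp-ike", "kernel_action": "deliver-to-socket"}
        spi, seq = struct.unpack("!II", udp_payload[:8])
        # No SPI lookup here: with no kernel SA the packet is plain UDP to the host
        return {"encap": "udp-esp", "spi": spi, "seq": seq, "kernel_action": "deliver-to-socket"}

    return {"encap": "other", "proto": proto, "kernel_action": "deliver-to-socket"}


def bad_spi_count(packets, inbound_sad: set) -> int:
    """Mirror of the "Bad SPI Pckts Count" counter: raw ESP with an unknown SPI."""
    return sum(1 for p in packets if classify(p, inbound_sad)["kernel_action"] == "drop-bad-spi")


# Constructed sample traffic; SPI and payload bytes are arbitrary.
SPI = 0xC0FFEE01
ESP_BODY = esp_header(SPI, 1) + b"\x00" * 16
RAW_ESP_PKT = build_ipv4(IPPROTO_ESP, ESP_BODY)
UDP_ESP_PKT = build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY))
UDP_IKE_PKT = build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28))
KEEPALIVE_PKT = build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, b"\xff"))

if __name__ == "__main__":
    for name, p in [("raw ESP", RAW_ESP_PKT), ("UDP-encapsulated ESP", UDP_ESP_PKT),
                    ("IKE on 4500", UDP_IKE_PKT), ("NAT keepalive", KEEPALIVE_PKT)]:
        print(f"{name:22s} -> {classify(p, set())}")
    print("Bad SPI packets with empty kernel SAD:", bad_spi_count([RAW_ESP_PKT, UDP_ESP_PKT], set()))
```

Running it with an empty `inbound_sad` shows the raw ESP packet counted as a Bad SPI drop while the same ESP bytes wrapped in UDP 4500 are delivered to the socket, which is why both peers have to agree on UDP encapsulation: the server must send UDP-encapsulated ESP, and the Windows side must expect it on port 4500.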