netdev.vger.kernel.org archive mirror
* ipsec 2.5.70 trouble
From: Andreas Jellinghaus @ 2003-05-29 19:05 UTC (permalink / raw)
  To: netdev@oss.sgi.com

I create a single ping; I can see the packet in plain in the iptables OUTPUT
chain, and I can see the packet encrypted with tcpdump on the source machine.

But on the target machine (same LAN), I see the packet encrypted, but where
is that second packet in tcpdump coming from?

ping 192.168.1.1

The source machine has its real IP 192.168.0.10 on eth0 and, for IPsec, an
additional 192.168.3.2, a default route with src 192.168.3.2, and an IPsec
policy that puts everything from/to 192.168.3.2 into a tunnel
192.168.0.10-192.168.0.1.

source machine iptables
May 29 20:36:26 simulacron kernel: iptlog.output IN= OUT=eth0 SRC=192.168.3.2 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=32002 SEQ=1

source machine tcpdump
20:36:26.296466 192.168.0.10 > 192.168.0.1: ESP(spi=0x0dfc33a3,seq=0x7) (DF)

destination machine tcpdump
tcpdump: listening on eth0
20:35:23.773924 192.168.0.10 > 192.168.0.1: ESP(spi=0x0dfc33a3,seq=0x7) (DF)
20:35:23.773924 truncated-ip - 24 bytes missing!192.168.0.10 > 192.168.0.1: truncated-ip - 13087 bytes missing!64.4.224.214 > 192.168.0.10: (frag 17664:13167@672) [tos 0xfc]  (ipip)

destination machine iptables
May 29 20:35:23 localhost kernel: iptlog.input IN=eth0 OUT= MAC=00:e0:7d:01:bb:0d:00:04:76:45:01:6e:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=55297 DF PROTO=ESP SPI=0xdfc33a3

Regards, Andreas


* Re: ipsec 2.5.70 trouble
From: David S. Miller @ 2003-05-29 21:14 UTC (permalink / raw)
  To: aj; +Cc: netdev

   From: Andreas Jellinghaus <aj@dungeon.inka.de>
   Date: 29 May 2003 21:05:55 +0200
   
   but on the target machine (same lan), I see the
   packets encrypted, but where is that second packet in tcpdump
   comming from?

After we do the transformation, we stick it back into
the network stack input to prevent stack exhaustion.

And yes it is on purpose and not changing.

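A toy model of the behaviour described in the reply above, added here as an illustration and not kernel code: after the ESP transform, the decapsulated packet is put back on the input queue instead of being processed on the current call stack. Two things fall out of that design, and the model shows both: a tap on the input path (tcpdump, the iptables INPUT chain) sees the packet twice, once as ESP and once decapsulated, and nesting depth cannot exhaust the stack. The packet format and the "ESP" wrapper are constructed stand-ins with no real cryptography.

```python
"""Toy model: ESP decapsulation with re-injection into the input queue
versus recursive processing. Added example, not kernel code; the packet
format below is a constructed stand-in (tag byte, 2-byte length, inner
packet) with no real cryptography."""
from collections import deque

ESP_TAG = b"\x32"    # IP protocol number 50 (ESP), reused as a toy marker
PLAIN_TAG = b"\x01"  # toy marker for an ordinary packet (ICMP is protocol 1)


def wrap_esp(inner: bytes) -> bytes:
    """Constructed stand-in for ESP tunnel-mode encapsulation (no crypto)."""
    return ESP_TAG + len(inner).to_bytes(2, "big") + inner


def unwrap_esp(pkt: bytes) -> bytes:
    """Inverse of wrap_esp: the 'transform' that recovers the inner packet."""
    if pkt[:1] != ESP_TAG:
        raise ValueError("not an ESP packet")
    n = int.from_bytes(pkt[1:3], "big")
    return pkt[3:3 + n]


def nested(inner: bytes, layers: int) -> bytes:
    """inner wrapped in `layers` tunnels (tunnel inside tunnel)."""
    for _ in range(layers):
        inner = wrap_esp(inner)
    return inner


def deliver_recursive(pkt: bytes, tap: list) -> bytes:
    """Naive design: handle the decapsulated packet by calling ourselves.
    Every tunnel layer costs one stack frame."""
    tap.append(pkt)
    if pkt[:1] == ESP_TAG:
        return deliver_recursive(unwrap_esp(pkt), tap)
    return pkt


def deliver_requeue(pkt: bytes, tap: list) -> bytes:
    """Design the reply describes: the result of the transform goes back onto
    the input queue and is handled by the same loop at the same stack depth."""
    rx_queue = deque([pkt])
    final = None
    while rx_queue:
        p = rx_queue.popleft()
        tap.append(p)                        # every entry into the input path is tapped
        if p[:1] == ESP_TAG:
            rx_queue.append(unwrap_esp(p))   # re-inject, do not recurse
        else:
            final = p
    return final


def tap_view(layers: int) -> list:
    """What a tap on the receiving interface observes for one tunnelled ping."""
    tap = []
    deliver_requeue(nested(PLAIN_TAG + b"ping", layers), tap)
    return tap


def recursive_survives(layers: int) -> bool:
    """True if the recursive design copes with `layers` nested tunnels without
    exhausting the (Python) stack; the requeue design has no such limit."""
    try:
        deliver_recursive(nested(PLAIN_TAG + b"ping", layers), [])
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    seen = tap_view(1)
    print(len(seen), "packets on the tap:", [p[:1] for p in seen])   # ESP first, then plain
    print("recursive ok at 3 layers:", recursive_survives(3))
    print("recursive ok at 5000 layers:", recursive_survives(5000))
    deep = nested(PLAIN_TAG + b"ping", 5000)
    print("requeue ok at 5000 layers:", deliver_requeue(deep, []) == PLAIN_TAG + b"ping")
```

The second tap entry is the one the original question was asking about: it is not a second packet on the wire, it is the same packet going through the input path again after decapsulation. When capturing on the outer interface, `tcpdump esp` and `tcpdump not esp` separate the two views.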

* Re: ipsec 2.5.70 trouble
From: Andreas Jellinghaus @ 2003-05-29 23:39 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev

On Thu, 2003-05-29 at 23:14, David S. Miller wrote:
> After we do the transformation, we stick it back into
> the network stack input to prevent stack exhaustion.
> 
> And yes it is on purpose and not changing.

ok. I can't "GET http://www.microsoft.com/" (and lots of other
websites). The setup is laptop -> wlan+ipsec (esp, tunnel mode) ->
firewall+nat -> pppoe -> internet.

01:34:25.500786 212.202.202.151.33369 > 207.46.249.190.80: S 750265125:750265125(0) win 5840 <mss 1460,sackOK,timestamp 17523110 0,nop,wscale 0> (DF)
01:34:25.661897 207.46.249.190.80 > 212.202.202.151.33369: S 2015313287:2015313287(0) ack 750265126 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
01:34:25.665581 212.202.202.151.33369 > 207.46.249.190.80: . ack 1 win 5840 <nop,nop,timestamp 17523275 0> (DF)
01:34:25.676682 212.202.202.151.33369 > 207.46.249.190.80: P 1:93(92) ack 1 win 5840 <nop,nop,timestamp 17523286 0> (DF)
01:34:26.513105 212.202.202.151.33369 > 207.46.249.190.80: P 1:93(92) ack 1 win 5840 <nop,nop,timestamp 17524123 0> (DF)
01:34:26.673758 207.46.249.190.80 > 212.202.202.151.33369: . ack 93 win 65443 <nop,nop,timestamp 3697004 17524123> (DF)
01:34:28.437372 212.202.202.151.33369 > 207.46.249.190.80: F 93:93(0) ack 1 win 5840 <nop,nop,timestamp 17526047 0> (DF)
01:34:28.597316 207.46.249.190.80 > 212.202.202.151.33369: . ack 94 win 65443 <nop,nop,timestamp 3697024 17526047> (DF)

Can I do anything about this?

Thanks, Andreas


* Re: ipsec 2.5.70 trouble
From: David S. Miller @ 2003-05-29 23:47 UTC (permalink / raw)
  To: aj; +Cc: netdev

   From: Andreas Jellinghaus <aj@dungeon.inka.de>
   Date: 30 May 2003 01:39:43 +0200
   
   Can I do anything about this?

The connection looks fine, 212.202.202.151 simply isn't sending any
data back.  Maybe dropped PMTU messages, can you get a trace from the
other end of the IPSEC tunnel?

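The size arithmetic behind two things in this thread, added as an example that is not part of the original messages: the LEN=84 ping in the first message that shows up on the far side as a LEN=152 ESP packet, and the PMTU explanation offered in the last reply (handshake and the small 92-byte request go through, full-size data segments never arrive, which is what a path-MTU black hole looks like when ICMP fragmentation-needed is dropped). Assumptions, none of which the thread states: IPv4 in both headers; the ESP layout of RFC 2406 (SPI and sequence number, IV, payload, padding, pad-length, next-header, ICV); AES-CBC with a 16-byte IV and block and a 12-byte HMAC ICV as the default suite, inferred only because it reproduces 84 -> 152; a 1500-byte MTU on the WLAN carrying the tunnel and 1492 bytes on the PPPoE link upstream.

```python
"""ESP tunnel-mode size arithmetic: encapsulated length, inner MTU,
fragmentation-needed decisions and the matching TCP MSS clamp.
Added example; cipher suite and link MTUs are assumptions, see lead-in."""

ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
OUTER_IP = 20     # outer IPv4 header without options


def esp_tunnel_len(inner_len, iv_len=16, block=16, icv_len=12):
    """Wire length of an inner IPv4 packet of inner_len bytes after ESP
    tunnel-mode encapsulation. Padding brings payload + trailer up to a
    multiple of the cipher block size (defaults assume AES-CBC, HMAC-96)."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_len(outer_mtu, **suite):
    """Largest inner packet that still fits outer_mtu after encapsulation.
    This is the MTU the tunnel endpoint has to report in ICMP
    fragmentation-needed for DF packets that do not fit."""
    n = outer_mtu
    while n > 0 and esp_tunnel_len(n, **suite) > outer_mtu:
        n -= 1
    return n


def needs_frag_needed(inner_len, outer_mtu, **suite):
    """True if a DF-marked packet of inner_len bytes cannot enter the tunnel
    and must be answered with ICMP type 3 code 4 instead of being forwarded."""
    return esp_tunnel_len(inner_len, **suite) > outer_mtu


def mss_clamp(outer_mtu, **suite):
    """TCP MSS to advertise (or clamp on the tunnel endpoint) so full-size
    segments fit without relying on PMTU discovery: inner MTU minus a 20-byte
    IP header and a 20-byte TCP header."""
    return max_inner_len(outer_mtu, **suite) - 40


if __name__ == "__main__":
    print("84-byte ping ->", esp_tunnel_len(84), "bytes on the wire (AES-CBC, HMAC-96)")
    print("84-byte ping ->", esp_tunnel_len(84, iv_len=8, block=8), "bytes (3DES-CBC, HMAC-96)")
    print("inner MTU over a 1500-byte WLAN:", max_inner_len(1500))
    print("1492-byte DF segment from the PPPoE side needs ICMP frag-needed:",
          needs_frag_needed(1492, 1500))
    print("MSS clamp for the tunnel:", mss_clamp(1500))
```

A full-size DF segment arriving from the PPPoE side does not fit the tunnel, so the firewall must send fragmentation-needed back to the web server, through its own NAT and whatever filters the upstream applies. If that ICMP is lost, the server keeps retransmitting the large segment and the client sees exactly the trace above. Clamping the MSS on the tunnel endpoint (the value `mss_clamp` computes) removes the dependency on ICMP delivery for TCP; it does not help other protocols, which still need the ICMP to get through.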
