* ipsec 2.5.70 trouble
From: Andreas Jellinghaus
Date: 2003-05-29 19:05 UTC
To: netdev@oss.sgi.com

I create a single ping. I can see the packet plain in the OUTPUT iptable, and I can see the packet encrypted with tcpdump on the source machine. But on the target machine (same LAN) I see the packets encrypted, but where is that second packet in tcpdump coming from?

ping 192.168.1.1

The source machine has a real IP on eth0, 192.168.0.10, and for IPsec an additional 192.168.3.2, a default route with src 192.168.3.2, and an IPsec policy that puts everything from/to 192.168.3.2 in a tunnel 192.168.0.10-192.168.0.1.

source machine iptables:
May 29 20:36:26 simulacron kernel: iptlog.output IN= OUT=eth0 SRC=192.168.3.2 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=32002 SEQ=1

source machine tcpdump:
20:36:26.296466 192.168.0.10 > 192.168.0.1: ESP(spi=0x0dfc33a3,seq=0x7) (DF)

destination machine tcpdump:
tcpdump: listening on eth0
20:35:23.773924 192.168.0.10 > 192.168.0.1: ESP(spi=0x0dfc33a3,seq=0x7) (DF)
20:35:23.773924 truncated-ip - 24 bytes missing!192.168.0.10 > 192.168.0.1: truncated-ip - 13087 bytes missing!64.4.224.214 > 192.168.0.10: (frag 17664:13167@672) [tos 0xfc] (ipip)

destination machine iptables:
May 29 20:35:23 localhost kernel: iptlog.input IN=eth0 OUT= MAC=00:e0:7d:01:bb:0d:00:04:76:45:01:6e:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=55297 DF PROTO=ESP SPI=0xdfc33a3

Regards, Andreas
* Re: ipsec 2.5.70 trouble
From: David S. Miller
Date: 2003-05-29 21:14 UTC
To: aj; +Cc: netdev

> From: Andreas Jellinghaus <aj@dungeon.inka.de>
> Date: 29 May 2003 21:05:55 +0200
>
> But on the target machine (same LAN) I see the packets encrypted, but
> where is that second packet in tcpdump coming from?

After we do the transformation, we stick it back into the network stack input to prevent stack exhaustion.

And yes, it is on purpose and not changing.
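David's answer explains the second line in the destination capture: after ESP processing the decrypted, decapsulated packet is handed back to the receive path, and tcpdump's tap sees it a second time even though it was never on the wire. In the posted trace that copy carries the same timestamp and outer addresses as the ESP packet and is parsed as ipip (the inner IP header of tunnel mode); the "truncated-ip - N bytes missing!" prefix means the snaplen cut the packet short. The following Python is an added example, not code from the thread or the kernel: it recognises such ESP/copy pairs in tcpdump -n output so that an audit for cleartext leaving a host does not count reinjected copies as leaks. The sample lines are constructed and modelled on the posted trace (the reverse-direction SPI is invented), and the same-timestamp, same-outer-address heuristic is an assumption drawn from that trace, not a documented guarantee. The authoritative check is a capture on a third host or a mirror port, where the decapsulated copy must not appear.

```python
import re

# One tcpdump -n line of 2003-era output (no "IP " prefix), IPv4 only:
# timestamp, optional snaplen-truncation note, outer src > dst, remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:truncated-ip - \d+ bytes missing!)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r"(?P<rest>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)")

# Constructed sample (assumption: modelled on the posted destination-side trace;
# the third line's SPI is invented to stand for the reply direction).
SAMPLE = """\
20:35:23.773924 192.168.0.10 > 192.168.0.1: ESP(spi=0x0dfc33a3,seq=0x7) (DF)
20:35:23.773924 truncated-ip - 24 bytes missing!192.168.0.10 > 192.168.0.1: 192.168.3.2 > 192.168.1.1: icmp: echo request (ipip)
20:35:23.774102 192.168.0.1 > 192.168.0.10: ESP(spi=0x1a2b3c4d,seq=0x7) (DF)
20:35:24.001000 192.168.0.5.2049 > 192.168.0.1.800: . ack 1 win 5840 (DF)
""".splitlines()


def parse(line):
    """Split one capture line into fields; return None for lines we do not handle (ARP etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    esp = ESP_RE.search(rec["rest"])
    rec["esp"] = (esp.group("spi"), esp.group("seq")) if esp else None
    return rec


def classify(lines):
    """Tag every parsed record as 'esp', 'plain' or 'decapsulated-copy'.

    A non-ESP record directly after an ESP record with the same timestamp and the
    same outer addresses is taken to be the kernel's reinjected decrypted copy
    (heuristic, see lead-in). Each tuple: (kind, ts, src, dst, (spi, seq) or None).
    """
    recs = [r for r in (parse(l) for l in lines) if r]
    out = []
    i = 0
    while i < len(recs):
        r = recs[i]
        if r["esp"] and i + 1 < len(recs):
            n = recs[i + 1]
            if (not n["esp"] and n["ts"] == r["ts"]
                    and n["src"] == r["src"] and n["dst"] == r["dst"]):
                out.append(("esp", r["ts"], r["src"], r["dst"], r["esp"]))
                out.append(("decapsulated-copy", n["ts"], n["src"], n["dst"], r["esp"]))
                i += 2
                continue
        out.append(("esp" if r["esp"] else "plain", r["ts"], r["src"], r["dst"], r["esp"]))
        i += 1
    return out


def on_wire(lines):
    """Records that actually crossed the link: everything except reinjected copies."""
    return [c for c in classify(lines) if c[0] != "decapsulated-copy"]


if __name__ == "__main__":
    for kind, ts, src, dst, esp in classify(SAMPLE):
        print(f"{ts} {src} > {dst}: {kind}" + (f" spi={esp[0]} seq={esp[1]}" if esp else ""))
    print(f"{len(on_wire(SAMPLE))} of {len(classify(SAMPLE))} records were on the wire")
```

Run it against a real capture with `classify(open("cap.txt").read().splitlines())`; anything tagged `plain` with a private inner address that should have been covered by the policy is the finding, whereas a `decapsulated-copy` is the expected local artefact David describes.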
* Re: ipsec 2.5.70 trouble
From: Andreas Jellinghaus
Date: 2003-05-29 23:39 UTC
To: David S. Miller; +Cc: netdev

On Thu, 2003-05-29 at 23:14, David S. Miller wrote:
> After we do the transformation, we stick it back into
> the network stack input to prevent stack exhaustion.
>
> And yes it is on purpose and not changing.

ok.

I can't "GET http://www.microsoft.com/" (and lots of other websites). The setup is laptop -> wlan+ipsec (esp, tunnel mode) -> firewall+nat -> pppoe -> internet.

01:34:25.500786 212.202.202.151.33369 > 207.46.249.190.80: S 750265125:750265125(0) win 5840 <mss 1460,sackOK,timestamp 17523110 0,nop,wscale 0> (DF)
01:34:25.661897 207.46.249.190.80 > 212.202.202.151.33369: S 2015313287:2015313287(0) ack 750265126 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
01:34:25.665581 212.202.202.151.33369 > 207.46.249.190.80: . ack 1 win 5840 <nop,nop,timestamp 17523275 0> (DF)
01:34:25.676682 212.202.202.151.33369 > 207.46.249.190.80: P 1:93(92) ack 1 win 5840 <nop,nop,timestamp 17523286 0> (DF)
01:34:26.513105 212.202.202.151.33369 > 207.46.249.190.80: P 1:93(92) ack 1 win 5840 <nop,nop,timestamp 17524123 0> (DF)
01:34:26.673758 207.46.249.190.80 > 212.202.202.151.33369: . ack 93 win 65443 <nop,nop,timestamp 3697004 17524123> (DF)
01:34:28.437372 212.202.202.151.33369 > 207.46.249.190.80: F 93:93(0) ack 1 win 5840 <nop,nop,timestamp 17526047 0> (DF)
01:34:28.597316 207.46.249.190.80 > 212.202.202.151.33369: . ack 94 win 65443 <nop,nop,timestamp 3697024 17526047> (DF)

Can I do anything about this?

Thanks, Andreas
* Re: ipsec 2.5.70 trouble
From: David S. Miller
Date: 2003-05-29 23:47 UTC
To: aj; +Cc: netdev

> From: Andreas Jellinghaus <aj@dungeon.inka.de>
> Date: 30 May 2003 01:39:43 +0200
>
> Can I do anything about this?

The connection looks fine, 212.202.202.151 simply isn't sending any data back.

Maybe dropped PMTU messages, can you get a trace from the other end of the IPSEC tunnel?
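The trace fits David's suspicion: the handshake completes, the 92-byte request is acknowledged, but the web server's response, which would arrive as full-sized segments, never shows up. Both SYNs advertise mss 1460, i.e. 1500-byte packets sized for a plain Ethernet path, yet the reply has to cross a PPPoE link (1492 bytes) and then an ESP tunnel-mode leg over the WLAN, and every DF-marked segment that is too big for a hop is dropped in favour of an ICMP fragmentation-needed message. If that ICMP is lost or filtered (a NAT box that does not translate it, an iptables rule that drops ICMP), the sender retransmits the same oversized segment until it gives up, which is exactly "no data back" while small packets work. The Python below is an added example, not code from the thread: it computes the ESP tunnel-mode overhead, the largest inner packet that fits a given outer MTU (the value a gateway should report in its ICMP), and the TCP MSS the endpoints or an MSS clamp should advertise. The thread never names the algorithms, so the two suites (3DES-CBC and AES-CBC, each with a 12-byte HMAC ICV) are assumptions; the constants cover the generic case, not only this setup.

```python
from dataclasses import dataclass

# Fixed header sizes (bytes).
OUTER_IP_HDR = 20   # tunnel-mode outer IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
INNER_TCP_IP = 40   # minimal inner IPv4 + TCP headers; MSS is measured beyond these
PPPOE_MTU = 1492    # Ethernet MTU minus the 8-byte PPPoE/PPP header


@dataclass(frozen=True)
class EspSuite:
    """Per-packet constants of an ESP transform."""
    name: str
    block_size: int   # CBC block size; CBC modes also carry an IV of this length
    icv_len: int      # truncated HMAC length appended after the ciphertext


# Assumed suites: the thread does not say which algorithms the SA uses.
TRIPLE_DES_SHA1 = EspSuite("3des-cbc + hmac-sha1-96", block_size=8, icv_len=12)
AES_CBC_SHA1 = EspSuite("aes-cbc + hmac-sha1-96", block_size=16, icv_len=12)


def esp_tunnel_len(inner_len: int, suite: EspSuite) -> int:
    """Outer IPv4 length of a tunnel-mode ESP packet carrying an inner_len-byte packet.

    ESP pads (inner packet + trailer) up to a multiple of the cipher block size.
    """
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // suite.block_size) * suite.block_size   # ceil to block
    return OUTER_IP_HDR + ESP_HDR + suite.block_size + padded + suite.icv_len


def max_inner_len(outer_mtu: int, suite: EspSuite) -> int:
    """Largest inner packet whose encapsulation still fits outer_mtu.

    This is the MTU a gateway should quote in ICMP fragmentation-needed when a
    DF-marked inner packet is too large for the tunnel.
    """
    avail = outer_mtu - OUTER_IP_HDR - ESP_HDR - suite.block_size - suite.icv_len
    avail -= avail % suite.block_size      # encrypted part must be block aligned
    return avail - ESP_TRAILER


def clamp_mss(outer_mtu: int, suite: EspSuite) -> int:
    """TCP MSS the tunnel endpoints (or a NAT box's MSS clamp) should advertise."""
    return max_inner_len(outer_mtu, suite) - INNER_TCP_IP


def fits(mss: int, outer_mtu: int, suite: EspSuite) -> bool:
    """Does a full-sized segment for this MSS traverse the tunnel unfragmented?"""
    return esp_tunnel_len(mss + INNER_TCP_IP, suite) <= outer_mtu


if __name__ == "__main__":
    advertised_mss = 1460                       # as seen in both SYNs of the trace
    full_segment = advertised_mss + INNER_TCP_IP
    for suite in (TRIPLE_DES_SHA1, AES_CBC_SHA1):
        print(f"{suite.name}: {full_segment}-byte segment -> "
              f"{esp_tunnel_len(full_segment, suite)} bytes on the 1500-byte WLAN "
              f"(fits: {fits(advertised_mss, 1500, suite)}); "
              f"ICMP should quote MTU {max_inner_len(1500, suite)}, "
              f"clamp MSS to {clamp_mss(1500, suite)}")
    print(f"PPPoE leg without IPsec: MSS {PPPOE_MTU - INNER_TCP_IP}")
```

With 3DES the 1500-byte segment becomes a 1552-byte ESP packet, so the firewall has to tell the server to use 1446-byte packets (MSS 1406); with AES-CBC it is 1438 (MSS 1398). A trace on the firewall's WLAN side would show whether that ICMP is generated, and a trace at the other end whether it ever arrives; if the ICMP is filtered, clamping the MSS on the firewall to the smaller of the two legs sidesteps PMTU discovery entirely.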