netdev.vger.kernel.org archive mirror
* IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25?
@ 2008-05-15 20:09 Alan Swanson
  2008-05-21 12:01 ` Kazunori MIYAZAWA
  0 siblings, 1 reply; 5+ messages in thread
From: Alan Swanson @ 2008-05-15 20:09 UTC
  To: netdev

Hi. Usual non-subscriber CC replies request please.

There is a problem with 2.6.25(.4) using IPSEC on ipv4. You seem to need
to have ipv6 available otherwise a protocol not supported error is
returned when trying to set a Security Association Database. I'm using
setkey on a file but another user on the ipsec-tools-devel list reported
the same issue using racoon.

http://marc.info/?l=ipsec-tools-devel&m=121015164014761&w=2

So with modules loaded you expect to work.

$ lsmod
  Module                  Size  Used by
  authenc                 5056  0 
  ah4                     4672  0 
  esp4                    5824  0 
  aead                    5824  2 authenc,esp4
  xfrm4_mode_tunnel       2176  20

A static file with tunnel configuration for laptop to desktop over open
wireless not running WEP/WPA.

$ head -n 12 /etc/ipsec.conf
  #!/usr/sbin/setkey -f
  
  flush;
  spdflush;
  
  add 1.1.1.1 2.2.2.2 esp 0x500 -m tunnel
  -E rijndael-cbc 0x...
  -A hmac-sha1 0x...;
  
  add 2.2.2.2 1.1.1.1 esp 0x501 -m tunnel
  -E rijndael-cbc 0x...
  -A hmac-sha1 0x...;

You get protocol not supported error.

$ setkey -f /etc/ipsec.conf
  The result of line 8: Protocol not supported.
  The result of line 12: Protocol not supported.

But after modprobing ipv6 which automatically pulls
in xfrm6_mode_tunnel, setkey starts working and I can communicate via
IPSEC.

$ lsmod
  Module                  Size  Used by
  xfrm6_mode_tunnel       2048  4 
  ipv6                  217444  10 xfrm6_mode_tunnel
  authenc                 5056  4 
  ah4                     4672  0 
  esp4                    5824  4 
  aead                    5824  2 authenc,esp4
  xfrm4_mode_tunnel       2176  28

It really shouldn't need ipv6. Full kernel config, lsmod before and
after modprobing ipv6 are available at the URLs below.

http://www.swanson.ukfsn.org/ipsec/config
http://www.swanson.ukfsn.org/ipsec/lsmod-post-modprobe-ipv6
http://www.swanson.ukfsn.org/ipsec/lsmod-pre-modprobe-ipv6

-- 
Alan.

"One must never be purposelessnessnesslessness."


* Re: IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25?
  2008-05-15 20:09 IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25? Alan Swanson
@ 2008-05-21 12:01 ` Kazunori MIYAZAWA
  2008-05-21 12:17   ` Kazunori MIYAZAWA
  0 siblings, 1 reply; 5+ messages in thread
From: Kazunori MIYAZAWA @ 2008-05-21 12:01 UTC
  To: Alan Swanson; +Cc: netdev

Hello,

This patch fixes the problem.
I thought that someone (sorry, I forget) sent the same patch
when netlink was fixed.

Alan Swanson wrote:
> Hi. Usual non-subscriber CC replies request please.
> 
> There is a problem with 2.6.25(.4) using IPSEC on ipv4. You seem to need
> to have ipv6 available otherwise a protocol not supported error is
> returned when trying to set a Security Association Database. I'm using
> setkey on a file but another user on the ipsec-tools-devel list reported
> the same issue using racoon.
> 
> http://marc.info/?l=ipsec-tools-devel&m=121015164014761&w=2
> 
> So with modules loaded you expect to work.
> 
> $ lsmod
>   Module                  Size  Used by
>   authenc                 5056  0 
>   ah4                     4672  0 
>   esp4                    5824  0 
>   aead                    5824  2 authenc,esp4
>   xfrm4_mode_tunnel       2176  20
> 
> A static file with tunnel configuration for laptop to desktop over open
> wireless not running WEP/WPA.
> 
> $ head -n 12 /etc/ipsec.conf
>   #!/usr/sbin/setkey -f
>   
>   flush;
>   spdflush;
>   
>   add 1.1.1.1 2.2.2.2 esp 0x500 -m tunnel
>   -E rijndael-cbc 0x...
>   -A hmac-sha1 0x...;
>   
>   add 2.2.2.2 1.1.1.1 esp 0x501 -m tunnel
>   -E rijndael-cbc 0x...
>   -A hmac-sha1 0x...;
> 
> You get protocol not supported error.
> 
> $ setkey -f /etc/ipsec.conf
>   The result of line 8: Protocol not supported.
>   The result of line 12: Protocol not supported.
> 
> But after modprobing ipv6 which automatically pulls
> in xfrm6_mode_tunnel, setkey starts working and I can communicate via
> IPSEC.
> 
> $ lsmod
>   Module                  Size  Used by
>   xfrm6_mode_tunnel       2048  4 
>   ipv6                  217444  10 xfrm6_mode_tunnel
>   authenc                 5056  4 
>   ah4                     4672  0 
>   esp4                    5824  4 
>   aead                    5824  2 authenc,esp4
>   xfrm4_mode_tunnel       2176  28
> 
> It really shouldn't need ipv6. Full kernel config, lsmod before and
> after modprobing ipv6 are available at the URLs below.
> 
> http://www.swanson.ukfsn.org/ipsec/config
> http://www.swanson.ukfsn.org/ipsec/lsmod-post-modprobe-ipv6
> http://www.swanson.ukfsn.org/ipsec/lsmod-pre-modprobe-ipv6
> 

--
Kazunori Miyazawa

[-- Attachment #2: patch-fixing-af_key.txt --]
[-- Type: text/plain, Size: 531 bytes --]

signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org>

diff --git a/net/key/af_key.c b/net/key/af_key.c
index e9ef9af..835e307 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr,
                x->sel.prefixlen_s = addr->sadb_address_prefixlen;
        }
 
-       if (x->props.mode == XFRM_MODE_TRANSPORT)
+       if (!x->sel.mode)
                x->sel.family = x->props.family;
 
        if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
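
Review bot: The new condition on the + line tests x->sel.mode, but the statement it guards assigns x->sel.family, and the mode in the removed line is read from x->props.mode, not from the selector. The only selector fields this hunk touches are family and prefixlen_s, so the test should be on the field being defaulted: if (!x->sel.family), which is what the resend later in this thread uses. As posted, the check and the assignment refer to different things, so this version should not be applied.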



* Re: IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25?
  2008-05-21 12:01 ` Kazunori MIYAZAWA
@ 2008-05-21 12:17   ` Kazunori MIYAZAWA
  2008-05-21 20:18     ` Alan Swanson
  0 siblings, 1 reply; 5+ messages in thread
From: Kazunori MIYAZAWA @ 2008-05-21 12:17 UTC
  To: Alan Swanson; +Cc: netdev

Kazunori MIYAZAWA wrote:
> Hello,
> 
> This patch fixes the problem.
> I thought that someone (sorry, I forget) sent the same patch
> when netlink was fixed.
> 

Sorry, I made a typo.

--
Kazunori Miyazawa

[-- Attachment #2: patch-fixing-af_key.txt --]
[-- Type: text/plain, Size: 533 bytes --]

signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org>

diff --git a/net/key/af_key.c b/net/key/af_key.c
index e9ef9af..835e307 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr,
                x->sel.prefixlen_s = addr->sadb_address_prefixlen;
        }
 
-       if (x->props.mode == XFRM_MODE_TRANSPORT)
+       if (!x->sel.family)
                x->sel.family = x->props.family;
 
        if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
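
Review bot: The changelog is missing. The mail carries only a lowercase signed-off-by: tag, while the + line changes when the selector family is defaulted: from transport mode only to any state whose x->sel.family is still zero. Please add a description saying that states in other modes added through af_key were not given a selector family from x->props.family (the symptom reported in this thread is setkey returning "Protocol not supported" until ipv6 is loaded), and spell the tag Signed-off-by:. It is also worth stating in the description that the test relies on x->sel.family being zero whenever the address block closed just above this line did not run.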



* Re: IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25?
  2008-05-21 12:17   ` Kazunori MIYAZAWA
@ 2008-05-21 20:18     ` Alan Swanson
  2008-05-21 20:28       ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Alan Swanson @ 2008-05-21 20:18 UTC
  To: Kazunori MIYAZAWA; +Cc: netdev

On Wed, 2008-05-21 at 21:17 +0900, Kazunori MIYAZAWA wrote:
> Kazunori MIYAZAWA wrote:
> > Hello,
> > 
> > This patch fixes the problem.
> > I thought that someone (sorry, I forget) sent the same patch
> > when netlink was fixed.
> > 
> 
> Sorry, I made a typo.

Hi Kazunori.

Confirmed, that patch fixed the problem. Thanks very much.

I don't see if this single line regression from the "inter address
family IPsec tunnel on the fly" patch has reverted in any Git trees yet.
A candidate for stable perhaps?

-- 
Alan.

"One must never be purposelessnessnesslessness."


* Re: IPSEC IPV4 Tunnel Requires IPV6 WIth 2.6.25?
  2008-05-21 20:18     ` Alan Swanson
@ 2008-05-21 20:28       ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2008-05-21 20:28 UTC
  To: swanson; +Cc: kazunori, netdev

From: Alan Swanson <swanson@ukfsn.org>
Date: Wed, 21 May 2008 21:18:16 +0100

> Confirmed, that patch fixed the problem. Thanks very much.

Thanks for testing Alan.  I've applied Kazunori-san's patch.

> A candidate for stable perhaps?

Yes, I'll queue it up for -stable.

Thanks everyone.
