Subject: IPsec tunnel mode bug - malformed, misaddressed packets
From: Christopher K. Johnson @ 2004-10-17 11:52 UTC
To: netdev
There is an ipsec bug in FC2 kernel 2.6.8-1.521 for ipsec tunnel mode.
I have proven with a packet trace that some packets are
misaddressed. Specifically it constructs a packet of the form:
IP header1 | AH header | IP header2 | ESP
The IP header1 has an incorrect destination address of the host in the
remote tunneled subnet instead of the remote vpn partner, whereas IP
header2 has the correct destination address of the remote vpn partner.
For a host in the local ipsec subnet contacting a web server in the remote
ipsec subnet, the initial syn and the syn,ack response are tunnelled
successfully, but the encrypted ack goes out malformed as indicated above,
and thus is never delivered.
Packet trace and setkey config are attached to bugzilla entry at
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132832
Your help in resolving this bug so ipsec is usable would be appreciated greatly.
Chris
Subject: Re: IPsec tunnel mode bug - malformed, misaddressed packets
From: Herbert Xu @ 2004-10-18 1:08 UTC
To: Christopher K. Johnson; +Cc: netdev
On Sun, Oct 17, 2004 at 11:52:21AM +0000, Christopher K. Johnson wrote:
> There is an ipsec bug in FC2 kernel 2.6.8-1.521 for ipsec tunnel mode.
> I have proven with a packet trace that some packets are
> misaddressed. Specifically it constructs a packet of the form:
> IP header1 | AH header | IP header2 | ESP
This is purely a user-space error. The Linux IPsec stack is
very flexible. In particular, you can configure it to generate
nonsense such as the above quite easily.
In this case, racoon needs to be taught that only the inner SA
should be marked as tunnel mode.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
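An added diagnostic, not part of this thread or of ipsec-tools, that walks the header chain of a captured outbound packet and flags the IP | AH | IP | ESP layout and outer-destination mismatch reported above; the addresses, SPIs and the zeroed ICV/ciphertext bytes are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

AH, ESP, IPIP = 51, 50, 4   # IP protocol numbers

def ipv4(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah(next_hdr, icv_len=12):
    """AH header; payload_len is in 32-bit words minus 2 (RFC 4302)."""
    plen = (12 + icv_len) // 4 - 2
    return struct.pack("!BBHII", next_hdr, plen, 0, 0x100, 1) + b"\x00" * icv_len

def walk_headers(pkt):
    """Return the header chain and the destination of every IPv4 header seen."""
    chain, dsts, off, proto = [], [], 0, IPIP
    while True:
        if proto == IPIP:
            chain.append("IP")
            dsts.append(str(IPv4Address(pkt[off + 16:off + 20])))
            proto = pkt[off + 9]
            off += (pkt[off] & 0x0F) * 4
        elif proto == AH:
            chain.append("AH")
            proto = pkt[off]
            off += (pkt[off + 1] + 2) * 4
        elif proto == ESP:
            chain.append("ESP")   # everything after ESP is ciphertext; stop here
            return chain, dsts
        else:
            return chain + [f"proto{proto}"], dsts

def diagnose(pkt, peer):
    """Flag the shape from the thread: an outer IP header carrying AH, then a
    second IP header before ESP, with the outer destination not the VPN peer."""
    chain, dsts = walk_headers(pkt)
    return {"chain": chain, "dsts": dsts,
            "double_tunnel": chain[:4] == ["IP", "AH", "IP", "ESP"],
            "misaddressed": bool(dsts) and dsts[0] != peer}

# Constructed samples: the misconfigured layout and the expected AH-over-ESP one.
PEER, INNER_HOST, LOCAL = "198.51.100.1", "10.2.0.10", "192.0.2.1"
esp = struct.pack("!II", 0x200, 1) + b"\x00" * 16          # SPI, seq, ciphertext stub
inner = ipv4(LOCAL, PEER, ESP, len(esp)) + esp
BAD_PKT = ipv4(LOCAL, INNER_HOST, AH, len(ah(IPIP)) + len(inner)) + ah(IPIP) + inner
GOOD_PKT = ipv4(LOCAL, PEER, AH, len(ah(ESP)) + len(esp)) + ah(ESP) + esp
```

Run `diagnose(pkt, peer)` over each outbound packet of a trace; a `double_tunnel` hit indicates both SAs were installed in tunnel mode rather than only the inner one.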
Subject: Re: IPsec tunnel mode bug - malformed, misaddressed packets
From: Christopher K. Johnson @ 2004-10-18 23:17 UTC
To: netdev
Herbert Xu wrote:
>On Sun, Oct 17, 2004 at 11:52:21AM +0000, Christopher K. Johnson wrote:
>
>
>>There is an ipsec bug in FC2 kernel 2.6.8-1.521 for ipsec tunnel mode.
>>I have proven with a packet trace that some packets are
>>misaddressed. Specifically it constructs a packet of the form:
>>IP header1 | AH header | IP header2 | ESP
>>
>>
>In this case, racoon needs to be taught that only the inner SA
>should be marked as tunnel mode.
>
>
I updated the vpn peers to ipsec-tools-0.3.3-1 from fedora core
development and the problem is the same. I captured a packet trace to
verify. Any takers for an ipsec-tools bug? I'll gladly provide more
details off-list.
Thanks.