Hi all:<div><br><div>openswan conflits with following kernel OPTIONS:<div><div># CONFIG_INET_AH is not set</div><div># CONFIG_INET_ESP is not set</div><div># CONFIG_INET_IPCOMP is not set</div><div># CONFIG_INET_XFRM_TUNNEL is not set</div>
<div><br></div><div>when these options is disabled,everything is fine....</div><br><div><br></div><div><br><div class="gmail_quote">2009/3/16 <span dir="ltr"><<a href="mailto:users-request@openswan.org" target="_blank">users-request@openswan.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Send Users mailing list submissions to<br>
<a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:users-request@openswan.org" target="_blank">users-request@openswan.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:users-owner@openswan.org" target="_blank">users-owner@openswan.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. multiple tunnels road-warriors/net-to-net and l2tp/non-l2tp<br>
(Bob Miller)<br>
2. Re: multiple tunnels road-warriors/net-to-net and<br>
l2tp/non-l2tp (Paul Wouters)<br>
3. oenswan 2.4.10 kernel 2.6.22 can only run behind<br>
firewall(natted). (Zhiping Liu)<br>
<br>
<br>
----------------------------------------------------------------------<br><br>
Message: 3<br>
Date: Mon, 16 Mar 2009 15:31:27 +0800<br>
From: Zhiping Liu <<a href="mailto:flyingzpl@gmail.com" target="_blank">flyingzpl@gmail.com</a>><br>
Subject: [Openswan Users] oenswan 2.4.10 kernel 2.6.22 can only run<br>
behind firewall(natted).<br>
To: <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br>
Message-ID:<br>
<<a href="mailto:92eb98380903160031s2b01e2eboa5355ce32f749a5@mail.gmail.com" target="_blank">92eb98380903160031s2b01e2eboa5355ce32f749a5@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi everyone:<br>
I have a strange problem,IPSEC SA can established,but can only forward<br>
package through NAT.<br>
<br>
<br>
1.WITHOUT NAT NetWork topology: <javascript:void(0)><br>
<br>
PC A:<br>
eth0:192.168.100.234<br>
eth1:192.168.1.234<br>
PC B:<br>
eth0:192.168.111.231<br>
eth1:192.168.1.231<br>
<br>
My pc(Windows XP,trying to access 192.168.111.231,set 192.168.100.234 as<br>
gateway):<br>
eth0:192.168.100.10<br>
<br>
2.ipsec.conf (PC A)<br>
-bash-3.2$ cat /etc/ipsec.conf<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
config setup<br>
plutodebug = all<br>
klipsdebug = all<br>
nat_traversal=no<br>
interfaces = "ipsec0=eth1"<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
conn aa<br>
type = tunnel<br>
auto = start<br>
keyexchange = ike<br>
authby = secret<br>
auth = esp<br>
esp = 3DES-SHA1<br>
ike = 3DES-SHA1-MODP1024<br>
aggrmode = yes<br>
pfs = yes<br>
pfsgroup = MODP1024<br>
left = 192.168.1.234<br>
leftsubnet = <a href="http://192.168.100.0/255.255.255.0" target="_blank">192.168.100.0/255.255.255.0</a><br>
right = 192.168.1.132<br>
rightsubnet = <a href="http://192.168.111.0/255.255.255.0" target="_blank">192.168.111.0/255.255.255.0</a><br>
leftid = @aaa<br>
rightid = @bbb<br>
<br>
3.tcp dump result on PC A<br>
<br>
>From eth1,there is result from peer node,<a href="http://192.168.1.132" target="_blank">192.168.1.132</a>:<br>
<br>
-bash-3.2$ sudo ./tcpdump -i eth1 host 192.168.1.132 -vv<br>
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96<br>
bytes<br>
14:16:32.753634 IP (tos 0x0, ttl 64, id 51990, offset 0, flags [none], proto<br>
ESP (50), length 112) 192.168.1.234 > <a href="http://192.168.1.132" target="_blank">192.168.1.132</a>:<br>
ESP(spi=0xa1015406,seq=0x2), length 92<br>
14:16:52.764378 IP (tos 0x0, ttl 64, id 32957, offset 0, flags [none], proto<br>
ESP (50), length 112) 192.168.1.132 > <a href="http://192.168.1.234" target="_blank">192.168.1.234</a>:<br>
ESP(spi=0x1c703a00,seq=0x2), length 92<br>
14:16:37.729272 arp who-has 192.168.1.132 tell 192.168.1.234<br>
14:16:37.729482 arp reply 192.168.1.132 is-at 00:19:db:47:0c:60 (oui<br>
Unknown)<br>
<br>
4 packets captured<br>
4 packets received by filter<br>
0 packets dropped by kernel<br>
<br>
But no result for ipsec0(192.168.100.10 is my IP)<br>
-bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>
tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>
bytes<br>
14:16:32.744483 IP (tos 0x0, ttl 127, id 31949, offset 0, flags [none],<br>
proto ICMP (1), length 60) 192.168.100.10 > <a href="http://192.168.111.132" target="_blank">192.168.111.132</a>: ICMP echo<br>
request, id 768, seq 35072, length 40<br>
14:16:32.747816 IP (tos 0x0, ttl 64, id 7320, offset 0, flags [DF], proto<br>
UDP (17), length 74) 192.168.1.234.filenet-pa > 192.168.111.1.domain: [udp<br>
sum ok] 3304+ PTR? 132.111.168.192.in-addr.arpa. (46)<br>
<br>
2 packets captured<br>
13 packets received by filter<br>
0 packets dropped by kernel<br>
-bash-3.2$<br>
<br>
4.ipsec log file(can only see message send out)<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
skb->dev=ipsec0 dev=ipsec0.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
Revectored 0p00000000->0pdc883a24 len=84 type=2048 dev=ipsec0->eth1<br>
dev_addr=00:50:c2:1c:97:92 ip=c0a864ea->c0a86f01<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header: >>><br>
skb->len=98 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84<br>
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
daddr:192.168.111.1 type:code=8:0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
Original head,tailroom: 2,28<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
192.168.100.234:0-><a href="http://192.168.111.1:0" target="_blank">192.168.111.1:0</a> 1<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
exactly as a host destination<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,<br>
t=0pde630180<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking for<br>
local udp/500 IKE packet saddr=c0a864ea, er=0pde630180, daddr=c0a86f01,<br>
er_dst=c0a80184, proto=1 sport=0 dport=0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in<br>
ipsec_sa table for hash=168 of<br>
<a href="mailto:SA%3Atun.1002@192.168.1.132" target="_blank">SA:tun.1002@192.168.1.132</a><<a href="mailto:SA%253Atun.1002@192.168.1.132" target="_blank">SA%3Atun.1002@192.168.1.132</a>>requested.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>
ipsec_sa -- SA:<IPIP> <a href="mailto:tun.1002@192.168.1.132" target="_blank">tun.1002@192.168.1.132</a><br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
room for <IPIP>, <a href="mailto:SA%3Atun.1002@192.168.1.132" target="_blank">SA:tun.1002@192.168.1.132</a> <<a href="mailto:SA%253Atun.1002@192.168.1.132" target="_blank">SA%3Atun.1002@192.168.1.132</a>><br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required<br>
head,tailroom: 20,0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
room for <ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.1867139c@192.168.1.132" target="_blank">SA:esp.1867139c@192.168.1.132</a><<a href="mailto:SA%253Aesp.1867139c@192.168.1.132" target="_blank">SA%3Aesp.1867139c@192.168.1.132</a>><br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required<br>
head,tailroom: 16,16<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: existing<br>
head,tailroom: 2,28 before applying xforms with head,tailroom: 36,16 .<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: mtu:1500<br>
physmtu:1500 tothr:36 tottr:16 mtudiff:52 ippkttotlen:84<br>
Mar 16 12:49:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>
ipsec0 mtu of 1500 decreased by 57 to 1443<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
allocating 14 bytes for hardheader.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
head,tailroom: 16,28 after hard_header stripped.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84<br>
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
daddr:192.168.111.1 type:code=8:0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
head,tailroom: 68,104 after allocation<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84<br>
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
daddr:192.168.111.1 type:code=8:0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
output for <IPIP>, <a href="mailto:SA%3Atun.1002@192.168.1.132" target="_blank">SA:tun.1002@192.168.1.132</a> <<a href="mailto:SA%253Atun.1002@192.168.1.132" target="_blank">SA%3Atun.1002@192.168.1.132</a>><br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 20<br>
bytes, putting 0, proto 4.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
head,tailroom: 48,104 before xform.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
<IPIP>, <a href="mailto:SA%3Atun.1002@192.168.1.132" target="_blank">SA:tun.1002@192.168.1.132</a> <<a href="mailto:SA%253Atun.1002@192.168.1.132" target="_blank">SA%3Atun.1002@192.168.1.132</a>>:<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>
daddr:192.168.1.132<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>
daddr:192.168.1.132<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
output for <ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.1867139c@192.168.1.132" target="_blank">SA:esp.1867139c@192.168.1.132</a><<a href="mailto:SA%253Aesp.1867139c@192.168.1.132" target="_blank">SA%3Aesp.1867139c@192.168.1.132</a>><br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 16<br>
bytes, putting 16, proto 50.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
head,tailroom: 32,88 before xform.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=136:<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @000: 45 00 00 88 b6 fb 00 00<br>
40 32 3e d8 c0 a8 01 ea<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @010: c0 a8 01 84 18 67 13 9c<br>
00 00 00 02 c0 a8 01 ea<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @020: c0 a8 01 84 45 00 00 54<br>
00 00 40 00 40 01 e5 6c<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @030: c0 a8 64 ea c0 a8 6f 01<br>
08 00 38 4f 3a 37 00 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @040: 0d 20 35 2d 00 00 00 00<br>
00 00 00 00 00 00 00 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @050: 00 00 00 00 00 00 00 00<br>
00 00 00 00 00 00 00 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @060: 00 00 00 00 00 00 00 10<br>
00 00 00 00 00 00 00 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @070: 68 8d 0c 08 34 c7 99 bf<br>
01 02 02 04 04 00 00 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: @080: 50 e5 74 64 64 ed 07 00<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
with encalg=3, ixt_e=df0c3bc0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
cbc_encrypt encalg=3 ips_key_e=d26c5400 idat=de5f6644 ilen=88 iv=de5f663c,<br>
encrypt=1<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
ret=1<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
<ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.1867139c@192.168.1.132" target="_blank">SA:esp.1867139c@192.168.1.132</a><<a href="mailto:SA%253Aesp.1867139c@192.168.1.132" target="_blank">SA%3Aesp.1867139c@192.168.1.132</a>><br>
:<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
saddr:192.168.1.234 daddr:192.168.1.132<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
saddr:192.168.1.234 daddr:192.168.1.132<br>
Mar 16 12:49:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer passed<br>
in!<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute: <a href="http://192.168.1.234:0" target="_blank">192.168.1.234:0</a><br>
-><a href="http://192.168.1.132:0" target="_blank">192.168.1.132:0</a> 50<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
exactly as a host destination<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,<br>
t=0pde630180<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>
the tree, t=0pde630180<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pde630198<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pdc8838c0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd5f31d68<br>
cp3=0pd8d998d0<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
After recursive xforms -- head,tailroom: 32,88<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
With hard_header, final head,tailroom: 18,88<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done, calling<br>
ip_send() on device:eth1<br>
Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
saddr:192.168.1.234 daddr:192.168.1.132<br>
<br>
<br>
5.WITH NAT NetWork topology: <javascript:void(0)><br>
PC A<br>
eth0:192.168.100.234<br>
eth1:192.168.111.234<br>
Gateway: 192.168.111.1(udp port 500,4500 natted to PC A)<br>
<br>
Server B:<br>
ppp0--->pppoe<br>
eth1:192.168.80.1<br>
<br>
6.ipsec.conf (PC A)<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
config setup<br>
plutodebug = all<br>
klipsdebug = all<br>
nat_traversal=yes<br>
interfaces = "%defaultroute"<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
conn cylan<br>
type = tunnel<br>
auto = start<br>
keyexchange = ike<br>
authby = secret<br>
auth = esp<br>
esp = 3DES-SHA1<br>
ike = 3DES-SHA1-MODP1024<br>
aggrmode = yes<br>
pfs = yes<br>
pfsgroup = MODP1024<br>
left = %defaultroute<br>
leftsubnet = <a href="http://192.168.100.0/255.255.255.0" target="_blank">192.168.100.0/255.255.255.0</a><br>
right = 219.133.245.113<br>
rightsubnet = <a href="http://192.168.80.0/255.255.255.0" target="_blank">192.168.80.0/255.255.255.0</a><br>
leftid = @bbb<br>
rightid = @aaa<br>
<br>
7.tcp dump result on PC A<br>
-bash-3.2$ sudo ./tcpdump -i eth1 host 219.133.245.113<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes<br>
14:55:14.424375 IP 192.168.111.234.ipsec-nat-t ><br>
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>
ESP(spi=0x4f6ec270,seq=0x2), length 92<br>
14:55:23.105922 IP 192.168.111.234.ipsec-nat-t ><br>
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>
ESP(spi=0x4f6ec270,seq=0x3), length 92<br>
14:55:25.115728 IP 192.168.111.234.ipsec-nat-t ><br>
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>
isakmp-nat-keep-alive<br>
14:55:25.117799 IP 192.168.111.234.ipsec-nat-t ><br>
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>
isakmp-nat-keep-alive<br>
<br>
4 packets captured<br>
4 packets received by filter<br>
0 packets dropped by kernel<br>
<br>
ipsec0 got ICMP echo replys,it's ok<br>
-bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>
tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>
bytes<br>
14:56:34.183178 IP (tos 0x0, ttl 127, id 44881, offset 0, flags [none],<br>
proto ICMP (1), length 60) 192.168.100.10 > <a href="http://192.168.80.1" target="_blank">192.168.80.1</a>: ICMP echo request,<br>
id 768, seq 36352, length 40<br>
14:56:34.207201 IP (tos 0x0, ttl 64, id 50421, offset 0, flags [none], proto<br>
ICMP (1), length 60) 192.168.80.1 > <a href="http://192.168.100.10" target="_blank">192.168.100.10</a>: ICMP echo reply, id 768,<br>
seq 36352, length 40<br>
<br>
2 packets captured<br>
2 packets received by filter<br>
0 packets dropped by kernel<br>
-bash-3.2$<br>
<br>
8.ipsec log file(with icmp result)<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_neigh_setup:<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
skb->dev=ipsec0 dev=ipsec0.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
Revectored 0p00000000->0pd80e4a24 len=60 type=2048 dev=ipsec0->eth1<br>
dev_addr=00:50:c2:1c:97:92 ip=c0a8640a->c0a85001<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header: >>><br>
skb->len=74 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60<br>
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
daddr:192.168.80.1 type:code=8:0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
Original head,tailroom: 18,36<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute: <a href="http://192.168.100.10:0" target="_blank">192.168.100.10:0</a><br>
-><a href="http://192.168.80.1:0" target="_blank">192.168.80.1:0</a> 1<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
exactly as a host destination<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,<br>
t=0pd85d0e40<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking for<br>
local udp/500 IKE packet saddr=c0a8640a, er=0pd85d0e40, daddr=c0a85001,<br>
er_dst=db85f571, proto=1 sport=0 dport=0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in<br>
ipsec_sa table for hash=234 of<br>
<a href="mailto:SA%3Atun.1004@219.133.245.113" target="_blank">SA:tun.1004@219.133.245.113</a><<a href="mailto:SA%253Atun.1004@219.133.245.113" target="_blank">SA%3Atun.1004@219.133.245.113</a>>requested.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>
ipsec_sa -- SA:<IPIP> <a href="mailto:tun.1004@219.133.245.113" target="_blank">tun.1004@219.133.245.113</a><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
room for <IPIP>, <a href="mailto:SA%3Atun.1004@219.133.245.113" target="_blank">SA:tun.1004@219.133.245.113</a> <<a href="mailto:SA%253Atun.1004@219.133.245.113" target="_blank">SA%3Atun.1004@219.133.245.113</a>><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required<br>
head,tailroom: 20,0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
room for <ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.4f6ec270@219.133.245.113" target="_blank">SA:esp.4f6ec270@219.133.245.113</a><<a href="mailto:SA%253Aesp.4f6ec270@219.133.245.113" target="_blank">SA%3Aesp.4f6ec270@219.133.245.113</a>><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required<br>
head,tailroom: 16,24<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: existing<br>
head,tailroom: 18,36 before applying xforms with head,tailroom: 36,24 .<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: mtu:1500<br>
physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:60<br>
Mar 16 15:10:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>
ipsec0 mtu of 1500 decreased by 65 to 1435<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
allocating 14 bytes for hardheader.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
head,tailroom: 32,36 after hard_header stripped.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60<br>
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
daddr:192.168.80.1 type:code=8:0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
head,tailroom: 68,128 after allocation<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60<br>
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
daddr:192.168.80.1 type:code=8:0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
output for <IPIP>, <a href="mailto:SA%3Atun.1004@219.133.245.113" target="_blank">SA:tun.1004@219.133.245.113</a><<a href="mailto:SA%253Atun.1004@219.133.245.113" target="_blank">SA%3Atun.1004@219.133.245.113</a>><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 20<br>
bytes, putting 0, proto 4.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
head,tailroom: 48,128 before xform.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
<IPIP>, <a href="mailto:SA%3Atun.1004@219.133.245.113" target="_blank">SA:tun.1004@219.133.245.113</a> <<a href="mailto:SA%253Atun.1004@219.133.245.113" target="_blank">SA%3Atun.1004@219.133.245.113</a>>:<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:80<br>
id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>
daddr:219.133.245.113<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:80<br>
id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>
daddr:219.133.245.113<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
output for <ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.4f6ec270@219.133.245.113" target="_blank">SA:esp.4f6ec270@219.133.245.113</a><<a href="mailto:SA%253Aesp.4f6ec270@219.133.245.113" target="_blank">SA%3Aesp.4f6ec270@219.133.245.113</a>><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 16<br>
bytes, putting 16, proto 50.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
head,tailroom: 32,112 before xform.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=112:<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @000: 45 00 00 70 ab 1a 00 00<br>
40 32 ce 05 c0 a8 6f ea<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @010: db 85 f5 71 4f 6e c2 70<br>
00 00 00 08 c0 a8 6f ea<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @020: db 85 f5 71 45 00 00 3c<br>
bc 5b 00 00 7f 01 4a 09<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @030: c0 a8 64 0a c0 a8 50 01<br>
08 00 ba 5b 03 00 90 00<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @040: 61 62 63 64 65 66 67 68<br>
69 6a 6b 6c 6d 6e 6f 70<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @050: 71 72 73 74 75 76 77 61<br>
62 63 64 65 66 67 68 69<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: @060: 01 02 02 04 00 00 00 00<br>
00 00 00 00 00 00 00 00<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
with encalg=3, ixt_e=df0c3bc0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
cbc_encrypt encalg=3 ips_key_e=de5f6800 idat=d1f03c44 ilen=64 iv=d1f03c3c,<br>
encrypt=1<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
ret=1<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
<ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.4f6ec270@219.133.245.113" target="_blank">SA:esp.4f6ec270@219.133.245.113</a><<a href="mailto:SA%253Aesp.4f6ec270@219.133.245.113" target="_blank">SA%3Aesp.4f6ec270@219.133.245.113</a>><br>
:<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>
saddr:192.168.111.234 daddr:219.133.245.113<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>
saddr:192.168.111.234 daddr:219.133.245.113<br>
Mar 16 15:10:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer passed<br>
in!<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
192.168.111.234:0-><a href="http://219.133.245.113:0" target="_blank">219.133.245.113:0</a> 50<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
exactly as a host destination<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,<br>
t=0pd85d0e40<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>
the tree, t=0pd85d0e40<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd85d0e58<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd80e4f40<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd94d9aa8<br>
cp3=0pd8d99990<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
After recursive xforms -- head,tailroom: 32,112<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_start_xmit:<br>
encapsuling packet into UDP (NAT-Traversal) (2 8)<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
With hard_header, final head,tailroom: 18,104<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done, calling<br>
ip_send() on device:eth1<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:120 id:43802 frag_off:0 ttl:64 proto:17 (UDP) chk:52688 saddr:<br>
<a href="http://192.168.111.234:4500" target="_blank">192.168.111.234:4500</a> daddr:<a href="http://219.133.245.113:4500" target="_blank">219.133.245.113:4500</a><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
tlen:112 id:50426 frag_off:0 ttl:62 proto:50 (ESP) chk:46576<br>
saddr:219.133.245.113 daddr:192.168.111.234<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv_decap_once: decap (50)<br>
from 219.133.245.113 -> 192.168.111.234<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in<br>
ipsec_sa table for hash=113 of<br>
<a href="mailto:SA%3Aesp.a4cc5288@192.168.111.234" target="_blank">SA:esp.a4cc5288@192.168.111.234</a><<a href="mailto:SA%253Aesp.a4cc5288@192.168.111.234" target="_blank">SA%3Aesp.a4cc5288@192.168.111.234</a>>requested.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
<a href="mailto:SA%3Aesp.a4cc5288@192.168.111.234" target="_blank">SA:esp.a4cc5288@192.168.111.234</a> <<a href="mailto:SA%253Aesp.a4cc5288@192.168.111.234" target="_blank">SA%3Aesp.a4cc5288@192.168.111.234</a>>,<br>
src=219.133.245.113 of pkt agrees with expected SA source address policy.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
<a href="mailto:SA%3Aesp.a4cc5288@192.168.111.234" target="_blank">SA:esp.a4cc5288@192.168.111.234</a> <<a href="mailto:SA%253Aesp.a4cc5288@192.168.111.234" target="_blank">SA%3Aesp.a4cc5288@192.168.111.234</a>> First SA<br>
in group.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: natt_type=2<br>
tdbp->ips_natt_type=2 : ok<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet from<br>
219.133.245.113 received with seq=8 (iv)=0x528c134e3bcb1e22 iplen=92<br>
esplen=80 sa=<a href="mailto:esp.a4cc5288@192.168.111.234" target="_blank">esp.a4cc5288@192.168.111.234</a><br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg = 3, authalg =<br>
3.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: authentication<br>
successful.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg=3 esphlen=16<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
with encalg=3, ixt_e=df0c3bc0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
cbc_encrypt encalg=3 ips_key_e=d88e4000 idat=d1f03c4c ilen=64 iv=d1f03c44,<br>
encrypt=0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
ret=1<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: padlen=2, contents:<br>
0x<offset>: 0x<value> 0x<value> ...<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: 00: 01 02<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet decrypted from<br>
<a href="http://219.133.245.113" target="_blank">219.133.245.113</a>: next_header = 4, padding = 2<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: trimming to 60.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: after<br>
<ESP_3DES_HMAC_SHA1>,<br>
<a href="mailto:SA%3Aesp.a4cc5288@192.168.111.234" target="_blank">SA:esp.a4cc5288@192.168.111.234</a><<a href="mailto:SA%253Aesp.a4cc5288@192.168.111.234" target="_blank">SA%3Aesp.a4cc5288@192.168.111.234</a>><br>
:<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:80<br>
id:50426 frag_off:0 ttl:62 proto:4 chk:46629 saddr:219.133.245.113<br>
daddr:192.168.111.234<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
<a href="mailto:SA%3Aesp.a4cc5288@192.168.111.234" target="_blank">SA:esp.a4cc5288@192.168.111.234</a> <<a href="mailto:SA%253Aesp.a4cc5288@192.168.111.234" target="_blank">SA%3Aesp.a4cc5288@192.168.111.234</a>>, Another<br>
IPSEC header to process.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: ESP SA sets<br>
skb->nfmark=0x170000.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP tunnel stripped.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60<br>
id:50425 frag_off:0 ttl:64 proto:1 (ICMP) chk:32875 saddr:192.168.80.1<br>
daddr:192.168.100.10 type:code=0:0<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP SA sets<br>
skb->nfmark=0x170000.<br>
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: netif_rx() called.<br>
<br>
<br>
9.udp.c manully patched...<br>
start line:1097<br>
if (ret < 0) {<br>
if(xfrm4_rcv_encap_func != NULL) {<br>
ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);<br>
UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS,up->pcflag);<br>
} else {<br>
UDP_INC_STATS_BH(UDP_MIB_INERRORS,up->pcflag);<br>
ret = 1;<br>
}<br>
return ret;<br>
<br>
}<br>
<br>
<br>
--<br>
from Romeo<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.openswan.org/pipermail/users/attachments/20090316/f07b3c83/attachment.html" target="_blank">http://lists.openswan.org/pipermail/users/attachments/20090316/f07b3c83/attachment.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
<br>
<br>
End of Users Digest, Vol 64, Issue 19<br>
*************************************<br>
</blockquote></div><br><br clear="all"><br>-- <br>from Romeo<br>
</div>
</div></div></div>