<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
<pre>Hi,<br><br>It is my understanding these kernel options are used by NETKEY and should be either <br>turned off or loaded as modules when using KLIPS.<br><br>Also it looks like the ip address of PC B (eth1) you have listed as 192.168.1.231 and <br>then in the ipsec.conf file for PC A you have the right=192.168.1.132. Could this be <br>causing your issues?<br><br>-Jennifer<br><br></pre>
<p class="EC_EC_MsoNormal" style=""><a name="_MailAutoSig"><span style="font-size: 12pt;"></span></a><font style="font-size: 8pt;" size="1"><span style=""><b style=""><i style=""><span style="font-size: 12pt;"><font color="#000000"><font face="Calibri">Jennifer Agarwal</font></font></span></i></b></span></font></p>
<p class="EC_EC_MsoNormal" style=""><font style="font-size: 8pt;" size="1"><span style=""><span style=""><font style="" color="#000000"><font face="Calibri">President / Principal Engineer<br></font></font></span></span></font></p>
<p class="EC_EC_MsoNormal" style=""><font style="font-size: 8pt;" size="1"><span style=""><span style=""><font style="" color="#000000"><font face="Calibri">Exquisite Software Solutions, LLC</font></font></span></span></font></p>
<p class="EC_EC_MsoNormal" style=""><font style="font-size: 8pt;" size="1"><span style=""><span style=""><font style="" color="#000000"><font face="Calibri">(240) 483-8619</font></font></span></span></font></p>
<p class="EC_EC_MsoNormal" style=""><font style="font-size: 8pt;" size="1"><span style=""><span style=""><font style="" color="#000000"><font face="Calibri">jsagarwal@exqss.com</font></font></span></span></font></p>
<pre>=========================================================<br>> Hi all:<br>> openswan conflits with following kernel OPTIONS:# CONFIG_INET_AH is not set<br>> # CONFIG_INET_ESP is not set<br>> # CONFIG_INET_IPCOMP is not set<br>> # CONFIG_INET_XFRM_TUNNEL is not set<br> <br>> when these options is disabled,everything is fine....<br> <br> <br> <br>> 2009/3/16 <users-request@openswan.org><br> <br>> Message: 3<br>> Date: Mon, 16 Mar 2009 15:31:27 +0800<br>> From: Zhiping Liu <flyingzpl@gmail.com><br>> Subject: [Openswan Users] oenswan 2.4.10 kernel 2.6.22 can only run<br>> behind firewall(natted).<br>> To: users@openswan.org<br>> Message-ID:<br>> <92eb98380903160031s2b01e2eboa5355ce32f749a5@mail.gmail.com><br>> Content-Type: text/plain; charset="iso-8859-1"<br>><br>> Hi everyone:<br>> I have a strange problem,IPSEC SA can established,but can only forward<br>> package through NAT.<br>><br>><br>> 1.WITHOUT NAT NetWork topology:<br>><br>> PC A:<br>> eth0:192.168.100.234<br>> eth1:192.168.1.234<br>> PC B:<br>> eth0:192.168.111.231<br>> eth1:192.168.1.231<br>><br>> My pc(Windows XP,trying to access 192.168.111.231,set 192.168.100.234 as<br>> gateway):<br>> eth0:192.168.100.10<br>><br>> 2.ipsec.conf (PC A)<br>> -bash-3.2$ cat /etc/ipsec.conf<br>> version 2.0 # conforms to second version of ipsec.conf specification<br>> config setup<br>> plutodebug = all<br>> klipsdebug = all<br>> nat_traversal=no<br>> interfaces = "ipsec0=eth1"<br>> include /etc/ipsec.d/examples/no_oe.conf<br>> conn aa<br>> type = tunnel<br>> auto = start<br>> keyexchange = ike<br>> authby = secret<br>> auth = esp<br>> esp = 3DES-SHA1<br>> ike = 3DES-SHA1-MODP1024<br>> aggrmode = yes<br>> pfs = yes<br>> pfsgroup = MODP1024<br>> left = 192.168.1.234<br>> leftsubnet = 192.168.100.0/255.255.255.0<br>> right = 192.168.1.132<br>> rightsubnet = 192.168.111.0/255.255.255.0<br>> leftid = @aaa<br>> rightid = @bbb<br>><br>> 3.tcp dump result on PC A<br>><br>> >From eth1,there is result from peer node,192.168.1.132:<br>><br>> -bash-3.2$ sudo ./tcpdump -i eth1 host 192.168.1.132 -vv<br>> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96<br>> bytes<br>> 14:16:32.753634 IP (tos 0x0, ttl 64, id 51990, offset 0, flags [none],<br>> proto<br>> ESP (50), length 112) 
192.168.1.234 > 192.168.1.132:<br>> ESP(spi=0xa1015406,seq=0x2), length 92<br>> 14:16:52.764378 IP (tos 0x0, ttl 64, id 32957, offset 0, flags [none],<br>> proto<br>> ESP (50), length 112) 192.168.1.132 > 192.168.1.234:<br>> ESP(spi=0x1c703a00,seq=0x2), length 92<br>> 14:16:37.729272 arp who-has 192.168.1.132 tell 192.168.1.234<br>> 14:16:37.729482 arp reply 192.168.1.132 is-at 00:19:db:47:0c:60 (oui<br>> Unknown)<br>><br>> 4 packets captured<br>> 4 packets received by filter<br>> 0 packets dropped by kernel<br>><br>> But no result for ipsec0(192.168.100.10 is my IP)<br>> -bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>> tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>> bytes<br>> 14:16:32.744483 IP (tos 0x0, ttl 127, id 31949, offset 0, flags [none],<br>> proto ICMP (1), length 60) 192.168.100.10 > 192.168.111.132: ICMP echo<br>> request, id 768, seq 35072, length 40<br>> 14:16:32.747816 IP (tos 0x0, ttl 64, id 7320, offset 0, flags [DF], proto<br>> UDP (17), length 74) 192.168.1.234.filenet-pa > 192.168.111.1.domain: [udp<br>> sum ok] 3304+ PTR? 132.111.168.192.in-addr.arpa. 
(46)<br>><br>> 2 packets captured<br>> 13 packets received by filter<br>> 0 packets dropped by kernel<br>> -bash-3.2$<br>><br>> 4.ipsec log file(can only see message send out)<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>> skb->dev=ipsec0 dev=ipsec0.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>> Revectored 0p00000000->0pdc883a24 len=84 type=2048 dev=ipsec0->eth1<br>> dev_addr=00:50:c2:1c:97:92 ip=c0a864ea->c0a86f01<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>> >>><br>> skb->len=98 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:84<br>> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>> daddr:192.168.111.1 type:code=8:0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>> Original head,tailroom: 2,28<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>> 192.168.100.234:0->192.168.111.1:0 1<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>> exactly as a host destination<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>> leaf,<br>> t=0pde630180<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking<br>> for<br>> local udp/500 IKE packet saddr=c0a864ea, er=0pde630180, daddr=c0a86f01,<br>> er_dst=c0a80184, proto=1 sport=0 dport=0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>> in<br>> ipsec_sa table for hash=168 of<br>> SA:tun.1002@192.168.1.132 <SA%3Atun.1002@192.168.1.132><<br>> SA%3Atun.1002@192.168.1.132 <SA%253Atun.1002@192.168.1.132>>requested.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>> ipsec_sa -- SA:<IPIP> tun.1002@192.168.1.132<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>> room for <IPIP>, 
SA:tun.1002@192.168.1.132 <SA%3Atun.1002@192.168.1.132> <<br>> SA%3Atun.1002@192.168.1.132 <SA%253Atun.1002@192.168.1.132>><br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> Required<br>> head,tailroom: 20,0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>> room for <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.1867139c@192.168.1.132 <SA%3Aesp.1867139c@192.168.1.132><<br>> SA%3Aesp.1867139c@192.168.1.132 <SA%253Aesp.1867139c@192.168.1.132>><br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> Required<br>> head,tailroom: 16,16<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> existing<br>> head,tailroom: 2,28 before applying xforms with head,tailroom: 36,16 .<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> mtu:1500<br>> physmtu:1500 tothr:36 tottr:16 mtudiff:52 ippkttotlen:84<br>> Mar 16 12:49:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>> ipsec0 mtu of 1500 decreased by 57 to 1443<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> allocating 14 bytes for hardheader.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> head,tailroom: 16,28 after hard_header stripped.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:84<br>> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>> daddr:192.168.111.1 type:code=8:0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> head,tailroom: 68,104 after allocation<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:84<br>> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>> daddr:192.168.111.1 type:code=8:0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>> output for <IPIP>, SA:tun.1002@192.168.1.132 <SA%3Atun.1002@192.168.1.132><<br>> 
SA%3Atun.1002@192.168.1.132 <SA%253Atun.1002@192.168.1.132>><br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>> 20<br>> bytes, putting 0, proto 4.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>> head,tailroom: 48,104 before xform.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>> <IPIP>, SA:tun.1002@192.168.1.132 <SA%3Atun.1002@192.168.1.132> <<br>> SA%3Atun.1002@192.168.1.132 <SA%253Atun.1002@192.168.1.132>>:<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>> daddr:192.168.1.132<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>> daddr:192.168.1.132<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>> output for <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.1867139c@192.168.1.132 <SA%3Aesp.1867139c@192.168.1.132><<br>> SA%3Aesp.1867139c@192.168.1.132 <SA%253Aesp.1867139c@192.168.1.132>><br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>> 16<br>> bytes, putting 16, proto 50.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>> head,tailroom: 32,88 before xform.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=136:<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @000: 45 00 00 88 b6 fb 00 00<br>> 40 32 3e d8 c0 a8 01 ea<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @010: c0 a8 01 84 18 67 13 9c<br>> 00 00 00 02 c0 a8 01 ea<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @020: c0 a8 01 84 45 00 00 54<br>> 00 00 40 00 40 01 e5 6c<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @030: c0 a8 64 ea c0 a8 6f 01<br>> 08 00 38 4f 3a 37 00 00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @040: 0d 20 35 2d 00 00 00 00<br>> 00 00 00 00 00 00 00 00<br>> Mar 16 12:49:32 SSLVPN kernel: 
klips_debug: @050: 00 00 00 00 00 00 00 00<br>> 00 00 00 00 00 00 00 00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @060: 00 00 00 00 00 00 00 10<br>> 00 00 00 00 00 00 00 00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @070: 68 8d 0c 08 34 c7 99 bf<br>> 01 02 02 04 04 00 00 00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: @080: 50 e5 74 64 64 ed 07 00<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>> with encalg=3, ixt_e=df0c3bc0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>> cbc_encrypt encalg=3 ips_key_e=d26c5400 idat=de5f6644 ilen=88 iv=de5f663c,<br>> encrypt=1<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>> ret=1<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>> <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.1867139c@192.168.1.132 <SA%3Aesp.1867139c@192.168.1.132><<br>> SA%3Aesp.1867139c@192.168.1.132 <SA%253Aesp.1867139c@192.168.1.132>><br>> :<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>> saddr:192.168.1.234 daddr:192.168.1.132<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>> saddr:192.168.1.234 daddr:192.168.1.132<br>> Mar 16 12:49:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer<br>> passed<br>> in!<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>> 192.168.1.234:0<br>> ->192.168.1.132:0 50<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>> exactly as a host destination<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>> leaf,<br>> t=0pde630180<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>> the tree, t=0pde630180<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pde630198<br>> Mar 16 12:49:32 
SSLVPN kernel: klips_debug:rj_match: **** t=0pdc8838c0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd5f31d68<br>> cp3=0pd8d998d0<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>> After recursive xforms -- head,tailroom: 32,88<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>> With hard_header, final head,tailroom: 18,88<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done,<br>> calling<br>> ip_send() on device:eth1<br>> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>> saddr:192.168.1.234 daddr:192.168.1.132<br>><br>><br>> 5.WITH NAT NetWork topology:<br>> PC A<br>> eth0:192.168.100.234<br>> eth1:192.168.111.234<br>> Gateway: 192.168.111.1(udp port 500,4500 natted to PC A)<br>><br>> Server B:<br>> ppp0--->pppoe<br>> eth1:192.168.80.1<br>><br>> 6.ipsec.conf (PC A)<br>> version 2.0 # conforms to second version of ipsec.conf specification<br>> config setup<br>> plutodebug = all<br>> klipsdebug = all<br>> nat_traversal=yes<br>> interfaces = "%defaultroute"<br>> include /etc/ipsec.d/examples/no_oe.conf<br>> conn cylan<br>> type = tunnel<br>> auto = start<br>> keyexchange = ike<br>> authby = secret<br>> auth = esp<br>> esp = 3DES-SHA1<br>> ike = 3DES-SHA1-MODP1024<br>> aggrmode = yes<br>> pfs = yes<br>> pfsgroup = MODP1024<br>> left = %defaultroute<br>> leftsubnet = 192.168.100.0/255.255.255.0<br>> right = 219.133.245.113<br>> rightsubnet = 192.168.80.0/255.255.255.0<br>> leftid = @bbb<br>> rightid = @aaa<br>><br>> 7.tcp dump result on PC A<br>> -bash-3.2$ sudo ./tcpdump -i eth1 host 219.133.245.113<br>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes<br>> 14:55:14.424375 IP 
192.168.111.234.ipsec-nat-t ><br>> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>> ESP(spi=0x4f6ec270,seq=0x2), length 92<br>> 14:55:23.105922 IP 192.168.111.234.ipsec-nat-t ><br>> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>> ESP(spi=0x4f6ec270,seq=0x3), length 92<br>> 14:55:25.115728 IP 192.168.111.234.ipsec-nat-t ><br>> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>> isakmp-nat-keep-alive<br>> 14:55:25.117799 IP 192.168.111.234.ipsec-nat-t ><br>> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>> isakmp-nat-keep-alive<br>><br>> 4 packets captured<br>> 4 packets received by filter<br>> 0 packets dropped by kernel<br>><br>> ipsec0 got ICMP echo replys,it's ok<br>> -bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>> tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>> bytes<br>> 14:56:34.183178 IP (tos 0x0, ttl 127, id 44881, offset 0, flags [none],<br>> proto ICMP (1), length 60) 192.168.100.10 > 192.168.80.1: ICMP echo<br>> request,<br>> id 768, seq 36352, length 40<br>> 14:56:34.207201 IP (tos 0x0, ttl 64, id 50421, offset 0, flags [none],<br>> proto<br>> ICMP (1), length 60) 192.168.80.1 > 192.168.100.10: ICMP echo reply, id<br>> 768,<br>> seq 36352, length 40<br>><br>> 2 packets captured<br>> 2 packets received by filter<br>> 0 packets dropped by kernel<br>> -bash-3.2$<br>><br>> 8.ipsec log file(with icmp result)<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_neigh_setup:<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>> skb->dev=ipsec0 dev=ipsec0.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>> Revectored 0p00000000->0pd80e4a24 len=60 type=2048 dev=ipsec0->eth1<br>> dev_addr=00:50:c2:1c:97:92 ip=c0a8640a->c0a85001<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>> >>><br>> skb->len=74 hard_header_len:14 
00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:60<br>> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>> daddr:192.168.80.1 type:code=8:0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>> Original head,tailroom: 18,36<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>> 192.168.100.10:0<br>> ->192.168.80.1:0 1<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>> exactly as a host destination<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>> leaf,<br>> t=0pd85d0e40<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking<br>> for<br>> local udp/500 IKE packet saddr=c0a8640a, er=0pd85d0e40, daddr=c0a85001,<br>> er_dst=db85f571, proto=1 sport=0 dport=0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>> in<br>> ipsec_sa table for hash=234 of<br>> SA:tun.1004@219.133.245.113 <SA%3Atun.1004@219.133.245.113><<br>> SA%3Atun.1004@219.133.245.113 <SA%253Atun.1004@219.133.245.113>>requested.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>> ipsec_sa -- SA:<IPIP> tun.1004@219.133.245.113<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>> room for <IPIP>, SA:tun.1004@219.133.245.113<SA%3Atun.1004@219.133.245.113><<br>> SA%3Atun.1004@219.133.245.113 <SA%253Atun.1004@219.133.245.113>><br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> Required<br>> head,tailroom: 20,0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>> room for <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.4f6ec270@219.133.245.113 <SA%3Aesp.4f6ec270@219.133.245.113><<br>> SA%3Aesp.4f6ec270@219.133.245.113 <SA%253Aesp.4f6ec270@219.133.245.113>><br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> Required<br>> 
head,tailroom: 16,24<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> existing<br>> head,tailroom: 18,36 before applying xforms with head,tailroom: 36,24 .<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> mtu:1500<br>> physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:60<br>> Mar 16 15:10:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>> ipsec0 mtu of 1500 decreased by 65 to 1435<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> allocating 14 bytes for hardheader.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> head,tailroom: 32,36 after hard_header stripped.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:60<br>> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>> daddr:192.168.80.1 type:code=8:0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>> head,tailroom: 68,128 after allocation<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:60<br>> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>> daddr:192.168.80.1 type:code=8:0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>> output for <IPIP>, SA:tun.1004@219.133.245.113<SA%3Atun.1004@219.133.245.113><br>> <SA%3Atun.1004@219.133.245.113 <SA%253Atun.1004@219.133.245.113>><br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>> 20<br>> bytes, putting 0, proto 4.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>> head,tailroom: 48,128 before xform.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>> <IPIP>, SA:tun.1004@219.133.245.113 <SA%3Atun.1004@219.133.245.113> <<br>> SA%3Atun.1004@219.133.245.113 <SA%253Atun.1004@219.133.245.113>>:<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:80<br>> 
id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>> daddr:219.133.245.113<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:80<br>> id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>> daddr:219.133.245.113<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>> output for <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.4f6ec270@219.133.245.113 <SA%3Aesp.4f6ec270@219.133.245.113><<br>> SA%3Aesp.4f6ec270@219.133.245.113 <SA%253Aesp.4f6ec270@219.133.245.113>><br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>> 16<br>> bytes, putting 16, proto 50.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>> head,tailroom: 32,112 before xform.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=112:<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @000: 45 00 00 70 ab 1a 00 00<br>> 40 32 ce 05 c0 a8 6f ea<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @010: db 85 f5 71 4f 6e c2 70<br>> 00 00 00 08 c0 a8 6f ea<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @020: db 85 f5 71 45 00 00 3c<br>> bc 5b 00 00 7f 01 4a 09<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @030: c0 a8 64 0a c0 a8 50 01<br>> 08 00 ba 5b 03 00 90 00<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @040: 61 62 63 64 65 66 67 68<br>> 69 6a 6b 6c 6d 6e 6f 70<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @050: 71 72 73 74 75 76 77 61<br>> 62 63 64 65 66 67 68 69<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: @060: 01 02 02 04 00 00 00 00<br>> 00 00 00 00 00 00 00 00<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>> with encalg=3, ixt_e=df0c3bc0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>> cbc_encrypt encalg=3 ips_key_e=de5f6800 idat=d1f03c44 ilen=64 iv=d1f03c3c,<br>> encrypt=1<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>> ret=1<br>> Mar 16 
15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>> <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.4f6ec270@219.133.245.113 <SA%3Aesp.4f6ec270@219.133.245.113><<br>> SA%3Aesp.4f6ec270@219.133.245.113 <SA%253Aesp.4f6ec270@219.133.245.113>><br>> :<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>> saddr:192.168.111.234 daddr:219.133.245.113<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>> saddr:192.168.111.234 daddr:219.133.245.113<br>> Mar 16 15:10:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer<br>> passed<br>> in!<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>> 192.168.111.234:0->219.133.245.113:0 50<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>> exactly as a host destination<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>> leaf,<br>> t=0pd85d0e40<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>> the tree, t=0pd85d0e40<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd85d0e58<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd80e4f40<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd94d9aa8<br>> cp3=0pd8d99990<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>> After recursive xforms -- head,tailroom: 32,112<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_start_xmit:<br>> encapsuling packet into UDP (NAT-Traversal) (2 8)<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>> With hard_header, final head,tailroom: 18,104<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done,<br>> calling<br>> ip_send() on device:eth1<br>> Mar 
16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:120 id:43802 frag_off:0 ttl:64 proto:17 (UDP) chk:52688 saddr:<br>> 192.168.111.234:4500 daddr:219.133.245.113:4500<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:112 id:50426 frag_off:0 ttl:62 proto:50 (ESP) chk:46576<br>> saddr:219.133.245.113 daddr:192.168.111.234<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv_decap_once: decap (50)<br>> from 219.133.245.113 -> 192.168.111.234<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>> in<br>> ipsec_sa table for hash=113 of<br>> SA:esp.a4cc5288@192.168.111.234 <SA%3Aesp.a4cc5288@192.168.111.234><<br>> SA%3Aesp.a4cc5288@192.168.111.234 <SA%253Aesp.a4cc5288@192.168.111.234><br>> >requested.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>> SA:esp.a4cc5288@192.168.111.234 <SA%3Aesp.a4cc5288@192.168.111.234> <<br>> SA%3Aesp.a4cc5288@192.168.111.234 <SA%253Aesp.a4cc5288@192.168.111.234>>,<br>> src=219.133.245.113 of pkt agrees with expected SA source address policy.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>> SA:esp.a4cc5288@192.168.111.234 <SA%3Aesp.a4cc5288@192.168.111.234> <<br>> SA%3Aesp.a4cc5288@192.168.111.234 <SA%253Aesp.a4cc5288@192.168.111.234>><br>> First SA<br>> in group.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: natt_type=2<br>> tdbp->ips_natt_type=2 : ok<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet from<br>> 219.133.245.113 received with seq=8 (iv)=0x528c134e3bcb1e22 iplen=92<br>> esplen=80 sa=esp.a4cc5288@192.168.111.234<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg = 3, authalg =<br>> 3.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: authentication<br>> successful.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg=3 esphlen=16<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>> with encalg=3, ixt_e=df0c3bc0<br>> 
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>> cbc_encrypt encalg=3 ips_key_e=d88e4000 idat=d1f03c4c ilen=64 iv=d1f03c44,<br>> encrypt=0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>> ret=1<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: padlen=2, contents:<br>> 0x<offset>: 0x<value> 0x<value> ...<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: 00: 01 02<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet decrypted from<br>> 219.133.245.113: next_header = 4, padding = 2<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: trimming to 60.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: after<br>> <ESP_3DES_HMAC_SHA1>,<br>> SA:esp.a4cc5288@192.168.111.234 <SA%3Aesp.a4cc5288@192.168.111.234><<br>> SA%3Aesp.a4cc5288@192.168.111.234 <SA%253Aesp.a4cc5288@192.168.111.234>><br>> :<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:80<br>> id:50426 frag_off:0 ttl:62 proto:4 chk:46629 saddr:219.133.245.113<br>> daddr:192.168.111.234<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>> SA:esp.a4cc5288@192.168.111.234 <SA%3Aesp.a4cc5288@192.168.111.234> <<br>> SA%3Aesp.a4cc5288@192.168.111.234 <SA%253Aesp.a4cc5288@192.168.111.234>>,<br>> Another<br>> IPSEC header to process.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: ESP SA sets<br>> skb->nfmark=0x170000.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP tunnel stripped.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>> tlen:60<br>> id:50425 frag_off:0 ttl:64 proto:1 (ICMP) chk:32875 saddr:192.168.80.1<br>> daddr:192.168.100.10 type:code=0:0<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP SA sets<br>> skb->nfmark=0x170000.<br>> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: netif_rx() called.<br>><br>><br>> 9.udp.c manully patched...<br>> start line:1097<br>> if (ret < 0) {<br>> 
if(xfrm4_rcv_encap_func != NULL) {<br>> ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);<br>> UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS,up->pcflag);<br>> } else {<br>> UDP_INC_STATS_BH(UDP_MIB_INERRORS,up->pcflag);<br>> ret = 1;<br>> }<br>> return ret;<br>><br>> }<br>><br>><br></pre></body>
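<p>The two points raised in the reply (NETKEY kernel options built in while KLIPS is used, and <code>right=</code> not matching the peer's listed address) can be checked mechanically. The following is an added example, not part of the original thread or of Openswan; the function names and the kernel config sample are constructed, while the <code>conn aa</code> values and PC B's addresses are taken from the quoted post.</p>

```python
import re

# Kernel options named in the thread. Per the reply, NETKEY uses them, so with
# KLIPS they should be off or built as modules (claim taken from the post).
NETKEY_OPTIONS = (
    "CONFIG_INET_AH",
    "CONFIG_INET_ESP",
    "CONFIG_INET_IPCOMP",
    "CONFIG_INET_XFRM_TUNNEL",
)

_SET = re.compile(r"^(CONFIG_\w+)=(\S+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def option_states(kconfig_text):
    """Map each NETKEY option to 'y', 'm', 'off' or 'missing'."""
    states = {name: "missing" for name in NETKEY_OPTIONS}
    for line in kconfig_text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m and m.group(1) in states:
            states[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m and m.group(1) in states:
            states[m.group(1)] = "off"
    return states


def builtin_conflicts(kconfig_text):
    """Options compiled into the kernel (=y), which cannot be unloaded."""
    return sorted(k for k, v in option_states(kconfig_text).items() if v == "y")


def parse_conn(conf_text, conn_name):
    """Return the key/value pairs of one 'conn' section of an ipsec.conf.

    Section headers start at column 0; parameters are indented 'key = value'.
    Everything after '#' is treated as a comment.
    """
    params, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # new section (or include/version)
            inside = line.split()[:2] == ["conn", conn_name]
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def peer_matches(conn, side, peer_interfaces):
    """True when conn[side] is one of the addresses the peer actually has."""
    return conn.get(side) in peer_interfaces.values()


def findings(kconfig_text, conf_text, conn_name, peer_interfaces):
    """Run both checks and return a list of human-readable findings."""
    out = [f"{opt} is built in (=y); disable it or build it as a module"
           for opt in builtin_conflicts(kconfig_text)]
    conn = parse_conn(conf_text, conn_name)
    if not peer_matches(conn, "right", peer_interfaces):
        out.append(f"conn {conn_name}: right={conn.get('right')} is not an "
                   f"address of the peer {sorted(peer_interfaces.values())}")
    return out


# Constructed kernel .config fragment (not from the thread).
SAMPLE_KCONFIG = """\
CONFIG_INET_AH=y
CONFIG_INET_ESP=m
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
"""

# 'conn aa' from the quoted post, re-indented; unrelated keys omitted.
PC_A_CONF = """\
version 2.0   # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=no
    interfaces = "ipsec0=eth1"
include /etc/ipsec.d/examples/no_oe.conf
conn aa
    type = tunnel
    left = 192.168.1.234
    leftsubnet = 192.168.100.0/255.255.255.0
    right = 192.168.1.132
    rightsubnet = 192.168.111.0/255.255.255.0
    leftid = @aaa
"""

# PC B's interfaces as listed in the quoted post.
PC_B_INTERFACES = {"eth0": "192.168.111.231", "eth1": "192.168.1.231"}

if __name__ == "__main__":
    for item in findings(SAMPLE_KCONFIG, PC_A_CONF, "aa", PC_B_INTERFACES):
        print(item)
```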
</html>