Sorry, I input the wrong address; it should be 192.168.1.132<div><br></div><div>All NETKEY options were built in KERNEL mode, not MODULE mode; this might be the cause.<br><br><div class="gmail_quote">2009/3/17 <span dir="ltr"><<a href="mailto:users-request@openswan.org">users-request@openswan.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Send Users mailing list submissions to<br>
<a href="mailto:users@openswan.org">users@openswan.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:users-request@openswan.org">users-request@openswan.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:users-owner@openswan.org">users-owner@openswan.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. VPN-Client over two changing ipadresses (Marc Hansen)<br>
2. Re: oenswan 2.4.10 kernel 2.6.22 can only run behind<br>
firewall(natted). (Jennifer Agarwal)<br>
<br>
<br>
----------------------------------------------------------------------<br><br>
Message: 2<br>
Date: Tue, 17 Mar 2009 08:39:45 -0400<br>
From: Jennifer Agarwal <<a href="mailto:jsagarwal@exqss.com">jsagarwal@exqss.com</a>><br>
Subject: Re: [Openswan Users] oenswan 2.4.10 kernel 2.6.22 can only<br>
run behind firewall(natted).<br>
To: <<a href="mailto:users@openswan.org">users@openswan.org</a>><br>
Message-ID: <BLU131-W1059394EB5DF9218913549AF980@phx.gbl><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
<br>
Hi,<br>
<br>
It is my understanding these kernel options are used by NETKEY and should be either<br>
turned off or loaded as modules when using KLIPS.<br>
<br>
Also it looks like the ip address of PC B (eth1) you have listed as 192.168.1.231 and<br>
then in the ipsec.conf file for PC A you have the right=192.168.1.132. Could this be<br>
causing your issues?<br>
<br>
-Jennifer<br>
<br>
<br>
Jennifer Agarwal<br>
President / Principal Engineer<br>
<br>
Exquisite Software Solutions, LLC<br>
(240) 483-8619<br>
<a href="mailto:jsagarwal@exqss.com">jsagarwal@exqss.com</a><br>
=========================================================<br>
> Hi all:<br>
> openswan conflicts with the following kernel OPTIONS:<br>
> # CONFIG_INET_AH is not set<br>
> # CONFIG_INET_ESP is not set<br>
> # CONFIG_INET_IPCOMP is not set<br>
> # CONFIG_INET_XFRM_TUNNEL is not set<br>
<br>
> when these options are disabled, everything is fine....<br>
<br>
<br>
<br>
> 2009/3/16 <<a href="mailto:users-request@openswan.org">users-request@openswan.org</a>><br>
<br>
> Today's Topics:<br>
><br>
> 1. multiple tunnels road-warriors/net-to-net and l2tp/non-l2tp<br>
> (Bob Miller)<br>
> 2. Re: multiple tunnels road-warriors/net-to-net and<br>
> l2tp/non-l2tp (Paul Wouters)<br>
> 3. oenswan 2.4.10 kernel 2.6.22 can only run behind<br>
> firewall(natted). (Zhiping Liu)<br>
><br>
><br>
> ----------------------------------------------------------------------<br>
><br>
> Message: 3<br>
> Date: Mon, 16 Mar 2009 15:31:27 +0800<br>
> From: Zhiping Liu <<a href="mailto:flyingzpl@gmail.com">flyingzpl@gmail.com</a>><br>
> Subject: [Openswan Users] oenswan 2.4.10 kernel 2.6.22 can only run<br>
> behind firewall(natted).<br>
> To: <a href="mailto:users@openswan.org">users@openswan.org</a><br>
> Message-ID:<br>
> <<a href="mailto:92eb98380903160031s2b01e2eboa5355ce32f749a5@mail.gmail.com">92eb98380903160031s2b01e2eboa5355ce32f749a5@mail.gmail.com</a>><br>
> Content-Type: text/plain; charset="iso-8859-1"<br>
><br>
> Hi everyone:<br>
> I have a strange problem: the IPSEC SA can be established, but it can only forward<br>
> packets through NAT.<br>
><br>
><br>
> 1.WITHOUT NAT NetWork topology:<br>
><br>
> PC A:<br>
> eth0:192.168.100.234<br>
> eth1:192.168.1.234<br>
> PC B:<br>
> eth0:192.168.111.231<br>
> eth1:192.168.1.231<br>
><br>
> My pc(Windows XP,trying to access 192.168.111.231,set 192.168.100.234 as<br>
> gateway):<br>
> eth0:192.168.100.10<br>
><br>
> 2.ipsec.conf (PC A)<br>
> -bash-3.2$ cat /etc/ipsec.conf<br>
> version 2.0 # conforms to second version of ipsec.conf specification<br>
> config setup<br>
> plutodebug = all<br>
> klipsdebug = all<br>
> nat_traversal=no<br>
> interfaces = "ipsec0=eth1"<br>
> include /etc/ipsec.d/examples/no_oe.conf<br>
> conn aa<br>
> type = tunnel<br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> esp = 3DES-SHA1<br>
> ike = 3DES-SHA1-MODP1024<br>
> aggrmode = yes<br>
> pfs = yes<br>
> pfsgroup = MODP1024<br>
> left = 192.168.1.234<br>
> leftsubnet = <a href="http://192.168.100.0/255.255.255.0" target="_blank">192.168.100.0/255.255.255.0</a><br>
> right = 192.168.1.132<br>
> rightsubnet = <a href="http://192.168.111.0/255.255.255.0" target="_blank">192.168.111.0/255.255.255.0</a><br>
> leftid = @aaa<br>
> rightid = @bbb<br>
><br>
> 3.tcp dump result on PC A<br>
><br>
> From eth1, there is a result from the peer node, <a href="http://192.168.1.132" target="_blank">192.168.1.132</a>:<br>
><br>
> -bash-3.2$ sudo ./tcpdump -i eth1 host 192.168.1.132 -vv<br>
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96<br>
> bytes<br>
> 14:16:32.753634 IP (tos 0x0, ttl 64, id 51990, offset 0, flags [none],<br>
> proto<br>
> ESP (50), length 112) 192.168.1.234 > <a href="http://192.168.1.132" target="_blank">192.168.1.132</a>:<br>
> ESP(spi=0xa1015406,seq=0x2), length 92<br>
> 14:16:52.764378 IP (tos 0x0, ttl 64, id 32957, offset 0, flags [none],<br>
> proto<br>
> ESP (50), length 112) 192.168.1.132 > <a href="http://192.168.1.234" target="_blank">192.168.1.234</a>:<br>
> ESP(spi=0x1c703a00,seq=0x2), length 92<br>
> 14:16:37.729272 arp who-has 192.168.1.132 tell 192.168.1.234<br>
> 14:16:37.729482 arp reply 192.168.1.132 is-at 00:19:db:47:0c:60 (oui<br>
> Unknown)<br>
><br>
> 4 packets captured<br>
> 4 packets received by filter<br>
> 0 packets dropped by kernel<br>
><br>
> But no result for ipsec0(192.168.100.10 is my IP)<br>
> -bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>
> tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>
> bytes<br>
> 14:16:32.744483 IP (tos 0x0, ttl 127, id 31949, offset 0, flags [none],<br>
> proto ICMP (1), length 60) 192.168.100.10 > <a href="http://192.168.111.132" target="_blank">192.168.111.132</a>: ICMP echo<br>
> request, id 768, seq 35072, length 40<br>
> 14:16:32.747816 IP (tos 0x0, ttl 64, id 7320, offset 0, flags [DF], proto<br>
> UDP (17), length 74) 192.168.1.234.filenet-pa > 192.168.111.1.domain: [udp<br>
> sum ok] 3304+ PTR? 132.111.168.192.in-addr.arpa. (46)<br>
><br>
> 2 packets captured<br>
> 13 packets received by filter<br>
> 0 packets dropped by kernel<br>
> -bash-3.2$<br>
><br>
> 4.ipsec log file (can only see messages sent out)<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
> skb->dev=ipsec0 dev=ipsec0.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
> Revectored 0p00000000->0pdc883a24 len=84 type=2048 dev=ipsec0->eth1<br>
> dev_addr=00:50:c2:1c:97:92 ip=c0a864ea->c0a86f01<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
> >>><br>
> skb->len=98 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:84<br>
> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
> daddr:192.168.111.1 type:code=8:0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
> Original head,tailroom: 2,28<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
> 192.168.100.234:0-><a href="http://192.168.111.1:0" target="_blank">192.168.111.1:0</a> 1<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
> exactly as a host destination<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>
> leaf,<br>
> t=0pde630180<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking<br>
> for<br>
> local udp/500 IKE packet saddr=c0a864ea, er=0pde630180, daddr=c0a86f01,<br>
> er_dst=c0a80184, proto=1 sport=0 dport=0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>
> in<br>
> ipsec_sa table for hash=168 of<br>
> SA:tun.1002@192.168.1.132 requested.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>
> ipsec_sa -- SA:<IPIP> tun.1002@192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
> room for <IPIP>, SA:tun.1002@192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> Required<br>
> head,tailroom: 20,0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
> room for <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.1867139c@192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> Required<br>
> head,tailroom: 16,16<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> existing<br>
> head,tailroom: 2,28 before applying xforms with head,tailroom: 36,16 .<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> mtu:1500<br>
> physmtu:1500 tothr:36 tottr:16 mtudiff:52 ippkttotlen:84<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>
> ipsec0 mtu of 1500 decreased by 57 to 1443<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> allocating 14 bytes for hardheader.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> head,tailroom: 16,28 after hard_header stripped.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:84<br>
> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
> daddr:192.168.111.1 type:code=8:0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> head,tailroom: 68,104 after allocation<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:84<br>
> id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234<br>
> daddr:192.168.111.1 type:code=8:0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
> output for <IPIP>, SA:tun.1002@192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>
> 20<br>
> bytes, putting 0, proto 4.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
> head,tailroom: 48,104 before xform.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
> <IPIP>, SA:tun.1002@192.168.1.132:<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>
> daddr:192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234<br>
> daddr:192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
> output for <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.1867139c@192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>
> 16<br>
> bytes, putting 16, proto 50.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
> head,tailroom: 32,88 before xform.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=136:<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
> with encalg=3, ixt_e=df0c3bc0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
> cbc_encrypt encalg=3 ips_key_e=d26c5400 idat=de5f6644 ilen=88 iv=de5f663c,<br>
> encrypt=1<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
> ret=1<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
> <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.1867139c@192.168.1.132:<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
> saddr:192.168.1.234 daddr:192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
> saddr:192.168.1.234 daddr:192.168.1.132<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer<br>
> passed<br>
> in!<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
> <a href="http://192.168.1.234:0" target="_blank">192.168.1.234:0</a><br>
> -><a href="http://192.168.1.132:0" target="_blank">192.168.1.132:0</a> 50<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
> exactly as a host destination<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>
> leaf,<br>
> t=0pde630180<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>
> the tree, t=0pde630180<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pde630198<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pdc8838c0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd5f31d68<br>
> cp3=0pd8d998d0<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
> After recursive xforms -- head,tailroom: 32,88<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
> With hard_header, final head,tailroom: 18,88<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done,<br>
> calling<br>
> ip_send() on device:eth1<br>
> Mar 16 12:49:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010<br>
> saddr:192.168.1.234 daddr:192.168.1.132<br>
><br>
><br>
> 5.WITH NAT NetWork topology:<br>
> PC A<br>
> eth0:192.168.100.234<br>
> eth1:192.168.111.234<br>
> Gateway: 192.168.111.1(udp port 500,4500 natted to PC A)<br>
><br>
> Server B:<br>
> ppp0--->pppoe<br>
> eth1:192.168.80.1<br>
><br>
> 6.ipsec.conf (PC A)<br>
> version 2.0 # conforms to second version of ipsec.conf specification<br>
> config setup<br>
> plutodebug = all<br>
> klipsdebug = all<br>
> nat_traversal=yes<br>
> interfaces = "%defaultroute"<br>
> include /etc/ipsec.d/examples/no_oe.conf<br>
> conn cylan<br>
> type = tunnel<br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> esp = 3DES-SHA1<br>
> ike = 3DES-SHA1-MODP1024<br>
> aggrmode = yes<br>
> pfs = yes<br>
> pfsgroup = MODP1024<br>
> left = %defaultroute<br>
> leftsubnet = <a href="http://192.168.100.0/255.255.255.0" target="_blank">192.168.100.0/255.255.255.0</a><br>
> right = 219.133.245.113<br>
> rightsubnet = <a href="http://192.168.80.0/255.255.255.0" target="_blank">192.168.80.0/255.255.255.0</a><br>
> leftid = @bbb<br>
> rightid = @aaa<br>
><br>
> 7.tcp dump result on PC A<br>
> -bash-3.2$ sudo ./tcpdump -i eth1 host 219.133.245.113<br>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes<br>
> 14:55:14.424375 IP 192.168.111.234.ipsec-nat-t ><br>
> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>
> ESP(spi=0x4f6ec270,seq=0x2), length 92<br>
> 14:55:23.105922 IP 192.168.111.234.ipsec-nat-t ><br>
> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:<br>
> ESP(spi=0x4f6ec270,seq=0x3), length 92<br>
> 14:55:25.115728 IP 192.168.111.234.ipsec-nat-t ><br>
> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>
> isakmp-nat-keep-alive<br>
> 14:55:25.117799 IP 192.168.111.234.ipsec-nat-t ><br>
> 113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:<br>
> isakmp-nat-keep-alive<br>
><br>
> 4 packets captured<br>
> 4 packets received by filter<br>
> 0 packets dropped by kernel<br>
><br>
> ipsec0 got ICMP echo replies, it's ok<br>
> -bash-3.2$ sudo ./tcpdump -i ipsec0 -vv<br>
> tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96<br>
> bytes<br>
> 14:56:34.183178 IP (tos 0x0, ttl 127, id 44881, offset 0, flags [none],<br>
> proto ICMP (1), length 60) 192.168.100.10 > <a href="http://192.168.80.1" target="_blank">192.168.80.1</a>: ICMP echo<br>
> request,<br>
> id 768, seq 36352, length 40<br>
> 14:56:34.207201 IP (tos 0x0, ttl 64, id 50421, offset 0, flags [none],<br>
> proto<br>
> ICMP (1), length 60) 192.168.80.1 > <a href="http://192.168.100.10" target="_blank">192.168.100.10</a>: ICMP echo reply, id<br>
> 768,<br>
> seq 36352, length 40<br>
><br>
> 2 packets captured<br>
> 2 packets received by filter<br>
> 0 packets dropped by kernel<br>
> -bash-3.2$<br>
><br>
> 8.ipsec log file(with icmp result)<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_neigh_setup:<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
> skb->dev=ipsec0 dev=ipsec0.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:<br>
> Revectored 0p00000000->0pd80e4a24 len=60 type=2048 dev=ipsec0->eth1<br>
> dev_addr=00:50:c2:1c:97:92 ip=c0a8640a->c0a85001<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
> >>><br>
> skb->len=74 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:60<br>
> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
> daddr:192.168.80.1 type:code=8:0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:<br>
> Original head,tailroom: 18,36<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
> <a href="http://192.168.100.10:0" target="_blank">192.168.100.10:0</a><br>
> -><a href="http://192.168.80.1:0" target="_blank">192.168.80.1:0</a> 1<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
> exactly as a host destination<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>
> leaf,<br>
> t=0pd85d0e40<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking<br>
> for<br>
> local udp/500 IKE packet saddr=c0a8640a, er=0pd85d0e40, daddr=c0a85001,<br>
> er_dst=db85f571, proto=1 sport=0 dport=0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>
> in<br>
> ipsec_sa table for hash=234 of<br>
> SA:tun.1004@219.133.245.113 requested.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found<br>
> ipsec_sa -- SA:<IPIP> tun.1004@219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
> room for <IPIP>, SA:tun.1004@219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> Required<br>
> head,tailroom: 20,0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling<br>
> room for <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.4f6ec270@219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> Required<br>
> head,tailroom: 16,24<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> existing<br>
> head,tailroom: 18,36 before applying xforms with head,tailroom: 36,24 .<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> mtu:1500<br>
> physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:60<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev<br>
> ipsec0 mtu of 1500 decreased by 65 to 1435<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> allocating 14 bytes for hardheader.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> head,tailroom: 32,36 after hard_header stripped.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:60<br>
> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
> daddr:192.168.80.1 type:code=8:0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:<br>
> head,tailroom: 68,128 after allocation<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:60<br>
> id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10<br>
> daddr:192.168.80.1 type:code=8:0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
> output for <IPIP>, SA:tun.1004@219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>
> 20<br>
> bytes, putting 0, proto 4.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
> head,tailroom: 48,128 before xform.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
> <IPIP>, SA:tun.1004@219.133.245.113:<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:80<br>
> id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>
> daddr:219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:80<br>
> id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234<br>
> daddr:219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling<br>
> output for <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.4f6ec270@219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing<br>
> 16<br>
> bytes, putting 16, proto 50.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:<br>
> head,tailroom: 32,112 before xform.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=112:<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
> with encalg=3, ixt_e=df0c3bc0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
> cbc_encrypt encalg=3 ips_key_e=de5f6800 idat=d1f03c44 ilen=64 iv=d1f03c3c,<br>
> encrypt=1<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
> ret=1<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after<br>
> <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.4f6ec270@219.133.245.113:<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>
> saddr:192.168.111.234 daddr:219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663<br>
> saddr:192.168.111.234 daddr:219.133.245.113<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer<br>
> passed<br>
> in!<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:<br>
> 192.168.111.234:0-><a href="http://219.133.245.113:0" target="_blank">219.133.245.113:0</a> 50<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match<br>
> exactly as a host destination<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a<br>
> leaf,<br>
> t=0pd85d0e40<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up<br>
> the tree, t=0pd85d0e40<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd85d0e58<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd80e4f40<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd94d9aa8<br>
> cp3=0pd8d99990<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
> After recursive xforms -- head,tailroom: 32,112<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_start_xmit:<br>
> encapsuling packet into UDP (NAT-Traversal) (2 8)<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:<br>
> With hard_header, final head,tailroom: 18,104<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done,<br>
> calling<br>
> ip_send() on device:eth1<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:120 id:43802 frag_off:0 ttl:64 proto:17 (UDP) chk:52688 saddr:<br>
> <a href="http://192.168.111.234:4500" target="_blank">192.168.111.234:4500</a> daddr:<a href="http://219.133.245.113:4500" target="_blank">219.133.245.113:4500</a><br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:112 id:50426 frag_off:0 ttl:62 proto:50 (ESP) chk:46576<br>
> saddr:219.133.245.113 daddr:192.168.111.234<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv_decap_once: decap (50)<br>
> from 219.133.245.113 -> 192.168.111.234<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry<br>
> in<br>
> ipsec_sa table for hash=113 of<br>
> SA:esp.a4cc5288@192.168.111.234 requested.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
> SA:esp.a4cc5288@192.168.111.234,<br>
> src=219.133.245.113 of pkt agrees with expected SA source address policy.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
> SA:esp.a4cc5288@192.168.111.234<br>
> First SA<br>
> in group.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: natt_type=2<br>
> tdbp->ips_natt_type=2 : ok<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet from<br>
> 219.133.245.113 received with seq=8 (iv)=0x528c134e3bcb1e22 iplen=92<br>
> esplen=80 sa=esp.a4cc5288@192.168.111.234<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg = 3, authalg =<br>
> 3.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: authentication<br>
> successful.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg=3 esphlen=16<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering<br>
> with encalg=3, ixt_e=df0c3bc0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling<br>
> cbc_encrypt encalg=3 ips_key_e=d88e4000 idat=d1f03c4c ilen=64 iv=d1f03c44,<br>
> encrypt=0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned<br>
> ret=1<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: padlen=2, contents:<br>
> 0x<offset>: 0x<value> 0x<value> ...<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: 00: 01 02<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet decrypted from<br>
> 219.133.245.113: next_header = 4, padding = 2<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: trimming to 60.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: after<br>
> <ESP_3DES_HMAC_SHA1>,<br>
> SA:esp.a4cc5288@192.168.111.234:<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:80<br>
> id:50426 frag_off:0 ttl:62 proto:4 chk:46629 saddr:219.133.245.113<br>
> daddr:192.168.111.234<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:<br>
> SA:esp.a4cc5288@192.168.111.234,<br>
> Another<br>
> IPSEC header to process.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: ESP SA sets<br>
> skb->nfmark=0x170000.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP tunnel stripped.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug: IP: ihl:20 ver:4 tos:0<br>
> tlen:60<br>
> id:50425 frag_off:0 ttl:64 proto:1 (ICMP) chk:32875 saddr:192.168.80.1<br>
> daddr:192.168.100.10 type:code=0:0<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP SA sets<br>
> skb->nfmark=0x170000.<br>
> Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: netif_rx() called.<br>
><br>
><br>
> 9. udp.c manually patched...<br>
> start line:1097<br>
> if (ret < 0) {<br>
> if(xfrm4_rcv_encap_func != NULL) {<br>
> ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);<br>
> UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS,up->pcflag);<br>
> } else {<br>
> UDP_INC_STATS_BH(UDP_MIB_INERRORS,up->pcflag);<br>
> ret = 1;<br>
> }<br>
> return ret;<br>
><br>
> }<br>
><br>
><br>
<br>
<br>
<br>
<br>
End of Users Digest, Vol 64, Issue 21<br>
*************************************<br>
</blockquote></div><br><br clear="all"><br>-- <br>from Romeo<br>
</div>