[Openswan dev] Possible Bug?
Jochen Witte
jwitte at alpha-lab.net
Sat Feb 26 10:12:11 CET 2005
Hello,
I experienced some latencies in a VPN, which is configured like this:
Internet
|
10.128.0.0/24 <---> LEFTGW <---> LEFTEXTFW <---> RIGHTGW <--->10.49.0.0/20
(OpenSWAN 2.1.5) (FreeSWAN)
(Kernel 2.6.10) (Kernel 2.4.?)
Sometimes TCP-connections do not come up at all. Ping works well.
The problem arises, when trying to connect with e.g. ssh from LEFT subnet
to RIGHT subnet. Both ends masquerade their subnets.
This is my config:
---snip---
conn LEFT-RIGHT
type=tunnel
authby=rsasig
keyexchange=ike
keyingtries=1
left=LEFTGW
leftsubnet=10.128.0.0/24
leftnexthop=EXTFW
leftid=@my_id
leftrsasigkey=.....
# 10.49.0.0, netmask 255.255.248.0
right=RIGHTGW
rightsubnet=10.49.0.0/20
rightnexthop=next hop of RIGHTGW
rightid=@their_id
rightrsasigkey=.....
auto=start
---snip---
Now for the strange part: I try to connect with ssh from 10.128.0.23 (left
subnet) to 10.49.2.2 (right subnet) and this is what I see on my LEFTEXTFW (!!!!!!!)
---snip---
[root at LEFTEXTFW root]# tcpdump -i eth1 host 10.49.2.2
tcpdump: listening on eth1
09:43:07.891168 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x41) (DF)
09:43:08.125144 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x42) (DF)
09:43:08.605192 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x43) (DF)
09:43:09.565159 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x44) (DF)
---snip---
Wooo. What do these packages have to do here? They will get dropped,
since 10.49.0.0 is not routable in the internet. Here is, what
happens on LEFTGW (external interface):
---snip---
[root at LEFTGW ~]# tethereal -i eth1 host 10.49.2.2
Capturing on eth1
0.000000 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=65583238 TSER=388064315 WS=0
0.032785 10.49.2.2 -> 10.128.0.23 SSH Server Protocol: SSH-2.0-OpenSSH_3.5p1
0.033218 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
0.263878 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
0.264241 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
0.743811 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
0.744178 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
1.703859 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
1.704258 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
3.623836 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
3.653833 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=23 Ack=25 Win=5792 Len=0 TSV=65583604 TSER=388064681
3.663339 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=544
3.722869 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=567 Ack=657 Win=6952 Len=0 TSV=65583611 TSER=388064683
3.752842 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=567 Ack=681 Win=6952 Len=0 TSV=65583614 TSER=388064690
3.765224 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=424
3.872798 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=991 Ack=1097 Win=8216 Len=0 TSV=65583626 TSER=388064698
3.924459 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=736
4.046790 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=1727 Ack=1113 Win=8216 Len=0 TSV=65583643 TSER=388064720
4.073906 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=1727 Ack=1161 Win=8216 Len=0 TSV=65583646 TSER=388064723
4.076855 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=48
4.115941 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=80
4.148844 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet
len=80
---snip---
Line 3,5,7,9 show the packages You can see in the sniff on the LEFTEXTFW.
My conclusion: SOME (!) of my packages are not sent over the tunnel, but
LEFTGW uses ESP and routes the particular packages directly instead. I
assume this is a bug, or have I got something wrong?
Here is setkey -D:
---snip---
RIGHTGW LEFTGW
esp mode=tunnel spi=1987264469(0x76733fd5) reqid=16385(0x00004001)
E: 3des-cbc ...
A: hmac-md5 ...
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 08:15:35 2005 current: Feb 26 08:58:23 2005
diff: 2568(s) hard: 0(s) soft: 0(s)
last: Feb 26 08:41:29 2005 hard: 0(s) soft: 0(s)
current: 14316(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 104 hard: 0 soft: 0
sadb_seq=1 pid=761 refcnt=0
LEFTGW RIGHTGW
esp mode=tunnel spi=3256745232(0xc21dfd10) reqid=16385(0x00004001)
E: 3des-cbc ...
A: hmac-md5 ...
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Feb 26 08:15:35 2005 current: Feb 26 08:58:23 2005
diff: 2568(s) hard: 0(s) soft: 0(s)
last: Feb 26 08:41:29 2005 hard: 0(s) soft: 0(s)
current: 18904(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 121 hard: 0 soft: 0
sadb_seq=0 pid=761 refcnt=0
---snip---
The "bad" packages use the second SPI, which is wrong, since we are in
tunnel mode.
Any help is greatly appreciated!
Jochen
More information about the Dev
mailing list