[Openswan dev] ip_hdr discrepancies

Sybille Ebert sybille.ebert at gmx.net
Fri Dec 19 08:11:23 EST 2008


Hello,

I have compiled OpenSwan 2.6.19 on CentOS 5.2 kernel 2.6.18-92.1.22.el5.

In order to make it work, I had to comment out the following in
ipsec_kversion.h:

#if !(defined(CONFIG_SLE_VERSION) && defined(CONFIG_SLE_SP) &&
COINFIG_SLE_VERSION == 10 && CONFIG_SLE_SP >=2)
# define ip_hdr(skb) ((skb)->nh.iph)
#endif

(Note COINFIG instead of CONFIG. Redhat backport-avoiding #if above this
works fine, though.)

After that, it compiled OK. However, my tunnels don't work. I can
successfully establish SA, and I can see ping entering ipsec0, but there
is no ESP traffic. This is what happens:

000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1578s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000


ipsec_tunnel_start_xmit:
STARTING<6>klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98
hard_header_len:14 00:0c:29:cd:31:a8:00:0c:29:cd:31:a8:08:00
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:0 DF frag_off:0 ttl:64
proto:1 (ICMP) chk:27578 saddr:192.168.2.66 daddr:10.0.2.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 18,140
klips_debug:ipsec_findroute: 192.168.2.66:0->10.0.2.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pf68fa0c0
klips_debug:rj_match: *** start searching up the tree, t=0pf68fa0c0
klips_debug:rj_match: **** t=0pf68fa0d8
klips_debug:rj_match: **** t=0pf7f71b00
klips_debug:rj_match: ***** cp2=0pf7d0ada8 cp3=0pf77931f0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet
saddr=c0a80242, er=0p00000000, daddr=a000205, er_dst=0, proto=1 sport=0
dport=0
klips_debug:ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute:
dropping.
klips_debug:ipsec_xsm: processing completed due to IPSEC_XMIT_STOLEN.
klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: 2
klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.
klips_debug:ipsec_tunnel_hard_header: Revectored 0p00000000->0pf7340168
len=84 type=2048 dev=ipsec0->eth0 dev_addr=00:0c:29:cd

The packet's destination is within rightsubnet. Eliminating any other
causes (routing, firewalling, NAT, setups), I am suspecting that this
could be due to conflict in ip_hdr definition. RedHat clearly uses a
different ip_hdr:

In include/linux/ip.h:
static inline struct iphdr *ip_hdr(const struct sk_buff *skb) {
	return (struct iphdr *)skb_network_header(skb);
}

In include/linux/skbuff.h:
static inline unsigned char *skb_network_header(const struct sk_buff *skb) {
	return skb->nh.raw;
}


Any advice?

Thanks a lot!

S
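
An added example, not part of the original post and not Openswan code: it shows what the misspelled guard quoted above evaluates to, and compares the two ip_hdr forms from the post on a mock sk_buff. Assumptions: the CONFIG_SLE_* values are constructed to simulate SLE 10 SP2, nh is modelled as a union as in mainline 2.6.18, and the names ip_hdr_macro, ip_hdr_inline, typo_guard_active, fixed_guard_active and accessors_agree are hypothetical.

```c
#include <stdio.h>

/* Constructed: pretend this build targets SLE 10 SP2, the case the guard exempts. */
#define CONFIG_SLE_VERSION 10
#define CONFIG_SLE_SP 2

/* Guard as quoted in the post, typo included. An undefined identifier in #if
 * evaluates to 0, so "COINFIG_SLE_VERSION == 10" is false and !(...) is true. */
#if !(defined(CONFIG_SLE_VERSION) && defined(CONFIG_SLE_SP) && \
      COINFIG_SLE_VERSION == 10 && CONFIG_SLE_SP >= 2)
# define TYPO_GUARD_ACTIVE 1
#else
# define TYPO_GUARD_ACTIVE 0
#endif
/* Same guard with the spelling corrected. */
#if !(defined(CONFIG_SLE_VERSION) && defined(CONFIG_SLE_SP) && \
      CONFIG_SLE_VERSION == 10 && CONFIG_SLE_SP >= 2)
# define FIXED_GUARD_ACTIVE 1
#else
# define FIXED_GUARD_ACTIVE 0
#endif

/* Mock of the relevant sk_buff part (assumption: nh is a union, as in 2.6.18). */
struct iphdr { unsigned char ver_ihl; };
struct sk_buff { union { struct iphdr *iph; unsigned char *raw; } nh; };

/* Macro form from ipsec_kversion.h, renamed so it cannot clash with the function. */
#define ip_hdr_macro(skb) ((skb)->nh.iph)
/* Inline form from the Red Hat headers quoted in the post, renamed likewise. */
static inline unsigned char *skb_network_header(const struct sk_buff *skb) {
	return skb->nh.raw;
}
static inline struct iphdr *ip_hdr_inline(const struct sk_buff *skb) {
	return (struct iphdr *)skb_network_header(skb);
}

int typo_guard_active(void)  { return TYPO_GUARD_ACTIVE; }
int fixed_guard_active(void) { return FIXED_GUARD_ACTIVE; }

/* Returns 1 when both accessors yield the same header pointer. */
int accessors_agree(void) {
	struct iphdr hdr = { 0x45 };
	struct sk_buff skb;
	skb.nh.iph = &hdr;
	return ip_hdr_macro(&skb) == ip_hdr_inline(&skb);
}

int main(void) {
	printf("typo guard active: %d, fixed guard active: %d, accessors agree: %d\n",
	       typo_guard_active(), fixed_guard_active(), accessors_agree());
	return 0;
}
```

Building with GCC's -Wundef makes the preprocessor warn about the misspelled identifier instead of silently treating it as 0.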


