[Openswan dev] decrypted packet appears at wrong ipsec interface
hiren joshi
joshihirenn at gmail.com
Tue Jan 13 07:24:59 EST 2009
Hello,
The following patch is working for me:
--- net/ipsec/ipsec_rcv.c.orig Tue Dec 23 13:10:46 2008
+++ net/ipsec/ipsec_rcv.c Tue Dec 23 15:29:00 2008
@@ -1619,18 +1619,44 @@ int klips26_rcv_encap(struct sk_buff *sk
{
struct ipsec_rcv_state nirs, *irs = &nirs;
struct iphdr *ipp;
+ char name[9];
+ struct net_device *ipsecdev = NULL, *prvdev = NULL;
+ struct ipsecpriv *prv = NULL;
+ int i;
/* Don't unlink in the middle of a turnaround */
KLIPS_INC_USE;
memset(irs, 0, sizeof(*irs));
- /* XXX fudge it so that all nat-t stuff comes from ipsec0 */
- /* eventually, the SA itself will determine which device
- * it comes from
- */
- {
- skb->dev = ipsec_get_device(0);
+ if(skb->dev) {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:klips26_rcv_encap: "
+ "<<< Info -- ");
+ KLIPS_PRINTMORE(debug_rcv, "skb->dev=%s ",
+ skb->dev->name ? skb->dev->name : "NULL");
+ KLIPS_PRINTMORE(debug_rcv, "\n");
+
+ if(skb->dev->name) {
+ for(i = 0; i < IPSEC_NUM_IF; i++) {
+ sprintf(name, IPSEC_DEV_FORMAT, i);
+ ipsecdev = __ipsec_dev_get(name);
+ prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) :
NULL;
+ prvdev = prv ? (struct net_device *)(prv->dev) : NULL;
+ if(prvdev && !strcmp(prvdev->name, skb->dev->name)) {
+ skb->dev = ipsecdev;
+ KLIPS_PRINT(debug_rcv && prvdev,
+ "klips_debug:klips26_rcv_encap: "
+ "assigning packet ownership to virtual device
%s from physical device %s.\n",
+ name, prvdev->name);
+ break;
+ }
+ }
+ }
+ } else {
+ KLIPS_PRINT(debug_rcv,
+ "klips_debug:klips26_rcv_encap: "
+ "device supplied with skb is NULL\n");
}
/* set up for decap loop */
Does it look right?
Below are the details.
Thanks for your time.
Regadrs,
-hiren
-------ipsec.conf-------
version 2
config setup
interfaces="ipsec0=eth1 ipsec1=eth2 "
uniqueids=no
nat_traversal=yes
crlcheckinterval=3600
conn %default
leftupdown=/usr/lib/ipsec/_updown
rightupdown=/usr/lib/ipsec/_updown
conn rw-1
auto=add
type=tunnel
left=172.16.2.2
leftnexthop=172.16.2.1
right=%any
authby=secret
leftsubnet=192.168.88.0/24
rightsubnet="vhost:%v4:0.0.0.0/0"
-------/proc/net/ipsec_tncfg---------
ipsec0 -> eth1 mtu=16260(1500) -> 1500
ipsec1 -> eth2 mtu=16260(1500) -> 1500
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
-------ip addr ls---------
1: lo: <LOOPBACK,UP> mtu 1500 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:11:5a:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.13/24 brd 192.168.88.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
inet 172.16.2.2/24 brd 172.16.2.255 scope global eth2
9: imq0: <NOARP,UP> mtu 1500 qdisc hfsc qlen 30
link/void
10: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
link/void
19: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
inet 172.16.1.2/24 brd 172.16.1.255 scope global ipsec0
20: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
inet 172.16.2.2/24 brd 172.16.2.255 scope global ipsec1
21: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
22: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
--------eroutes--------
0 192.168.88.0/24 -> 172.16.3.3/32 => tun0x100e at 172.16.2.1
-------tcpdump-------
17:31:02.003027 eth2 < 172.16.2.1.4500 > 172.16.2.2.4500: udp 100
17:31:02.003027 if20 < 172.16.3.3 > 192.168.88.13: icmp: echo request
17:31:02.003418 if20 > 192.168.88.13 > 172.16.3.3: icmp: echo reply
17:31:02.003488 eth2 > 172.16.2.2.4500 > 172.16.2.1.4500: udp 100
-------klipsdebug--all---------
: klips_debug:klips26_rcv_encap: <<< Info -- skb->dev=eth2
: klips_debug:klips26_rcv_encap: assigning packet ownership to virtual
device ipsec1 from physical device eth2.
: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:120 id:27746 frag_off:0 ttl:127
proto:50 (ESP) chk:29415 saddr:172.16.2.1 daddr:172.16.2.2
: klips_debug:ipsec_rcv_decap_once: decap (50) from 172.16.2.1 -> 172.16.2.2
: klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=46
of SA:esp.6c0ad7d8 at 172.16.2.2 <SA%3Aesp.6c0ad7d8 at 172.16.2.2> requested.
: klips_debug:ipsec_rcv:
SA:esp.6c0ad7d8 at 172.16.2.2<SA%3Aesp.6c0ad7d8 at 172.16.2.2>,
src=172.16.2.1 of pkt agrees with expected SA source address policy.
: klips_debug:ipsec_rcv:
SA:esp.6c0ad7d8 at 172.16.2.2<SA%3Aesp.6c0ad7d8 at 172.16.2.2>First SA in
group.
: klips_debug:ipsec_rcv: natt_type=2 tdbp->ips_natt_type=2 : ok
: klips_debug:ipsec_rcv: packet from 172.16.2.1 received with seq=12
(iv)=0x2068e8f5abeca063 iplen=100 esplen=88 sa=esp.6c0ad7d8 at 172.16.2.2
: klips_debug:ipsec_rcv: encalg = 12, authalg = 2.
: klips_debug:ipsec_rcv: authentication successful.
: klips_debug:ipsec_rcv: encalg=12 esphlen=24
: klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=d0b535f0
: klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12
ips_key_e=cc14c800 idat=cc34e654 ilen=64 iv=cc34e644, encrypt=0
: klips_debug:ipsec_alg_esp_encrypt: returned ret=64
: klips_debug:ipsec_rcv: padlen=2, contents: 0x<offset>: 0x<value> 0x<value>
...
: klips_debug: 00: 01 02
: klips_debug:ipsec_rcv: packet decrypted from 172.16.2.1: next_header = 4,
padding = 2
: klips_debug:ipsec_rcv: trimming to 60.
: klips_debug:ipsec_rcv: after <ESP_AES_HMAC_MD5>,
SA:esp.6c0ad7d8 at 172.16.2.2 <SA%3Aesp.6c0ad7d8 at 172.16.2.2>:
: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:80 id:27746 frag_off:0 ttl:127
proto:4 chk:29476 saddr:172.16.2.1 daddr:172.16.2.2
: klips_debug:ipsec_rcv:
SA:esp.6c0ad7d8 at 172.16.2.2<SA%3Aesp.6c0ad7d8 at 172.16.2.2>,
Another IPSEC header to process.
: klips_debug:ipsec_rcv: ESP SA sets skb->nfmark=0x5e0000.
: klips_debug:ipsec_rcv: IPIP tunnel stripped.
: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60 id:27746 frag_off:0 ttl:128
proto:1 (ICMP) chk:1686 saddr:172.16.3.3 daddr:192.168.88.13 type:code=8:0
: klips_debug:ipsec_rcv: IPIP SA sets skb->nfmark=0x5f0000.
: klips_debug:ipsec_rcv: netif_rx() called.
On Mon, Sep 8, 2008 at 7:39 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 8 Sep 2008, hiren joshi wrote:
>
> That seems like a step in the right direction. Though we should see if we
>>> can determine this properly by looking up the ipsecX interface belonging
>>> to
>>> the skb->dev->name ethX interface.
>>>
>>
>> The code was just for a PoC.
>>
>
> I know. Thanks for that.
>
> The comment says that there is some motivation for fudging ipsec0 for
>> NATed connections.
>>
>> /* XXX fudge it so that all nat-t stuff comes from ipsec0 */
>> /* eventually, the SA itself will determine which device
>> * it comes from
>> */
>> {
>> skb->dev = ipsec_get_device(0);
>> }
>>
>> Would it be proper to override this fudging by mapping ipsecX to ethX?
>>
>
> Yes, that would be the proper fix. I am not sure yet if there was a
> reason this needed to be fudged.
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/dev/attachments/20090113/a5cd3635/attachment.html
More information about the Dev
mailing list