[Openswan dev] [Openswan Users] Switching klips to cryptoapi

Ruben Laban r.laban at ism.nl
Thu Nov 5 09:35:36 EST 2009


On Tuesday 03 November 2009 at 15:44 (CET), Giovani Moda wrote:
> <recipe for switching to cryptoapi>

Let me start by thanking you for this recipe. It works like a charm, mostly.

It compiles just fine.
It loads just fine.
It even encrypts/decrypts packets just fine.

However, when I run tcpdump on ipsec0, the output is "wrong". Let me explain 
by giving an example:

On left I do:

# ping 172.16.1.20 -c 1 -p deadbeefdeadbeef
PATTERN: 0xdeadbeefdeadbeef
PING 172.16.1.20 (172.16.1.20) 56(84) bytes of data.
64 bytes from 172.16.1.20: icmp_seq=1 ttl=64 time=17.0 ms

--- 172.16.1.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.058/17.058/17.058/0.000 ms

On right I see:

# tcpdump -nvi ipsec0
tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
15:25:17.635972 40:00:40:01:dd:69 > 45:00:00:54:00:00, ethertype Unknown (0xac10), length 84: 
        0x0000:  040b ac10 0114 0800 3348 5c13 0001 1fdd  ........3H\.....
        0x0010:  f24a ed17 0600 dead beef dead beef dead  .J..............
        0x0020:  beef dead beef dead beef dead beef dead  ................
        0x0030:  beef dead beef dead beef dead beef       ..............
15:25:17.637372 00:00:40:01:d0:1b > 45:00:00:54:4d:4e, ethertype Unknown (0xac10), length 84: 
        0x0000:  0114 ac10 040b 0000 3b48 5c13 0001 1fdd  ........;H\.....
        0x0010:  f24a ed17 0600 dead beef dead beef dead  .J..............
        0x0020:  beef dead beef dead beef dead beef dead  ................
        0x0030:  beef dead beef dead beef dead beef       ..............
2 packets captured
2 packets received by filter
0 packets dropped by kernel

For some reason, tcpdump sees 2 bytes "too much". The 040b and 0114 shouldn't 
be there.

This is reproducible on both a 2.6.24 (Ubuntu Hardy) and 2.6.28 (Ubuntu 
Jaunty) kernel. I haven't tested any other kernels yet.

The openswan version used was the latest git as of this morning (the commits ml 
shows 3 commits since).
-- 
Regards,

Ruben Laban
Systems and Network Administrator
ISM eCompany
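
An added example, not part of the original post: it puts the 14 bytes that tcpdump printed as Ethernet addresses and ethertype for the first captured packet back in front of the start of its hex dump, then decodes the result as a bare IPv4 header and checks the header checksum. The function names are illustrative, and the sample bytes are copied from the capture above.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the first packet in the post: the "MAC addresses" and
# "ethertype" tcpdump printed, followed by the first 16 bytes of its hex dump.
DST_MAC = "45:00:00:54:00:00"
SRC_MAC = "40:00:40:01:dd:69"
ETHERTYPE = "ac10"
DUMP = "040b ac10 0114 0800 3348 5c13 0001 1fdd"

def rebuild_frame(dst_mac, src_mac, ethertype, dump):
    """Put back the 14 bytes tcpdump consumed as an Ethernet header."""
    hexstr = dst_mac.replace(":", "") + src_mac.replace(":", "") + ethertype
    return bytes.fromhex(hexstr + dump.replace(" ", ""))

def checksum_ok(header):
    """RFC 1071: the one's-complement sum of a valid header is 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(raw):
    """Decode raw bytes as IPv4, plus the ICMP header when protocol is 1."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ttl": ttl, "protocol": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": checksum_ok(raw[:ihl]),
    }
    if proto == 1 and len(raw) >= ihl + 8:
        icmp_type, code, _c, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
        info["icmp"] = {"type": icmp_type, "code": code, "id": ident, "seq": seq}
    return info

if __name__ == "__main__":
    packet = rebuild_frame(DST_MAC, SRC_MAC, ETHERTYPE, DUMP)
    for key, value in parse_ipv4(packet).items():
        print(f"{key}: {value}")
```

Read this way, the total length field is 84, the same as the frame length tcpdump reports, and the ICMP sequence number matches the icmp_seq=1 in the ping output.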

