[Openswan dev] 2.6.34rc3 broke 6in4 ?

Paul Wouters paul at xelerance.com
Tue May 24 21:36:43 EDT 2011


On Wed, 25 May 2011, David McCullough wrote:

> It's worse than that I think, try the change I just pushed.

Partial fix. The packet now gets encrypted, sent away, gets an encrypted
reply, which gets dropped. This happens even when I run:

echo 0 > /proc/sys/net/ipsec/inbound_policy_check

klipsdebug says:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=118 hard_header_len:14 52:54:00:73:49:04:52:54:00:73:49:04:86:dd 
klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 10,0
klips_debug:ipsec_findroute: [2001:888:2003:1]:0->[2a00:1450:8005:]:0 58
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pffff880011115c00
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=2001:888:2003:1006::1, er=0pffff880011115c00, daddr=2a00:1450:8005::63, er_dst=82.94.220.195, proto=58 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=32 of SA:tun.1001 at 82.94.220.195 requested.
ipsec_sa_get: ipsec_sa ffff88001d688c00 SA:tun.1001 at 82.94.220.195, ref:1 reference count (3++) incremented by ipsec_sa_getbyid:563.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1001 at 82.94.220.195
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1001 at 82.94.220.195
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,32
klips_debug:ipsec_xmit_init2: existing head,tailroom: 10,0 before applying xforms with head,tailroom: 44,32 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:32 mtudiff:76 ippkttotlen:104
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 81 to 1419
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 24,0 after hard_header stripped.
klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
klips_debug:ipsec_xmit_init2: head,tailroom: 76,76 after allocation
klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
klips_debug:ipsec_xmit_encap_once: calling output for <IPIP>, SA:tun.1001 at 82.94.220.195
klips_debug:ipsec_xmit_encap_once: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_once: head,tailroom: 56,76 before xform.
klips_debug:ipsec_xmit_encap_once: after <IPIP>, SA:tun.1001 at 82.94.220.195:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:124 id:43694 frag_off:0 ttl:64 proto:41 chk:25978 saddr:192.168.122.102 daddr:82.94.220.195
ipsec_sa_put: ipsec_sa ffff88001d688c00 SA:tun.1001 at 82.94.220.195, ref:1 reference count (4--) decremented by ipsec_xmit_cont:1304.
ipsec_sa_get: ipsec_sa ffff88001115cc00 SA:esp.5f6580c8 at 82.94.220.195, ref:2 reference count (3++) incremented by ipsec_xmit_cont:1309.
klips_debug:ipsec_xmit_encap_once: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195
klips_debug:ipsec_xmit_encap_once: pushing 24 bytes, putting 20, proto 50.
klips_debug:ipsec_xmit_encap_once: head,tailroom: 32,56 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=ffffffffa06163d8
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=ffff880011050540 idat=ffff88001d21c04c ilen=112 iv=ffff88001d21c03c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=112
klips_debug:ipsec_xmit_encap_once: after <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:168 id:43694 frag_off:0 ttl:64 proto:50 (ESP) chk:25978 saddr:192.168.122.102 daddr:82.94.220.195
ipsec_sa_put: ipsec_sa ffff88001115cc00 SA:esp.5f6580c8 at 82.94.220.195, ref:2 reference count (4--) decremented by ipsec_xmit_cont:1304.
klips_debug:ipsec_findroute: 192.168.122.102:0->82.94.220.195:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pffff880011115c00
klips_debug:rj_match: *** start searching up the tree, t=0pffff880011115c00
klips_debug:rj_match: **** t=0pffff880011115c30
klips_debug:rj_match: **** t=0pffff88001467c2f8
klips_debug:rj_match: ***** cp2=0pffff88001d07cad8 cp3=0pffff88001d68a6e0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_tunnel_start_xmit: encapsuling packet into UDP (NAT-Traversal) (2 8)
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,48
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,48
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:176 id:43694 frag_off:0 ttl:64 proto:17 (UDP) chk:25950 saddr:192.168.122.102:4500 daddr:82.94.220.195:4500
UDP_ENCAP_ESPINUDP_NON_IKE: len=480 0x0
UDP_ENCAP_ESPINUDP: IKE packet detected
UDP_ENCAP_ESPINUDP_NON_IKE: len=148 0xb65cdc32
UDP_ENCAP_ESPINUDP: ESP IN UDP packet detected
starting processing ESP packet
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv: <<< Info -- skb->dev=eth0 
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device eth0.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:168 id:29249 frag_off:0 ttl:53 proto:50 (ESP) chk:43211 saddr:82.94.220.195 daddr:192.168.122.102
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=90 of SA:esp.32dc5cb6 at 192.168.122.102 requested.
ipsec_sa_getbyid: no entries in ipsec_sa table for hash=90 of SA:esp.32dc5cb6 at 192.168.122.102.
klips_debug:ipsec_rcv: no ipsec_sa for SA:esp.32dc5cb6 at 192.168.122.102: incoming packet with no SA dropped
klips_debug:ipsec_rsm: processing completed due to IPSEC_RCV_SAIDNOTFOUND.
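
A small triage script for klipsdebug output like the log in this message, added here as an example and not part of the original post or of Openswan: it pairs each failed inbound SA lookup with the receive state machine's exit reason and checks whether the word logged by the UDP decapsulation line matches the looked-up SPI in either byte order. The function names and result fields are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Lines copied from the klipsdebug log in the message above.
SAMPLE = """\
klips_debug:ipsec_xmit_encap_once: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195
UDP_ENCAP_ESPINUDP_NON_IKE: len=480 0x0
UDP_ENCAP_ESPINUDP_NON_IKE: len=148 0xb65cdc32
ipsec_sa_getbyid: no entries in ipsec_sa table for hash=90 of SA:esp.32dc5cb6 at 192.168.122.102.
klips_debug:ipsec_rcv: no ipsec_sa for SA:esp.32dc5cb6 at 192.168.122.102: incoming packet with no SA dropped
klips_debug:ipsec_rsm: processing completed due to IPSEC_RCV_SAIDNOTFOUND.
"""

IP4 = r"(\d+(?:\.\d+){3})"
OUT_RE = re.compile(r"ipsec_xmit_encap_once: calling output for <[^>]+>, SA:(esp\.[0-9a-f]+) at " + IP4)
WORD_RE = re.compile(r"UDP_ENCAP_ESPINUDP_NON_IKE: len=\d+ 0x([0-9a-f]+)")
MISS_RE = re.compile(r"ipsec_sa_getbyid: no entries in ipsec_sa table for hash=\d+ of SA:(\w+\.([0-9a-f]{1,8})) at " + IP4)
RSM_RE = re.compile(r"ipsec_rsm: processing completed due to (\w+)")

def byteswap32(value):
    """Reverse the byte order of a 32-bit value (an SPI is 32 bits wide)."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")

def triage(log):
    """Return one record per inbound packet whose SA lookup failed."""
    outbound, findings, word, miss = [], [], None, None
    for line in log.splitlines():
        if (m := OUT_RE.search(line)):
            # ESP SA used on the transmit side, kept for comparison.
            outbound.append(f"{m.group(1)}@{m.group(2)}")
        elif (m := WORD_RE.search(line)):
            # Most recent 32-bit word logged by the UDP decapsulation hook.
            word = int(m.group(1), 16)
        elif (m := MISS_RE.search(line)):
            spi = int(m.group(2), 16)
            order = ("same" if word == spi else
                     "byte-swapped" if word == byteswap32(spi) else "no match")
            miss = {"said": m.group(1), "dst": m.group(3), "udp_word": order,
                    "outbound": list(outbound), "verdict": None}
        elif (m := RSM_RE.search(line)) and miss:
            # Exit reason of the receive state machine closes the record.
            miss["verdict"] = m.group(1)
            findings.append(miss)
            miss = None
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the lines above it reports esp.32dc5cb6 at 192.168.122.102 as the missing SA, with the logged word 0xb65cdc32 being that SPI in reversed byte order.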

