[Openswan dev] 2.6.34rc3 broke 6in4 ?

David McCullough david_mccullough at mcafee.com
Thu May 26 09:07:54 EDT 2011


Jivin Paul Wouters lays it down ...
> On Wed, 25 May 2011, David McCullough wrote:
> 
> > It's worse than that I think, try the change I just pushed.
> 
> Partial fix. The packet now gets encrypted, sent away, gets an encrypted
> reply, which gets dropped. This happens even when I run:
> 
> echo 0 > /proc/sys/net/ipsec/inbound_policy_check

Try the latest, I am not seeing this behaviour, but there is something
fishy with the routing cache on one of my hosts that I can't explain.

So linux-2.6.26 seems ok but linux-2.6.38 is giving me some issues: the first
packet works, following packets fail until the routing cache times out. Haven't
figured out why yet but should have it sometime tomorrow; the packets don't
even reach ipsec.

Cheers,
Davidm

> klipsdebug says:
> 
> ipsec_tunnel_start_xmit: STARTING
> klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=118 hard_header_len:14 52:54:00:73:49:04:52:54:00:73:49:04:86:dd 
> klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
> klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 10,0
> klips_debug:ipsec_findroute: [2001:888:2003:1]:0->[2a00:1450:8005:]:0 58
> klips_debug:rj_match: * See if we match exactly as a host destination
> klips_debug:rj_match: ** try to match a leaf, t=0pffff880011115c00
> klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=2001:888:2003:1006::1, er=0pffff880011115c00, daddr=2a00:1450:8005::63, er_dst=82.94.220.195, proto=58 sport=0 dport=0
> ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=32 of SA:tun.1001 at 82.94.220.195 requested.
> ipsec_sa_get: ipsec_sa ffff88001d688c00 SA:tun.1001 at 82.94.220.195, ref:1 reference count (3++) incremented by ipsec_sa_getbyid:563.
> klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1001 at 82.94.220.195
> klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1001 at 82.94.220.195
> klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
> klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195
> klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,32
> klips_debug:ipsec_xmit_init2: existing head,tailroom: 10,0 before applying xforms with head,tailroom: 44,32 .
> klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:32 mtudiff:76 ippkttotlen:104
> klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 81 to 1419
> klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
> klips_debug:ipsec_xmit_init2: head,tailroom: 24,0 after hard_header stripped.
> klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
> klips_debug:ipsec_xmit_init2: head,tailroom: 76,76 after allocation
> klips_debug:   IPV6: prio:0 ver:6 flow:000000 pllen:64 hopl:64 nexthdr:58 (ICMP) saddr:2001:888:2003:1 daddr:2a00:1450:8005:
> klips_debug:ipsec_xmit_encap_once: calling output for <IPIP>, SA:tun.1001 at 82.94.220.195
> klips_debug:ipsec_xmit_encap_once: pushing 20 bytes, putting 0, proto 4.
> klips_debug:ipsec_xmit_encap_once: head,tailroom: 56,76 before xform.
> klips_debug:ipsec_xmit_encap_once: after <IPIP>, SA:tun.1001 at 82.94.220.195:
> klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:124 id:43694 frag_off:0 ttl:64 proto:41 chk:25978 saddr:192.168.122.102 daddr:82.94.220.195
> ipsec_sa_put: ipsec_sa ffff88001d688c00 SA:tun.1001 at 82.94.220.195, ref:1 reference count (4--) decremented by ipsec_xmit_cont:1304.
> ipsec_sa_get: ipsec_sa ffff88001115cc00 SA:esp.5f6580c8 at 82.94.220.195, ref:2 reference count (3++) incremented by ipsec_xmit_cont:1309.
> klips_debug:ipsec_xmit_encap_once: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195
> klips_debug:ipsec_xmit_encap_once: pushing 24 bytes, putting 20, proto 50.
> klips_debug:ipsec_xmit_encap_once: head,tailroom: 32,56 before xform.
> klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=ffffffffa06163d8
> klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=ffff880011050540 idat=ffff88001d21c04c ilen=112 iv=ffff88001d21c03c, encrypt=1
> klips_debug:ipsec_alg_esp_encrypt: returned ret=112
> klips_debug:ipsec_xmit_encap_once: after <ESP_AES_HMAC_SHA1>, SA:esp.5f6580c8 at 82.94.220.195:
> klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:168 id:43694 frag_off:0 ttl:64 proto:50 (ESP) chk:25978 saddr:192.168.122.102 daddr:82.94.220.195
> ipsec_sa_put: ipsec_sa ffff88001115cc00 SA:esp.5f6580c8 at 82.94.220.195, ref:2 reference count (4--) decremented by ipsec_xmit_cont:1304.
> klips_debug:ipsec_findroute: 192.168.122.102:0->82.94.220.195:0 50
> klips_debug:rj_match: * See if we match exactly as a host destination
> klips_debug:rj_match: ** try to match a leaf, t=0pffff880011115c00
> klips_debug:rj_match: *** start searching up the tree, t=0pffff880011115c00
> klips_debug:rj_match: **** t=0pffff880011115c30
> klips_debug:rj_match: **** t=0pffff88001467c2f8
> klips_debug:rj_match: ***** cp2=0pffff88001d07cad8 cp3=0pffff88001d68a6e0
> klips_debug:rj_match: ***** not found.
> klips_debug:ipsec_tunnel_start_xmit: encapsuling packet into UDP (NAT-Traversal) (2 8)
> klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,48
> klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,48
> klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:eth0
> klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:176 id:43694 frag_off:0 ttl:64 proto:17 (UDP) chk:25950 saddr:192.168.122.102:4500 daddr:82.94.220.195:4500
> UDP_ENCAP_ESPINUDP_NON_IKE: len=480 0x0
> UDP_ENCAP_ESPINUDP: IKE packet detected
> UDP_ENCAP_ESPINUDP_NON_IKE: len=148 0xb65cdc32
> UDP_ENCAP_ESPINUDP: ESP IN UDP packet detected
> starting processing ESP packet
> klips_debug: ipsec_rcv_init(st=0,nxt=1)
> klips_debug:ipsec_rcv: <<< Info -- skb->dev=eth0 
> klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device eth0.
> klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:168 id:29249 frag_off:0 ttl:53 proto:50 (ESP) chk:43211 saddr:82.94.220.195 daddr:192.168.122.102
> klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
> klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
> klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
> ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=90 of SA:esp.32dc5cb6 at 192.168.122.102 requested.
> ipsec_sa_getbyid: no entries in ipsec_sa table for hash=90 of SA:esp.32dc5cb6 at 192.168.122.102.
> klips_debug:ipsec_rcv: no ipsec_sa for SA:esp.32dc5cb6 at 192.168.122.102: incoming packet with no SA dropped
> klips_debug:ipsec_rsm: processing completed due to IPSEC_RCV_SAIDNOTFOUND.
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
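The trace Paul posted shows two decisions the receiving side makes on a UDP/4500 datagram: the ESPinUDP hook first decides whether the payload is IKE (four-zero-byte non-ESP marker, printed as `0x0` in the trace) or ESP (first four bytes are the SPI), and KLIPS then looks the SPI up as an inbound SA and drops the packet with `IPSEC_RCV_SAIDNOTFOUND` when nothing matches. The following is an added example, not Openswan or KLIPS code, that models those two steps in Python. The demux rules are those of RFC 3948 (sections 2.2 and 2.3); the SA table, the local address and the three datagrams are constructed for the example, sized like the 480-byte and 148-byte payloads in the trace. It also shows why the trace prints `0xb65cdc32` for the packet that the SA table names `esp.32dc5cb6`: the decap hook prints the raw u32 in host (little-endian) order, while the SA name uses the network-order SPI.

```python
"""Added example (not Openswan/KLIPS code): UDP/4500 demux plus inbound SA lookup.

Demux rules follow RFC 3948 sections 2.2/2.3. The SA table, local address
and datagrams below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 2.3: one-byte NAT-T keepalive
ESP_MIN_LEN = 8                        # SPI (4) + sequence number (4)


@dataclass(frozen=True)
class Verdict:
    kind: str            # "ike", "keepalive", "esp" or "malformed"
    spi: Optional[int]   # SPI in network byte order for ESP, else None
    action: str          # what the receiver does with the datagram


def classify_udp4500(payload: bytes) -> Tuple[str, Optional[int]]:
    """Demux a UDP/4500 payload the way an ESPinUDP decap hook must.

    Order matters: keepalive and non-ESP-marker tests come first, because
    four zero bytes are not a legal ESP SPI (SPI 0 is reserved); only what
    remains is treated as ESP.
    """
    if payload == NAT_KEEPALIVE:
        return "keepalive", None
    if payload[:4] == NON_ESP_MARKER:
        return "ike", None
    if len(payload) < ESP_MIN_LEN:
        return "malformed", None
    spi = struct.unpack("!I", payload[:4])[0]  # network byte order
    return "esp", spi


def host_order_view(payload: bytes) -> int:
    """The first u32 as a little-endian host reads it, i.e. what the
    'UDP_ENCAP_ESPINUDP_NON_IKE: len=... 0x...' line prints on x86."""
    return struct.unpack("<I", payload[:4])[0]


def receive_udp4500(payload: bytes, dst: str,
                    inbound_sadb: Dict[Tuple[int, str], str]) -> Verdict:
    """Demux, then look the SPI up as an inbound SA (cf. ipsec_sa_getbyid).

    inbound_sadb maps (spi, local_address) -> SA name. An ESP packet whose
    SPI is unknown is dropped before any decryption, which is the
    IPSEC_RCV_SAIDNOTFOUND outcome in the trace.
    """
    kind, spi = classify_udp4500(payload)
    if kind == "ike":
        return Verdict(kind, None, "pass-to-ike-daemon")
    if kind == "keepalive":
        return Verdict(kind, None, "discard-silently")
    if kind == "malformed":
        return Verdict(kind, None, "drop-malformed")
    sa = inbound_sadb.get((spi, dst))
    if sa is None:
        return Verdict(kind, spi, "drop-no-sa")
    return Verdict(kind, spi, f"decrypt-with-{sa}")


# Constructed datagrams, sized like the two in the trace (480 and 148 bytes).
IKE_PKT = NON_ESP_MARKER + bytes(476)
ESP_PKT = bytes.fromhex("32dc5cb6") + struct.pack("!I", 1) + bytes(140)
KEEPALIVE_PKT = NAT_KEEPALIVE
LOCAL = "192.168.122.102"   # assumed local address, as in the trace

# The state the trace shows: the outbound SA exists, the inbound one does not.
SADB_MISSING_INBOUND = {(0x5F6580C8, "82.94.220.195"): "esp.5f6580c8@82.94.220.195"}
# The state after the inbound SA has been installed as well.
SADB_COMPLETE = {**SADB_MISSING_INBOUND,
                 (0x32DC5CB6, LOCAL): "esp.32dc5cb6@192.168.122.102"}


def run_trace() -> Dict[str, str]:
    """Replay the three datagram kinds against both SA tables."""
    return {
        "ike": receive_udp4500(IKE_PKT, LOCAL, SADB_MISSING_INBOUND).action,
        "keepalive": receive_udp4500(KEEPALIVE_PKT, LOCAL, SADB_MISSING_INBOUND).action,
        "esp-no-sa": receive_udp4500(ESP_PKT, LOCAL, SADB_MISSING_INBOUND).action,
        "esp-ok": receive_udp4500(ESP_PKT, LOCAL, SADB_COMPLETE).action,
    }


if __name__ == "__main__":
    print(f"trace prints 0x{host_order_view(ESP_PKT):x}, SA name uses "
          f"esp.{classify_udp4500(ESP_PKT)[1]:08x}")
    for name, action in run_trace().items():
        print(f"{name:10s} -> {action}")
```

When reading a KLIPS trace like the one above, the first check is whether the SPI named in the `no ipsec_sa for SA:esp.<spi>@<local>` line matches an SPI that `ipsec eroute`/`ipsec spi` show as installed for the local address; if it does not, the drop is an SA-installation or byte-order problem rather than a crypto or policy failure, and `inbound_policy_check` will not change the outcome.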
