[Openswan Users] Protocols being stripped
Eaton, Andy
Andy at seas.wustl.edu
Mon Feb 21 11:22:14 CET 2005
Hello all,
I have finally gotten OpenSWAN 2.3.0 up and connected to a Cisco 3030.
If I can figure out this last part, I will be extremely happy. When I
am finished, I will gladly put together an extensive how-to about how to
do this. There is quite a bit that has to happen on the Cisco side that is
undocumented as well. As soon as Cisco knows what you are doing: "That
is unsupported, sorry, we can't help."
Anyway, I am not sure who to contact about putting a link on OpenSWAN's
site when I am finished. On to the problem.
The problem that I am seeing is that the TCP port is being stripped out
of packets by the time they get back to the tunneled machine.
For example:
If I start a telnet on port 80 from 4.225 to 16.31 in the following
scenario, I see...
192.168.4.225 --> OpenSWAN/GW --> Cisco 3030 --> 172.16.16.31
Ethereal Dump from 4.225
Example to 16.31
192.168.4.225 172.16.16.31 TCP 4044 > http [SYN] Seq=0 Ack=0
Win=16384 Len=0 MSS=1460
172.16.16.31 192.168.4.225 TCP 1 > 4044 [SYN, ACK] Seq=0 Ack=1
Win=65535 Len=0 MSS=1460
192.168.4.225 172.16.16.31 TCP 4044 > 1 [RST] Seq=1
Ack=1889516043 Win=0 Len=0
192.168.4.225 172.16.16.31 TCP 4044 > http [SYN] Seq=0 Ack=0
Win=16384 Len=0 MSS=1460
172.16.16.31 192.168.4.225 TCP [TCP Dup ACK 1631#1] 1 > 4044
[ACK] Seq=1 Ack=1 Win=65535 Len=0
192.168.4.225 172.16.16.31 TCP 4044 > 1 [RST] Seq=1
Ack=1889516043 Win=0 Len=0
172.16.16.31 192.168.4.225 TCP 1 > 4044 [SYN, ACK] Seq=0 Ack=1
Win=65535 Len=0 MSS=1460
192.168.4.225 172.16.16.31 TCP 4044 > 1 [RST] Seq=1
Ack=1889516043 Win=0 Len=0
Ethereal dump from 4.225
Example to Google
192.168.4.225 216.109.118.68 TCP 4063 > http [SYN] Seq=0 Ack=0
Win=16384 Len=0 MSS=1460
216.109.118.68 192.168.4.225 TCP http > 4063 [SYN, ACK] Seq=0
Ack=1 Win=65535 Len=0 MSS=1460
192.168.4.225 216.109.118.68 TCP 4063 > http [ACK] Seq=1 Ack=1
Win=17520 Len=0
As you can see, in the first example, the port that is returned to
the initiator is port 1 and not http, whereas to Google it comes
back correctly.
If I take a tcpdump at my OpenSWAN edge, I see the following:
At Openswan/gw edge eth0
IP 24.107.189.229 > 128.252.21.15: ESP(spi=0x6311ab3b,seq=0x149)
IP 128.252.21.15 > 24.107.189.229: ESP(spi=0x9d28e7f2,seq=0x7b)
IP 172.16.16.31.80 > 192.168.4.225.4073: S 396238645:396238645(0) ack
848397758 win 65535 <mss 1460,nop,nop,sackOK>
IP 24.107.189.229 > 172.16.16.31: ESP(spi=0x6311ab3b,seq=0x14a)
IP 24.107.189.229 > 128.252.21.15: ESP(spi=0x6311ab3b,seq=0x14b)
IP 128.252.21.15 > 24.107.189.229: ESP(spi=0x9d28e7f2,seq=0x7c)
IP 172.16.16.31.80 > 192.168.4.225.4073: S 396238645:396238645(0) ack
848397758 win 65535 <mss 1460,nop,nop,sackOK>
IP 24.107.189.229 > 172.16.16.31: ESP(spi=0x6311ab3b,seq=0x14c)
IP 128.252.21.15 > 24.107.189.229: ESP(spi=0x9d28e7f2,seq=0x7d)
IP 172.16.16.31.80 > 192.168.4.225.4073: . ack 1 win 65535
IP 24.107.189.229 > 172.16.16.31: ESP(spi=0x6311ab3b,seq=0x14d)
The returned port is port 80 at eth0
I see the following as soon as it gets to vlan4:
At Openswan/gw Vlan4
IP 192.168.4.225.4089 > 172.16.16.31.80: S 419075865:419075865(0) win
16384 <mss 1460,nop,nop,sackOK>
IP 172.16.16.31.1 > 192.168.4.225.4089: S 2661280272:2661280272(0) ack
419075866 win 65535 <mss 1460,nop,nop,sackOK>
IP 192.168.4.225.4089 > 172.16.16.31.1: R 419075866:419075866(0) win 0
ethertype IPv4 (0x0800), length 62: IP 192.168.4.225.4089 >
172.16.16.31.80: S 419075865:419075865(0) win 16384 <mss
1460,nop,nop,sackOK>
IP 172.16.16.31.1 > 192.168.4.225.4089: . ack 1 win 65535
IP 192.168.4.225.4089 > 172.16.16.31.1: R 419075866:419075866(0) win 0
IP 172.16.16.31.1 > 192.168.4.225.4089: S 2661280272:2661280272(0) ack
419075866 win 65535 <mss 1460,nop,nop,sackOK>
IP 192.168.4.225.4089 > 172.16.16.31.1: R 419075866:419075866(0) win 0
Now the returned port is port 1 at vlan4.
It almost seems like a vlan issue.
Any help appreciated,
Thanks again,
Andrew Eaton
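As an added example (not part of Andy's post or of Openswan), a small Python parser that reads tcpdump lines like the ones above from the outer (eth0) and inner (vlan4) interfaces and reports when the server's source port on SYN-ACKs differs between them. The sample lines are the ones quoted in the post, joined onto single lines; the function names are my own.

```python
import re

# Sample tcpdump lines taken from the post (wrapped lines joined); constructed test input.
ETH0_LINES = [
    "IP 24.107.189.229 > 128.252.21.15: ESP(spi=0x6311ab3b,seq=0x149)",
    "IP 172.16.16.31.80 > 192.168.4.225.4073: S 396238645:396238645(0) ack 848397758 win 65535 <mss 1460,nop,nop,sackOK>",
    "IP 172.16.16.31.80 > 192.168.4.225.4073: . ack 1 win 65535",
]
VLAN4_LINES = [
    "IP 192.168.4.225.4089 > 172.16.16.31.80: S 419075865:419075865(0) win 16384 <mss 1460,nop,nop,sackOK>",
    "IP 172.16.16.31.1 > 192.168.4.225.4089: S 2661280272:2661280272(0) ack 419075866 win 65535 <mss 1460,nop,nop,sackOK>",
    "IP 192.168.4.225.4089 > 172.16.16.31.1: R 419075866:419075866(0) win 0",
]

# Matches "IP a.b.c.d.PORT > e.f.g.h.PORT: FLAGS ..." as printed by tcpdump for TCP.
TCP_RE = re.compile(
    r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")


def parse_tcp(line):
    """Return the TCP 4-tuple and flag field of a tcpdump line, or None for non-TCP (e.g. ESP)."""
    m = TCP_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)), "flags": m.group(5)}


def synack_ports(lines):
    """Map (server_ip, client_ip) -> set of server source ports seen on SYN-ACK packets."""
    ports = {}
    for line in lines:
        p = parse_tcp(line)
        # A SYN-ACK prints as flag "S" followed by "ack <n>"; a plain SYN has no "ack".
        if p and p["flags"] == "S" and " ack " in line:
            ports.setdefault((p["src"], p["dst"]), set()).add(p["sport"])
    return ports


def find_port_rewrites(outer_lines, inner_lines):
    """Return (server, client, outer_ports, inner_ports) for every peer pair whose
    SYN-ACK source port changed between the two captures. Flows are matched by
    address pair, since each attempt in the post uses a fresh client port."""
    outer, inner = synack_ports(outer_lines), synack_ports(inner_lines)
    findings = []
    for key, outer_ports in outer.items():
        inner_ports = inner.get(key, set())
        if inner_ports and inner_ports != outer_ports:
            findings.append((key[0], key[1], sorted(outer_ports), sorted(inner_ports)))
    return findings


if __name__ == "__main__":
    for server, client, before, after in find_port_rewrites(ETH0_LINES, VLAN4_LINES):
        print(f"{server} -> {client}: SYN-ACK source port {before} at eth0, {after} at vlan4")
```

Run against live captures by feeding each interface's `tcpdump -n` output into the two lists; a non-empty result pinpoints the hop where the port changes.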