[Openswan Users] Possible bug?
Jochen Witte
jwitte at alpha-lab.net
Sat Feb 26 10:10:20 CET 2005
Hello,
I experienced some latencies in a VPN, which is configured like this:

                                  Internet
                                     |
10.128.0.0/24 <---> LEFTGW <---> LEFTEXTFW <---> RIGHTGW <---> 10.49.0.0/20
               (OpenSWAN 2.1.5)                  (FreeSWAN)
               (Kernel 2.6.10)                   (Kernel 2.4.?)

Sometimes TCP connections do not come up at all. Ping works well.
The problem arises when trying to connect with e.g. ssh from the LEFT subnet
to the RIGHT subnet. Both ends masquerade their subnets.
This is my config:
---snip---
conn LEFT-RIGHT
        type=tunnel
        authby=rsasig
        keyexchange=ike
        keyingtries=1
        left=LEFTGW
        leftsubnet=10.128.0.0/24
        leftnexthop=EXTFW
        leftid=@my_id
        leftrsasigkey=.....
        # 10.49.0.0, netmask 255.255.248.0
        right=RIGHTGW
        rightsubnet=10.49.0.0/20
        rightnexthop=next hop of RIGHTGW
        rightid=@their_id
        rightrsasigkey=.....
        auto=start
---snip---
Now for the strange part: I try to connect with ssh from 10.128.0.23 (left
subnet) to 10.49.2.2 (right subnet) and this is what I see on my LEFTEXTFW (!!!!!!!)
---snip---
[root at LEFTEXTFW root]# tcpdump -i eth1 host 10.49.2.2
tcpdump: listening on eth1
09:43:07.891168 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x41) (DF)
09:43:08.125144 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x42) (DF)
09:43:08.605192 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x43) (DF)
09:43:09.565159 LEFTGW > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x44) (DF)
---snip---
Wooo. What do these packages have to do here? They will get dropped,
since 10.49.0.0 is not routable in the internet. Here is what
happens on LEFTGW (external interface):
---snip---
[root at LEFTGW ~]# tethereal -i eth1 host 10.49.2.2
Capturing on eth1
0.000000 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=65583238 TSER=388064315 WS=0
0.032785 10.49.2.2 -> 10.128.0.23 SSH Server Protocol: SSH-2.0-OpenSSH_3.5p1
0.033218 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
0.263878 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
0.264241 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
0.743811 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
0.744178 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
1.703859 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
1.704258 LEFTGW -> 10.49.2.2 ESP ESP (SPI=0xc21dfd10)
3.623836 10.49.2.2 -> 10.128.0.23 SSH [TCP Retransmission] Encrypted response packet len=22
3.653833 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=23 Ack=25 Win=5792 Len=0 TSV=65583604 TSER=388064681
3.663339 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=544
3.722869 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=567 Ack=657 Win=6952 Len=0 TSV=65583611 TSER=388064683
3.752842 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=567 Ack=681 Win=6952 Len=0 TSV=65583614 TSER=388064690
3.765224 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=424
3.872798 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=991 Ack=1097 Win=8216 Len=0 TSV=65583626 TSER=388064698
3.924459 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=736
4.046790 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=1727 Ack=1113 Win=8216 Len=0 TSV=65583643 TSER=388064720
4.073906 10.49.2.2 -> 10.128.0.23 TCP ssh > 50372 [ACK] Seq=1727 Ack=1161 Win=8216 Len=0 TSV=65583646 TSER=388064723
4.076855 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=48
4.115941 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=80
4.148844 10.49.2.2 -> 10.128.0.23 SSH Encrypted response packet len=80
---snip---
Lines 3, 5, 7 and 9 show the packages you can see in the sniff on the LEFTEXTFW.
My conclusion: SOME (!) of my packages are not sent over the tunnel, but
LEFTGW uses ESP and routes the particular packages directly instead. I
assume this is a bug, or have I got something wrong?
Here is setkey -D:
---snip---
RIGHTGW LEFTGW
        esp mode=tunnel spi=1987264469(0x76733fd5) reqid=16385(0x00004001)
        E: 3des-cbc ...
        A: hmac-md5 ...
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Feb 26 08:15:35 2005   current: Feb 26 08:58:23 2005
        diff: 2568(s)   hard: 0(s)      soft: 0(s)
        last: Feb 26 08:41:29 2005      hard: 0(s)      soft: 0(s)
        current: 14316(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 104  hard: 0 soft: 0
        sadb_seq=1 pid=761 refcnt=0
LEFTGW RIGHTGW
        esp mode=tunnel spi=3256745232(0xc21dfd10) reqid=16385(0x00004001)
        E: 3des-cbc ...
        A: hmac-md5 ...
        seq=0x00000000 replay=64 flags=0x00000000 state=mature
        created: Feb 26 08:15:35 2005   current: Feb 26 08:58:23 2005
        diff: 2568(s)   hard: 0(s)      soft: 0(s)
        last: Feb 26 08:41:29 2005      hard: 0(s)      soft: 0(s)
        current: 18904(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 121  hard: 0 soft: 0
        sadb_seq=0 pid=761 refcnt=0
---snip---
The "bad" packages use the second SPI, which is wrong, since we are in
tunnel mode.
Any help is greatly appreciated!
Jochen
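As an added diagnostic, not part of the post above and not Openswan code: the script below cross-checks tcpdump ESP summary lines against the SAD printed by `setkey -D`. For every ESP packet it looks up the SPI in the SAD and reports packets whose outer destination is not the SA's peer gateway, noting when that destination falls inside the protected remote subnet (the symptom seen on LEFTEXTFW, where 10.49.2.2 appears as the outer destination). The sample SAD and capture text are constructed from the shape of the post's output; the gateway names LEFTGW and RIGHTGW are stood in for by the documentation-range addresses 192.0.2.10 and 198.51.100.20, which is an assumption since the post does not give the real addresses.

```python
"""Cross-check ESP packets captured outside a gateway against the IPsec SAD.

Added example, not from the post or from Openswan. LEFTGW = 192.0.2.10 and
RIGHTGW = 198.51.100.20 are constructed stand-ins for the real gateways.
"""
import ipaddress
import re

# Constructed `setkey -D` excerpt with the two ESP SAs from the post.
SAMPLE_SAD = """\
198.51.100.20 192.0.2.10
\tesp mode=tunnel spi=1987264469(0x76733fd5) reqid=16385(0x00004001)
\tE: 3des-cbc ...
\tA: hmac-md5 ...
192.0.2.10 198.51.100.20
\tesp mode=tunnel spi=3256745232(0xc21dfd10) reqid=16385(0x00004001)
\tE: 3des-cbc ...
\tA: hmac-md5 ...
"""

# Constructed capture: three lines mirror the post's LEFTEXTFW sniff (ESP with
# the inner host 10.49.2.2 as outer destination); two well-formed packets to
# the peer gateway are added for contrast.
SAMPLE_CAPTURE = """\
09:43:07.891168 192.0.2.10 > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x41) (DF)
09:43:08.125144 192.0.2.10 > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x42) (DF)
09:43:08.605192 192.0.2.10 > 198.51.100.20: ESP(spi=0xc21dfd10,seq=0x43) (DF)
09:43:09.565159 192.0.2.10 > 10.49.2.2: ESP(spi=0xc21dfd10,seq=0x44) (DF)
09:43:09.600000 192.0.2.10 > 198.51.100.20: ESP(spi=0xc21dfd10,seq=0x45) (DF)
"""

SAD_ESP = re.compile(r"^\s*esp\s+mode=(?P<mode>\w+)\s+spi=\d+\((?P<spi>0x[0-9a-fA-F]+)\)")
ESP_PKT = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_sad(text):
    """Map SPI (int) -> (src, dst, mode) for each ESP entry in `setkey -D` output."""
    sad = {}
    pending = None
    for line in text.splitlines():
        parts = line.split()
        # An SA block starts with an unindented "src dst" line.
        if len(parts) == 2 and not line[:1].isspace() and all(map(_is_ip, parts)):
            pending = (parts[0], parts[1])
            continue
        m = SAD_ESP.match(line)
        if m and pending is not None:
            sad[int(m.group("spi"), 16)] = (pending[0], pending[1], m.group("mode"))
            pending = None
    return sad


def parse_capture(text):
    """Extract ts/src/dst/spi/seq from tcpdump ESP summary lines; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = ESP_PKT.match(line)
        if m:
            d = m.groupdict()
            d["spi"] = int(d["spi"], 16)
            packets.append(d)
    return packets


def audit_esp(capture_text, sad_text, protected_subnet):
    """Return (seq, outer_dst, reason) for ESP packets that do not fit the SAD.

    A tunnel-mode ESP packet must carry the SA's peer gateway as its outer
    destination; an outer destination inside the protected remote subnet means
    the encapsulated packet was routed as if it were the inner packet.
    """
    sad = parse_sad(sad_text)
    net = ipaddress.ip_network(protected_subnet)
    findings = []
    for pkt in parse_capture(capture_text):
        sa = sad.get(pkt["spi"])
        if sa is None:
            findings.append((pkt["seq"], pkt["dst"], "SPI not present in SAD"))
            continue
        if pkt["dst"] != sa[1]:
            reason = f"outer dst is not SA peer {sa[1]}"
            if _is_ip(pkt["dst"]) and ipaddress.ip_address(pkt["dst"]) in net:
                reason += f" (inside protected subnet {net})"
            findings.append((pkt["seq"], pkt["dst"], reason))
    return findings


if __name__ == "__main__":
    for seq, dst, reason in audit_esp(SAMPLE_CAPTURE, SAMPLE_SAD, "10.49.0.0/20"):
        print(f"seq={seq} dst={dst}: {reason}")
```

Run against a live capture by piping `tcpdump -n -i eth1 esp` output and `setkey -D` output into `audit_esp`; with `-n` tcpdump prints addresses rather than names, which is what the parser expects. Any finding that names the protected subnet points at the encapsulation/routing step on the gateway rather than at the peer, since the SPI already identifies the correct outbound SA.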