RV: [Openswan Users] RE: My ipsec0 device drops nat-t packets
Ivan Lopez
ilopez at enress.gov.ar
Mon Mar 14 10:35:14 CET 2005
Hi:
Thanks for your reply, Mario. Unfortunately these patches don't apply to 2.4.26 with the 26sec backport (at least for me). I spent my last weekend trying to apply these patches to a series of kernels (2.4.26 from Debian (it was my fault because pom-ng doesn't apply to Debian kernels >= 2.4.20), 2.6.10 from Debian and vanilla) without any luck. Finally I downloaded the 2.6.9 vanilla kernel and the ipsec-0* patches for that kernel (which are attached to a mail in the netfilter mailing list, anywhere else???) and I applied the policy patch from pom-ng. Then I configured the kernel and (thank God!) it seems to work OK. My roadwarrior behind NAT using IPSEC/L2TPD works.
For my rules, I've followed a discussion in the netfilter mailing list
http://lists.openswan.org/pipermail/users/2004-June/thread.html#1209
"Tunnels come up, but not all traffic goes through"
I'm marking the encrypted packets when they arrive (mangle PREROUTING) and then assuming all marked packets are coming from ipsec (just as if they were coming from an ipsec* interface).
I'm now trying to DNAT l2tp packets and thus use listen_addr in l2tpd.conf as Jacco advises. Maybe Jacco already has experience with it. When I finish my rules I'll send them to you and we'll be able to talk about them.
I'm a newbie in ipsec and I'm sorry if this question was solved before. Here is one:
I have only roadwarriors. They start the connections. Shall I bring up the rules that manage "marked" packets when the first connection goes up? Or is it relatively safe to bring them up when ipsec starts and there are no connections at all? There aren't any associations at that moment; I think the kernel rejects unencrypted packets. Is this right?
Cheers.
Ivan
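
The marking approach described in the message above, written out as an iptables-restore ruleset (an added example, not the rules Ivan or Mario actually used). It assumes the patched kernel keeps the packet mark across decapsulation, as the message reports; the interface `eth0`, the mark value `0x1` and the function name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_IF and IPSEC_MARK are assumed
# values; adjust them to the gateway being configured.
WAN_IF="${WAN_IF:-eth0}"
IPSEC_MARK="${IPSEC_MARK:-0x1}"

# Print an iptables-restore ruleset that marks packets while they are still
# encrypted and, on the second (plain) pass through the hooks, accepts L2TP
# only when the mark is present.
gen_l2tp_ipsec_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Encrypted arrival: plain ESP (no NAT) or ESP-in-UDP on 4500 (NAT-T).
-A PREROUTING -i $WAN_IF -p esp -j MARK --set-mark $IPSEC_MARK
-A PREROUTING -i $WAN_IF -p udp --dport 4500 -j MARK --set-mark $IPSEC_MARK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# First pass (encrypted): IKE, NAT-T and ESP must reach the IPsec stack.
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
# Second pass (plain): L2TP is accepted only if it still carries the mark,
-A INPUT -i $WAN_IF -p udp --dport 1701 -m mark --mark $IPSEC_MARK -j ACCEPT
# so cleartext L2TP sent straight to the public address is dropped.
-A INPUT -i $WAN_IF -p udp --dport 1701 -j DROP
COMMIT
EOF
}

# Default: print the rules for review. With --apply they are loaded, which
# flushes and replaces the mangle and filter tables named in the ruleset.
if [ "${1:-}" = "--apply" ]; then
    gen_l2tp_ipsec_rules | iptables-restore
else
    gen_l2tp_ipsec_rules
fi
```

Only the IPsec and L2TP rules are shown, so management access has to be merged in before loading with `--apply`. None of the rules refers to an established SA.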
-----Original Message-----
From: mario.lobo at ipad.com.br [mailto:mario.lobo at ipad.com.br]
Sent: Thursday, March 10, 2005 15:31
To: Ivan Lopez
Subject: Re: RV: [Openswan Users] RE: My ipsec0 device drops nat-t packets
Hi Ivan;
> The question is: Can you give some URL where I can see how a packet
> traverses the iptables chains and where 26sec works?
Using netfilter patches from www.netfilter.org, here is the info:
---------------------------------------------------------------------------------------
[NETFILTER+IPSEC 1/4]
This patch adds new output hooks for IPsec. Packets traverse the hooks like this:
1. -> (plain) FORWARD -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTING
2. -> (plain) LOCAL_OUT -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTING
Author: Patrick McHardy <kaber at trash.net>
Status: Testing, should be fine
[NETFILTER+IPSEC 2/4]
This patch makes packets decapsulated by IPsec traverse the netfilter input hooks again. Packets traverse the hooks like this:
1. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> LOCAL_IN
2. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> FORWARD
Author: Patrick McHardy <kaber at trash.net>
Status: Testing
[NETFILTER+IPSEC 3/4]
This patch adds policy lookups to ip_route_me_harder and makes NAT reroute for any change that affects route/policy in LOCAL_OUT and POST_ROUTING.
Author: Patrick McHardy <kaber at trash.net>
Status: Testing
[NETFILTER+IPSEC 4/4]
This patch makes xfrm_policy_check locate the correct policy after NAT.
---------------------------------------------------------------------------------------
> I've read some posts
> in this mailing list and some pdf from xelerance and I started to
> build my packet filter rules from these.
Could you send those to me or show me the url? I really need to build my rules too. All my attempts with KLIPS ( ipsecN ) so far have failed.
Thanks,
--
//| //||
// | // ||
-//--//---|| ARIO LOBO
// // ||
---------------------------------
mario.lobo at ipad.com.br
http://www.ipad.com.br
On 10 Mar 2005 at 12:27, Ivan Lopez wrote:
> Problem solved. It was only a kernel problem, not an openswan problem.
> I'm using the Debian 2.4.26 kernel with the 26sec backport now and it seems
> to work very well. But, of course, I don't have an ipsec0 interface anymore.
> The question is: Can you give some URL where I can see how a packet
> traverses the iptables chains and where 26sec works? I've read some posts
> in this mailing list and some pdf from xelerance and I started to
> build my packet filter rules from these, but I'd like to know a bit
> more. Best Regards. Ivan
>
>
> -----Original Message-----
> From: Ing. Ivan Lopez [mailto:ivan_n_lopez at hotmail.com]
> Sent: Saturday, March 05, 2005 13:50
> To: users at openswan.org
> Subject: [Openswan Users] RE: My ipsec0 device drops nat-t packets
>
>
> Hi people:
> Thanks for your answer. Unfortunately it still doesn't work. I was
> trying a lot of things without luck. It works fine when I connect my
> roadwarrior (w2k with NAT-T patch) to the Internet from a dialed
> connection (I had a public IP in that case). But it doesn't work for my
> cablemodem (private IP in that case).
>
> My ipsec config follows:
> ipsec.conf:
> ----------
> # basic configuration
>
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     uniqueids=yes
>     nat_traversal=yes
>     overridemtu=1300
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/1
>
> # Connections
>
> # PC Wxp omalvasio L2TP/IPSEC
>
> conn L2TP-BFAMA
>     #type=transport
>     authby=rsasig
>     pfs=no
>     # Left-side gateway (bfama)
>     left=45.45.45.45
>     leftnexthop=45.45.45.1
>     leftid=....
>     leftprotoport=17/0
>     #
>     # Right side: Omalvasio's PC
>     #
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rightid=....
>     rightrsasigkey=%cert
>     rightnexthop=%defaultroute
>     rightprotoport=17/1701
>     # Authorize the connection, but do not initiate it
>     auto=add
>
> conn L2TP-BFAMA-old
>     #type=transport
>     authby=rsasig
>     pfs=no
>     # Left-side gateway (bfama)
>     left=45.45.45.45
>     leftnexthop=45.45.45.1
>     leftid="..."
>     leftcert=openswan-cert.pem
>     leftprotoport=17/1701
>     #
>     # Right side: Omalvasio's PC
>     #
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     rightid="...."
>     rightrsasigkey=%cert
>     rightnexthop=%defaultroute
>     rightprotoport=17/1701
>     # Authorize the connection, but do not initiate it
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> I can't view any logs from l2tpd (when the roadwarrior is behind NAT)
> because I think l2tpd never got any packet. The ipsec0 interface drops everything. In the klips debug I noticed there are messages saying "Mar 5 11:06:47 bfama
> kernel: klips_debug:ipsec_rcv: SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy." What are those?
>
> Here is a piece of klips debug:
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process:
> ips_said.dst set to 200.68.215.117.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 24 0pcd7e1f10 with processor 0pc0302570.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process:
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: found
> address family=2, AF_INET, 255.255.255.255.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process: found
> dst mask address.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute
> struct already allocated
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_parse:
> extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/32:1701
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 26 0pcd7e1f28 with processor 0pc02fc6e0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_protocol_process:
> c7e21e00
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_protocol_process:
> protocol = 17.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message type 14(x-addflow(eroute)) with msg_parser 0pc0300560.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse: .
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse:
> calling breakeroute and/or makeroute for
> 45.45.45.45/32->200.68.215.117/32
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse:
> calling makeroute.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: attempting
> to allocate 192 bytes to insert eroute for 45.45.45.45/32->200.68.215.117/32,
> SA: esp.ee3ab5c6 at 200.68.215.117, PID:2855, skb=0p00000000, ident:NULL->NULL
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute:
> 141a1000c82dadf3c844d775110006a506a50000 /
> 141aff00ffffffffffffffffff00ffffffff0000
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: calling
> rj_addroute now
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: pid=02855
> count= 0 lasttime= 0 45.45.45.45/32 -> 200.68.215.117/32 =>
> esp.ee3ab5c6 at 200.68.215.117
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_makeroute: succeeded.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_x_addflow_parse:
> makeroute call successful.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build:
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_entry
> &pfkey_ext=0pc7e21b7c pfkey_ext=0pc7e21cdc *pfkey_ext=0p00000000.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_exit
> &pfkey_ext=0pc7e21b7c pfkey_ext=0pc7e21cdc *pfkey_ext=0pc3d2de20.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_sa_build: spi=ee3ab5c6
> replay=0 sa_state=0 auth=0 encrypt=0 flags=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=5 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=45.45.45.45:1701.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=6 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=200.68.215.117:1701.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=21 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=45.45.45.45:0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=22 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=200.68.215.117:0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=23 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=255.255.255.255:0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> exttype=24 proto=0 prefixlen=0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build: found
> address=255.255.255.255:0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:184 id:25220 frag_off:0 ttl:114 proto:17 (UDP) chk:53205
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt
> without Non-ESP - spi=0x8e1d5296
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes
> from ESPinUDP packet
>
> Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25220 frag_off:0 ttl:114 proto:50 chk:53205
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
> skb->dev=eth0 dev=eth0
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: assigning packet
> ownership to virtual device ipsec0 from physical device eth0.
>
> Mar 5 11:06:47 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25220 frag_off:0 ttl:114 proto:50 chk:53205
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap
> (50) from 200.68.215.117 -> 45.45.45.45
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_sa_getbyid: linked
> entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45
> requested.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with
> expected SA source address policy.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 First SA in group.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
> tdbp->ips_natt_type=0 : bad
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.
>
> Mar 5 11:06:47 bfama kernel: klips_debug:ipsec_rcv: decap_once failed:
> -12
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:184 id:25229 frag_off:0 ttl:114 proto:17 (UDP) chk:53196
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt
> without Non-ESP - spi=0x8e1d5296
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes
> from ESPinUDP packet
>
> Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25229 frag_off:0 ttl:114 proto:50 chk:53196
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
> skb->dev=eth0 dev=eth0
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: assigning packet
> ownership to virtual device ipsec0 from physical device eth0.
>
> Mar 5 11:06:48 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25229 frag_off:0 ttl:114 proto:50 chk:53196
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap
> (50) from 200.68.215.117 -> 45.45.45.45
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_sa_getbyid: linked
> entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45
> requested.
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with
> expected SA source address policy.
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 First SA in group.
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
> tdbp->ips_natt_type=0 : bad
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.
>
> Mar 5 11:06:48 bfama kernel: klips_debug:ipsec_rcv: decap_once failed:
> -12
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:184 id:25251 frag_off:0 ttl:114 proto:17 (UDP) chk:53174
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt
> without Non-ESP - spi=0x8e1d5296
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes
> from ESPinUDP packet
>
> Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25251 frag_off:0 ttl:114 proto:50 chk:53174
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
> skb->dev=eth0 dev=eth0
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: assigning packet
> ownership to virtual device ipsec0 from physical device eth0.
>
> Mar 5 11:06:50 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25251 frag_off:0 ttl:114 proto:50 chk:53174
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap
> (50) from 200.68.215.117 -> 45.45.45.45
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_sa_getbyid: linked
> entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45
> requested.
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with
> expected SA source address policy.
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 First SA in group.
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
> tdbp->ips_natt_type=0 : bad
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.
>
> Mar 5 11:06:50 bfama kernel: klips_debug:ipsec_rcv: decap_once failed:
> -12
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:184 id:25274 frag_off:0 ttl:114 proto:17 (UDP) chk:53151
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: ESPinUDP pkt
> without Non-ESP - spi=0x8e1d5296
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: removing 8 bytes
> from ESPinUDP packet
>
> Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25274 frag_off:0 ttl:114 proto:50 chk:53151
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: <<< Info --
> skb->dev=eth0 dev=eth0
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: assigning packet
> ownership to virtual device ipsec0 from physical device eth0.
>
> Mar 5 11:06:54 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:176 id:25274 frag_off:0 ttl:114 proto:50 chk:53151
> saddr:200.68.215.117 daddr:45.45.45.45
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv_decap_once: decap
> (50) from 200.68.215.117 -> 45.45.45.45
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_sa_getbyid: linked
> entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45
> requested.
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45, src=200.68.215.117 of pkt agrees with
> expected SA source address policy.
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 First SA in group.
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: natt_type=2
> tdbp->ips_natt_type=0 : bad
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv:
> SA:esp.8e1d5296 at 45.45.45.45 does not agree with expected NAT-T policy.
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.
>
> Mar 5 11:06:54 bfama kernel: klips_debug:ipsec_rcv: decap_once failed:
> -12
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:07:02 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:100 id:25277 frag_off:0 ttl:114 proto:17 (UDP) chk:53232
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: IKE packet - not
> handled here
>
> Mar 5 11:07:02 bfama kernel: IP12_drop_LCL2VPN:01 IN= OUT=ipsec0
> SRC=45.45.45.45 DST=200.68.215.117 LEN=100 TOS=0x00 PREC=0x00 TTL=64
> ID=2119 DF PROTO=UDP SPT=4500 DPT=11364 LEN=80
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:07:02 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:116 id:25278 frag_off:0 ttl:114 proto:17 (UDP) chk:53215
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_rcv: IKE packet - not
> handled here
>
> Mar 5 11:07:02 bfama kernel: debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=6 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=0.0.0.0:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=21 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=45.45.45.45:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=22 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=200.68.215.117:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=23 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=255.255.255.255:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=24 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=255.255.255.255:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build:
> pfkey_msg=0pc2fb46f0 allocated 184 bytes, &(extensions[0])=0pc7e21cdc
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[1] (type=1)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[5] (type=5)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[6] (type=6)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[21] (type=21)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[22] (type=22)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[23] (type=23)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[24] (type=24)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions
> permitted=05e00063, seen=01e00063, required=01e00043.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 184
> bytes...
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at
> 0pc3054210.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_addflow_parse:
> sending up x_addflow reply message for satype=11(INT) (proto=61) to
> socket=0pc3b409d0 succeeded.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_addflow_parse:
> extr->ips cleaned up and freed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing
> SA=%%trap(0pc55bdc00), SAref=175, table=0(0pce804000), entry=175 from
> the refTable.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:%%trap, ref:-1 reference count decremented.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 88
> bytes for downward message.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for
> parsing.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message ver=2, type=4, errno=0, satype=3(ESP), len=11, res=0, seq=16,
> pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref
> requested... head=176, cont=256, tail=255, listsize=256.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating
> SAref=176, table=0, entry=176 of 65536.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528
> bytes for ipsec_sa struct=0pc55bdc00 ref=176.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
> extr->ips=0pc55bdc00.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: satype 3
> lookups to proto=50.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing
> message ver=2, type=4(delete), errno=0, satype=3(ESP), len=11, res=0,
> seq=16, pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: satype
> 3(ESP) conversion to proto gives 50 for msg_type 4(delete).
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions
> permitted=00000063, required=00000063.
>
> Mar 5 11:07:02 bfama kernel: kl>klips_debug:pfkey_msg_build: copying
> 24 bytes from extensions[1] (type=1)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[5] (type=5)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[6] (type=6)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions
> permitted=00000063, seen=00000063, required=00000063.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 88
> bytes...
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at
> 0pc3054210.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: sending
> up delete reply message for satype=3(ESP) to socket=0pc3b409d0
> succeeded.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing
> SA=esp.ee3ab5c6 at 200.68.215.117(0pc55bdc00), SAref=176,
> table=0(0pce804000), entry=176 from the refTable.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.ee3ab5c6 at 200.68.215.117, ref:-1 reference count decremented.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 88
> bytes for downward message.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for
> parsing.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message ver=2, type=4, errno=0, satype=3(ESP), len=11, res=0, seq=17,
> pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref
> requested... head=177, cont=256, tail=255, listsize=256.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating
> SAref=177, table=0, entry=177 of 65536.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528
> bytes for ipsec_sa struct=0pc55bdc00 ref=177.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
> extr->ips=0pc55bdc00.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: satype 3
> lookups to proto=50.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing
> message ver=2, type=4(delete), errno=0, satype=3(ESP), len=11, res=0,
> seq=17, pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: satype
> 3(ESP) conversion to proto gives 50 for msg_type 4(delete).
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions
> permitted=00000063, required=00000063.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=1(security-association) remain=9.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=9
> ext_type=1(security-association) ext_len=3 parsing ext 0pcd865c70 with
> parser pfkey_sa_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_parse: successfully
> found len=3 exttype=1(security-association) spi=8e1d5296 replay=0
> state=1 auth=0 encrypt=0 flags=0 ref=-1.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 1(security-association) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=5(source-address) remain=6.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=6
> ext_type=5(source-address) ext_len=3 parsing ext 0pcd865c88 with
> parser pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=5(source-address) family=2(AF_INET) address=200.68.215.117
> proto=0 port=1701.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 5(source-address) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=6(destination-address) remain=3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=3
> ext_type=6(destination-address) ext_len=3 parsing ext 0pcd865ca0 with
> parser pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=6(destination-address) family=2(AF_INET) address=45.45.45.45
> proto=0 port=1701.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 6(destination-address) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions
> permitted=00000063, seen=00000063, required=00000063.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 1 0pcd865c70 with processor 0pc0302240.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_process: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug: ipsec_alg_sa_init()
> :entering for encalg=0, authalg=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 5 0pcd865c88 with processor 0pc0302570.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> address family=2, AF_INET, 200.68.215.117.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> src address.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> allocating 16 bytes for saddr.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 6 0pcd865ca0 with processor 0pc0302570.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> address family=2, AF_INET, 45.45.45.45.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> dst address.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> allocating 16 bytes for saddr.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> ips_said.dst set to 45.45.45.45.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message type 4(delete) with msg_parser 0pc02fe9f0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_getbyid: linked
> entry in ipsec_sa table for hash=179 of SA:esp.8e1d5296 at 45.45.45.45
> requested.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:172 reference count decremented.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_delchain: passed
> SA:esp.8e1d5296 at 45.45.45.45
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_delchain: unlinking
> and delting SA:esp.8e1d5296 at 45.45.45.45<6>.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_del: deleting
> SA:esp.8e1d5296 at 45.45.45.45, hashval=179.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_del: successfully
> deleted first ipsec_sa in chain.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing
> SA=esp.8e1d5296 at 45.45.45.45(0pcdf09c00), SAref=172,
> table=0(0pce804000), entry=172 from the refTable.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:-1 reference count decremented.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build:
> pfkey_msg=0pc1c1ccb0 allocated 88 bytes, &(extensions[0])=0pc7e21cec
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[1] (type=1)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[5] (type=5)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: copying 24
> bytes from extensions[6] (type=6)
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_build: extensions
> permitted=00000063, seen=00000063, required=00000063.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: allocating 88
> bytes...
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_upmsg: ...allocated at
> 0pc3054210.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_delete_parse: sending
> up delete reply message for satype=3(ESP) to socket=0pc3b409d0
> succeeded.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_wipe: removing
> SA=esp.8e1d5296 at 45.45.45.45(0pc55bdc00), SAref=177,
> table=0(0pce804000), entry=177 from the refTable.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_put: ipsec_sa
> SA:esp.8e1d5296 at 45.45.45.45, ref:-1 reference count decremented.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: allocating 120
> bytes for downward message.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sendmsg: msg sent for
> parsing.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message ver=2, type=15, errno=0, satype=11(INT), len=15, res=0,
> seq=18, pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: SAref
> requested... head=178, cont=256, tail=255, listsize=256.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_SAref_alloc: allocating
> SAref=178, table=0, entry=178 of 65536.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_alloc: allocated 528
> bytes for ipsec_sa struct=0pcdf09c00 ref=178.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: allocated
> extr->ips=0pcdf09c00.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing
> message ver=2, type=15(x-delflow(eroute)), errno=0, satype=11(INT),
> len=15, res=0, seq=18, pid=2855.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=13
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: extensions
> permitted=05e00c03, required=00000001.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=21(X-source-flow-address) remain=13.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=13
> ext_type=21(X-source-flow-address) ext_len=3 parsing ext 0pc1c1ccc0
> with parser pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=21(X-source-flow-address) family=2(AF_INET)
> address=45.45.45.45 proto=0 port=1701.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 21(X-source-flow-address) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=22(X-dest-flow-address) remain=10.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=10
> ext_type=22(X-dest-flow-address) ext_len=3 parsing ext 0pc1c1ccd8 with
> parser pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=22(X-dest-flow-address) family=2(AF_INET)
> address=200.68.215.117 proto=0 port=1701.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 22(X-dest-flow-address) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=23(X-source-mask) remain=7.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=7
> ext_type=23(X-source-mask) ext_len=3 parsing ext 0pc1c1ccf0 with
> parser pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=23(X-source-mask) family=2(AF_INET) address=255.255.255.255
> proto=0 port=65535.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 23(X-source-mask) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: parsing ext
> type=24(X-dest-mask) remain=4.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: remain=4
> ext_type=24(X-dest-mask) ext_len=3 parsing ext 0pc1c1cd08 with parser
> pfkey_address_parse.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse: found
> exttype=24(X-dest-mask) family=2(AF_INET) address=255.255.255.255
> proto=0 port=65535.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_parse: Extension
> 24(X-dest-mask) parsed.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> address family=2, AF_INET, 255.255.255.255.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> src mask address.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute
> struct already allocated
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/0:1701
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 24 0pc1c1cd08 with processor 0pc0302570.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> address family=2, AF_INET, 255.255.255.255.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process: found
> dst mask address.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_alloc_eroute: eroute
> struct already allocated
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_parse:
> extr->eroute set to 45.45.45.45/32:1701->200.68.215.117/32:1701
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_process:
> successful.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: processing
> ext 26 0pc1c1cd20 with processor 0pc02fc6e0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_protocol_process:
> c7e21e00
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_protocol_process:
> protocol = 17.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_interp: parsing
> message type 15(x-delflow(eroute)) with msg_parser 0pc0300d30.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_delflow_parse: .
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_x_delflow_parse:
> calling breakeroute for 45.45.45.45/32->200.68.215.117/32
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_breakroute: attempting
> to delete eroute for 45.45.45.45/32:1701->200.68.215.117/32:1701 17
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_breakroute: deleted
> eroute=0pcd7e1b70, ident=0p00000000->0p00000000, first=0p00000000,
> last=0p00000000
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build:
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_entry
> &pfkey_ext=0pc7e21c00 pfkey_ext=0pc7e21cdc *pfkey_ext=0p00000000.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_msg_hdr_build: on_exit
> &pfkey_ext=0pc7e21c00 pfkey_ext=0pc7e21cdc *pfkey_ext=0pc06f2e60.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_sa_build: spi=00000000
> replay=0 sa_state=0 auth=0 encrypt=0 flags=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=21 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=45.45.45.45:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=22 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address=200.68.215.117:0.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> successful created len: 3.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build: error=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_safe_build:success.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build:
> exttype=23 proto=0 prefixlen=0
>
> Mar 5 11:07:02 bfama kernel: klips_debug:pfkey_address_build: found
> address family AF_INET.
>
> Mar 5 11:07:05 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:07:05 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:29 id:25299 frag_off:0 ttl:114 proto:17 (UDP) chk:53281
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:07:05 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from
> 200.68.215.117.
>
> Mar 5 11:07:18 bfama kernel: klips_debug:@ flags = 6 @key=0pcdfecf90
> key =
> 00000000->00000000 @mask=0p00000000
>
> Mar 5 11:07:18 bfama kernel: klips_debug:@ flags = 6 @key=0pcdfecfa4
> key =
> ffffffff->ffffffff @mask=0p00000000
>
> Mar 5 11:07:18 bfama kernel: klips_debug: off = 0
>
> Mar 5 11:07:18 bfama kernel: klips_debug:ipsec_eroute_get_info:
> buffer=0pc6658000, *start=0p00000000, offset=0, length=3072
>
> Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: for:
> rn=0pc12c87b8 rj_b=-3 rj_flags=6 leaf key = 00000000->00000000
>
> Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: processing
> leaves, rn=0pc12c87e8 rj_b=-3 rj_flags=6 leaf key = ffffffff->ffffffff
>
> Mar 5 11:07:18 bfama kernel: klips_debug:rj_walktree: while:
> base=0p00000000 rn=0pc12c87b8 rj_b=-3 rj_flags=6 leaf key =
> 00000000->00000000
>
> Mar 5 11:07:25 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:07:25 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:29 id:25315 frag_off:0 ttl:114 proto:17 (UDP) chk:53265
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:07:25 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from
> 200.68.215.117.
>
> Mar 5 11:07:45 bfama kernel: klips_debug:ipsec_rcv: suspected ESPinUDP
> packet (NAT-Traversal) [2].
>
> Mar 5 11:07:45 bfama kernel: klips_debug: IP: ihl:20 ver:4 tos:0
> tlen:29 id:25444 frag_off:0 ttl:114 proto:17 (UDP) chk:53136
> saddr:200.68.215.117:11364 daddr:45.45.45.45:4500
>
> Mar 5 11:07:45 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from
> 200.68.215.117.
>
> Have you got any idea? Thanks in advance.
> Ivan.
> --------------------------------
>
>
>
> Ivan Lopez wrote:
>
> > In that scenario, the IPSEC connection is established perfectly but then
> > the ipsec0 device starts to drop packets (I can see it with ifconfig)
>
> Could be an MTU problem. Did you check the logs for errors? See also:
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#MTUproblems
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
> _______________________________________________
> Users mailing list
> Users at openswan.org http://lists.openswan.org/mailman/listinfo/users
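An added example, not written by anyone in this thread: a small Python triage script for logs like the one quoted above. It strips the mail quoting, rejoins the records the mailer wrapped, and counts NAT-T keepalives that arrive after the eroute to the same peer was deleted. The sample lines are copied from the quoted log; the function names and the "keepalive after teardown" check are the example's own assumptions about what is worth flagging.

```python
import re

# Sample lines copied from the quoted klips_debug log in this thread, mail quoting included.
SAMPLE = """\
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_sa_del: deleting
> SA:esp.8e1d5296 at 45.45.45.45, hashval=179.
>
> Mar 5 11:07:02 bfama kernel: klips_debug:ipsec_breakroute: attempting
> to delete eroute for 45.45.45.45/32:1701->200.68.215.117/32:1701 17
>
> Mar 5 11:07:05 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from
> 200.68.215.117.
>
> Mar 5 11:07:25 bfama kernel: klips_debug:ipsec_rcv: NAT-keepalive from
> 200.68.215.117.
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: klips_debug:\s*(.*)$")
EVENTS = [
    # The archive shows " at " where the SA id would carry "@" (assumed obfuscation); accept both.
    ("sa_deleted", re.compile(r"ipsec_sa_del: deleting SA:(\S+?)(?:@| at )([\d.]+)")),
    ("eroute_deleted", re.compile(r"ipsec_breakroute: attempting to delete eroute for (\S+)->(\S+)")),
    ("nat_keepalive", re.compile(r"ipsec_rcv: NAT-keepalive from (\d+(?:\.\d+){3})")),
]

def unwrap(text):
    """Strip '>' quoting and rejoin records that were wrapped across lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records:                      # continuation of the previous record
            records[-1][1] += " " + line
    return [(stamp, msg) for stamp, msg in records]

def timeline(text):
    """Return (timestamp, event, fields) for every record matching a known event."""
    return [(stamp, name, rx.search(msg).groups())
            for stamp, msg in unwrap(text)
            for name, rx in EVENTS if rx.search(msg)]

def keepalives_after_teardown(text):
    """Count keepalives per peer seen (in log order) after an eroute to that peer was deleted."""
    torn_down, hits = set(), {}
    for _, name, fields in timeline(text):
        if name == "eroute_deleted":
            torn_down.update(f.split("/")[0] for f in fields)
        elif name == "nat_keepalive" and fields[0] in torn_down:
            hits[fields[0]] = hits.get(fields[0], 0) + 1
    return hits

if __name__ == "__main__":
    for event in timeline(SAMPLE):
        print(event)
    print(keepalives_after_teardown(SAMPLE))
```

A non-empty result only says the peer is still refreshing its NAT mapping while the gateway has no eroute for it; it narrows where to look and does not by itself identify the cause.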