[Openswan Users] [Tunnel established, no traffic]
Ralf Guenthner
r.guenthner at iq-optimize.de
Tue Aug 21 05:58:20 EDT 2007
Paul Wouters wrote:
> Then the packets are dropped because of bad crypto. Usually this means
> some NAT is happening to the packets. With netkey there is no way to
> see that. With klips, you can run for a few packets with klipsdebug
> enabled (ipsec klipsdebug --all, send a few pings, then run ipsec
> klipsdebug --none) to see why packets were being dropped.
Hi,
I used the klipsdebug command on one gateway and as far as I can see
there are no DROPS pertaining to the tunnel in question (sorry for the length):
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: >>> skb->len=74 hard_header_len:14
00:00:e2:70:44:eb:00:00:e2:70:44:eb:08:00
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:60 id:20423 frag_off:0 ttl:126 proto:1 (ICMP) chk:29407
saddr:192.168.205.55 daddr:194.152.41.162 type:code=8:0
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @000: 08 00 93 5a 02
00 b8 01 61 62 63 64 65 66 67 68
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @010: 69 6a 6b 6c 6d
6e 6f 70 71 72 73 74 75 76 77 61
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @020: 62 63 64 65 66
67 68 69
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: checking for local udp/500 IKE
packet saddr=c0a8cd37, er=c7c3f060, daddr=c29829a2, er_dst=55b4b4eb,
proto=1 sport=0 dport=0
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: Original head,tailroom: 76,1450
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: found Tunnel Descriptor Block --
SA:<IPIP> tun0x114f at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling room for <IPIP>,
SA:tun0x114f at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: Required head,tailroom: 20,0
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling room for <COMP_DEFLATE>,
SA:comp0x150 at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: Required head,tailroom: 0,0
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling room for
<ESP_AES_HMAC_SHA1>, SA:esp0x1e12193b at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: Required head,tailroom: 24,16
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: existing head,tailroom: 76,1450
before applying xforms with head,tailroom: 44,16 .
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: mtu:1427 physmtu:1500 tothr:44
tottr:16 mtudiff:-13 ippkttotlen:60
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: head,tailroom: 90,1450 after
hard_header stripped.
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:60 id:20423 frag_off:0 ttl:126 proto:1 (ICMP) chk:29407
saddr:192.168.205.55 daddr:194.152.41.162 type:code=8:0
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @000: 08 00 93 5a 02
00 b8 01 61 62 63 64 65 66 67 68
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @010: 69 6a 6b 6c 6d
6e 6f 70 71 72 73 74 75 76 77 61
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @020: 62 63 64 65 66
67 68 69
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: data fits in existing skb
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling output for <IPIP>,
SA:tun0x114f at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: pushing 20 bytes, putting 0, proto 4.
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: head,tailroom: 70,1450 before xform.
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: after <IPIP>,
SA:tun0x114f at 85.180.180.235:
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:80 id:61153 frag_off:0 ttl:64 proto:4 chk:64801
saddr:193.227.195.35 daddr:85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @000: 45 00 00 3c 4f
c7 00 00 7e 01 72 df c0 a8 cd 37
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @010: c2 98 29 a2 08
00 93 5a 02 00 b8 01 61 62 63 64
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @020: 65 66 67 68 69
6a 6b 6c 6d 6e 6f 70 71 72 73 74
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @030: 75 76 77 61 62
63 64 65 66 67 68 69
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling output for <COMP_DEFLATE>,
SA:comp0x150 at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: pushing 0 bytes, putting 0, proto 108.
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: head,tailroom: 70,1450 before xform.
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: packet did not compress (flags = 1).
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: after <COMP_DEFLATE>,
SA:comp0x150 at 85.180.180.235:
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:80 id:61153 frag_off:0 ttl:64 proto:4 chk:64801
saddr:193.227.195.35 daddr:85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @000: 45 00 00 3c 4f
c7 00 00 7e 01 72 df c0 a8 cd 37
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @010: c2 98 29 a2 08
00 93 5a 02 00 b8 01 61 62 63 64
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @020: 65 66 67 68 69
6a 6b 6c 6d 6e 6f 70 71 72 73 74
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @030: 75 76 77 61 62
63 64 65 66 67 68 69
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: calling output for
<ESP_AES_HMAC_SHA1>, SA:esp0x1e12193b at 85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: pushing 24 bytes, putting 16, proto 50.
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: head,tailroom: 46,1434 before xform.
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug:ipsec_alg_esp_encrypt:
entering with encalg=12, ixt_e=c031a220
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug:ipsec_alg_esp_encrypt:
calling cbc_encrypt encalg=12 ips_key_e=c7434000 idat=c95d905a ilen=64
iv=c95d904a, encrypt=1
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug:ipsec_alg_esp_encrypt:
returned ret=64
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug:ipsec_sa_esp_hash:
hashing c95d9042 (88 bytes) to c95d909a (12 bytes)
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: after <ESP_AES_HMAC_SHA1>,
SA:esp0x1e12193b at 85.180.180.235:
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:120 id:61153 frag_off:0 ttl:64 proto:50 chk:64715
saddr:193.227.195.35 daddr:85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @000: 1e 12 19 3b 00
00 00 c1 49 4d ff f5 96 61 55 47
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @010: 88 27 3f 4b 45
1f b5 36 84 c7 36 82 47 ee db 51
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @020: ae 72 6f b5 31
a5 77 11 ae d2 6d fe f2 67 77 1e
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @030: 73 89 4f 35 b3
41 a1 62 21 66 e3 64 47 69 dd 6c
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @040: 6c f8 d7 a2 4c
b8 24 a7 3c 3a d5 e9 5d d2 a0 f2
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @050: a2 92 fc d9 19
1a e9 c4 6c 33 c6 bb c7 e1 5a 24
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: @060: d8 ba 65 8a
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: After recursive xforms --
head,tailroom: 46,1434
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: With hard_header, final
head,tailroom: 32,1434
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: ...done, calling ip_send() on
device:eth0
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:120 id:61153 frag_off:0 ttl:64 proto:50 chk:64715
saddr:193.227.195.35 daddr:85.180.180.235
What else can I do?
Thanks
Regards
Ralf G.
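As an added example (not part of the original post or of Openswan): a small Python script that rejoins the mail-wrapped klips_debug lines into whole records, then reports which KLIPS functions logged, how many records mention a drop, and the IP header after each transform. The names `unwrap` and `summarize` are made up here, matching "drop" as a substring is an assumption about the message wording, and the sample is an excerpt of the log above with the hex dump lines left out.

```python
import re
# Excerpt of the wrapped log lines from the post above (hex dump lines left out).
SAMPLE = """\
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:60 id:20423 frag_off:0 ttl:126 proto:1 (ICMP) chk:29407
saddr:192.168.205.55 daddr:194.152.41.162 type:code=8:0
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: after <IPIP>,
SA:tun0x114f at 85.180.180.235:
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:80 id:61153 frag_off:0 ttl:64 proto:4 chk:64801
saddr:193.227.195.35 daddr:85.180.180.235
Aug 21 11:15:30 ditagmgw-new kernel:
klips_debug:ipsec_tunnel_start_xmit: after <ESP_AES_HMAC_SHA1>,
SA:esp0x1e12193b at 85.180.180.235:
Aug 21 11:15:30 ditagmgw-new kernel: klips_debug: IP: ihl:20 ver:4
tos:0 tlen:120 id:61153 frag_off:0 ttl:64 proto:50 chk:64715
saddr:193.227.195.35 daddr:85.180.180.235
"""
REC_START = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ kernel:")
FUNC = re.compile(r"klips_debug:(\w+):")
AFTER = re.compile(r"after <(\w+)>")
IPHDR = re.compile(r"IP: .*?tlen:(\d+) .*?proto:(\d+).*?saddr:(\S+) daddr:(\S+)")

def unwrap(text):
    """Rejoin mail-wrapped syslog lines into one record per kernel message."""
    records = []
    for line in text.splitlines():
        if REC_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return (functions that logged, drop-record count, header per transform)."""
    recs = unwrap(text)
    funcs = sorted({m[1] for r in recs for m in [FUNC.search(r)] if m})
    drops = sum("drop" in r.lower() for r in recs)  # assumed wording of drop messages
    stages, pending = [], "input"
    for r in recs:
        a, ip = AFTER.search(r), IPHDR.search(r)
        if a:                      # the next IP header dump belongs to this transform
            pending = a[1]
        elif ip and pending:       # (stage, total length, protocol, source, destination)
            stages.append((pending, int(ip[1]), int(ip[2]), ip[3], ip[4]))
            pending = None
    return funcs, drops, stages
```

On the excerpt, `summarize(SAMPLE)` shows the packet growing from 60 to 80 to 120 bytes as it passes IPIP and ESP, with the outer addresses replacing the inner ones.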