[Openswan Users] openswan 2.6.20rc2(klips) kernel 2.6.22 (nat-t patch):ip_route_output failed with error code -22
Zhiping Liu
flyingzpl at gmail.com
Mon Feb 9 03:05:55 EST 2009
Hi list: Please help. SA established, but can't route to destination.
Here are two machines:
A:
eth0 192.168.100.201 (local subnet)
eth1 192.168.111.201
default route to 192.168.111.1
connect to Internet through 192.168.111.1
UDP ports 50, 4500 are mapped to A.
B:
Gateway, connects to the Internet with PPPoE
eth1 192.168.60.1, local subnet 192.168.60.0
1. my config file:
conn cylan
type = tunnel
left = %defaultroute
right = RIGHTSIDE_DOMAINNAME
leftsubnet = 192.168.100.0/255.255.255.0
rightsubnet = 192.168.60.0/255.255.255.0
auto = start
keyexchange = ike
authby = secret
auth = esp
pfs = yes
esp = 3DES-SHA1
ike = 3DES-SHA-MODP1024
aggrmode = yes
leftid = @bb
rightid = @aa
2. part of .config (Networking options section)
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
CONFIG_IPSEC_NAT_TRAVERSAL=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=y
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET_XFRM_MODE_TUNNEL is not set
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_NETWORK_SECMARK is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_BRIDGE_NETFILTER=y
2. ifconfig
suibian linux-2.6.22 # ifconfig
eth1 Link encap:Ethernet HWaddr 00:0F:EA:25:51:37
inet addr:192.168.100.201 Bcast:192.168.100.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20432 errors:2 dropped:2 overruns:1 frame:0
TX packets:21702 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8654345 (8.2 Mb) TX bytes:4594130 (4.3 Mb)
Interrupt:21 Base address:0x8000
eth3 Link encap:Ethernet HWaddr 00:21:27:95:00:54
inet addr:192.168.111.201 Bcast:192.168.111.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2970 errors:0 dropped:0 overruns:0 frame:0
TX packets:253 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251151 (245.2 Kb) TX bytes:25370 (24.7 Kb)
Interrupt:21 Base address:0x6000
ipsec0 Link encap:Ethernet HWaddr 00:21:27:95:00:54
inet addr:192.168.111.201 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:147 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:56 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4340 (4.2 Kb) TX bytes:4340 (4.2 Kb)
3. netstat -rn
suibian linux-2.6.22 # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.60.0    0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
192.168.111.0   0.0.0.0         255.255.255.0   U     0   0      0    eth3
192.168.111.0   0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         192.168.111.1   0.0.0.0         UG    0   0      0    eth3
suibian linux-2.6.22 #
4. IPSEC tunnel established:
output from `ipsec whack --status`:
000 "cylan": 192.168.100.0/24===192.168.111.201[@bb,+S=C]...202.105.158.145
<RIGHTSIDE_DOMAINNAME>[@aa,+S=C]===192.168.60.0/24; erouted; eroute owner:
#2
000 "cylan": myip=unset; hisip=unset;
000 "cylan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "cylan": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;
interface: eth3;
000 "cylan": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "cylan": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2);
flags=-strict
000 "cylan": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,
000 "cylan": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "cylan": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict
000 "cylan": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "cylan": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "cylan":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27814s; newest IPSEC; eroute owner; isakmp#1; idle;
import:admin initiate
000 #2: "cylan" used 101s ago; esp.dc7e6e91 at 202.105.158.145
esp.1ab13ad4 at 192.168.111.201 tun.1001 at 202.105.158.145
tun.1002 at 192.168.111.201 ref=3 refhim=1
000 #1: "cylan":4500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established);
EVENT_SA_REPLACE in 2304s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
import:admin initiate
000
5. eroute exists
suibian linux-2.6.22 # ipsec eroute
8 192.168.100.0/24 -> 192.168.60.0/24 => tun0x1001 at 202.105.158.145
suibian linux-2.6.22 #
6. ping from local subnet to remote subnet shows error message in debug log file:
ping -I 192.168.100.201 192.168.60.1
packet is dropped:
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_neigh_setup:
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_hard_header:
skb->dev=ipsec0 dev=ipsec0.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_hard_header:
Revectored 0p00000000->0pef1a1aa4 len=84 type=2048 dev=ipsec0->eth3
dev_addr=00:21:27:95:00:54 ip=c0a864c9->c0a83c01
Feb 9 15:58:21 suibian kernel:
Feb 9 15:58:21 suibian kernel:
Feb 9 15:58:21 suibian kernel: ipsec_tunnel_start_xmit:
STARTING<6>klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98
hard_header_len:14 00:21:27:95:00:54:00:21:27:95:00:54:08:00
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286
saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_strip_hard_header:
Original head,tailroom: 2,28
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_findroute:
192.168.100.201:0->192.168.60.1:0 1
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pedf71d80
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_SAlookup: checking
for local udp/500 IKE packet saddr=c0a864c9, er=0pedf71d80, daddr=c0a83c01,
er_dst=ca699e91, proto=1 sport=0 dport=0
Feb 9 15:58:21 suibian kernel: ipsec_sa_getbyid: linked entry in ipsec_sa
table for hash=129 of
SA:tun.1001 at 202.105.158.145<SA%3Atun.1001 at 202.105.158.145>requested.
Feb 9 15:58:21 suibian kernel: ipsec_sa_get: ipsec_sa e7d71000
SA:tun.1001 at 202.105.158.145 <SA%3Atun.1001 at 202.105.158.145>, ref:1 reference
count (2++) incremented by ipsec_sa_getbyid:552.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: found ipsec_sa
-- SA:<IPIP> tun.1001 at 202.105.158.145
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: calling room
for <IPIP>, SA:tun.1001 at 202.105.158.145 <SA%3Atun.1001 at 202.105.158.145>
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: Required
head,tailroom: 20,0
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: calling room
for <ESP_3DES_HMAC_SHA1>,
SA:esp.dc7e6e91 at 202.105.158.145<SA%3Aesp.dc7e6e91 at 202.105.158.145>
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: Required
head,tailroom: 16,24
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: existing
head,tailroom: 2,28 before applying xforms with head,tailroom: 36,24 .
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: mtu:1500
physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:84
Feb 9 15:58:21 suibian kernel: klips_info:ipsec_xmit_init2: dev ipsec0 mtu
of 1500 decreased by 65 to 1435
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: allocating 14
bytes for hardheader.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: head,tailroom:
16,28 after hard_header stripped.
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286
saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: head,tailroom:
68,104 after allocation
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286
saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <IPIP>, SA:tun.1001 at 202.105.158.145<SA%3Atun.1001 at 202.105.158.145>
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: pushing
20 bytes, putting 0, proto 4.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 48,104 before xform.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: after
<IPIP>, SA:tun.1001 at 202.105.158.145 <SA%3Atun.1001 at 202.105.158.145>:
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:104 id:30113 frag_off:0 ttl:64 proto:4 chk:27524 saddr:192.168.111.201
daddr:202.105.158.145
Feb 9 15:58:21 suibian kernel: ipsec_sa_put: ipsec_sa e7d71000
SA:tun.1001 at 202.105.158.145 <SA%3Atun.1001 at 202.105.158.145>, ref:1 reference
count (3--) decremented by ipsec_xmit_cont:1096.
Feb 9 15:58:21 suibian kernel: ipsec_sa_get: ipsec_sa e7d71800
SA:esp.dc7e6e91 at 202.105.158.145 <SA%3Aesp.dc7e6e91 at 202.105.158.145>, ref:2
reference count (3++) incremented by ipsec_xmit_cont:1101.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <ESP_3DES_HMAC_SHA1>,
SA:esp.dc7e6e91 at 202.105.158.145<SA%3Aesp.dc7e6e91 at 202.105.158.145>
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: pushing
16 bytes, putting 16, proto 50.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 32,88 before xform.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: entering
with encalg=3, ixt_e=f01f8300
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: calling
cbc_encrypt encalg=3 ips_key_e=e03bce00 idat=df18d444 ilen=88 iv=df18d43c,
encrypt=1
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: returned
ret=1
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: after
<ESP_3DES_HMAC_SHA1>,
SA:esp.dc7e6e91 at 202.105.158.145<SA%3Aesp.dc7e6e91 at 202.105.158.145>
:
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:136 id:30113 frag_off:0 ttl:64 proto:50 (ESP) chk:27446
saddr:192.168.111.201 daddr:202.105.158.145
Feb 9 15:58:21 suibian kernel: ipsec_sa_put: ipsec_sa e7d71800
SA:esp.dc7e6e91 at 202.105.158.145 <SA%3Aesp.dc7e6e91 at 202.105.158.145>, ref:2
reference count (4--) decremented by ipsec_xmit_cont:1096.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_findroute:
192.168.111.201:0->202.105.158.145:0 50
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pedf71d80
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: *** start searching up
the tree, t=0pedf71d80
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: **** t=0pedf71d98
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: **** t=0pef1a17c0
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ***** cp2=0pe4882ea8
cp3=0pee9eec90
Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ***** not found.
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_start_xmit:
encapsuling packet into UDP (NAT-Traversal) (2 8)
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_restore_hard_header:
After recursive xforms -- head,tailroom: 32,80
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_restore_hard_header:
With hard_header, final head,tailroom: 18,80
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_send: ip_route_output
failed with error code -22, dropped
--
from Romeo
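As an added example (not code from this post or from Openswan), a small Python parser for a KLIPS klips_debug transmit trace like the one quoted above: it pulls out the IP header after each encapsulation step, the SAs applied, the NAT-T UDP step and the final ip_route_output errno, so the drop can be placed after SA lookup and crypto and at the routing of the outer packet. The sample log is constructed from the lines in the post, with the archive's " at " in SA names written as "@".

```python
import errno
import re

# Constructed sample, modelled on the klips_debug lines quoted in the post
# (mail wrapping removed, SA names written with '@'). Not the full log.
SAMPLE_LOG = """\
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286 saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling output for <IPIP>, SA:tun.1001@202.105.158.145
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:30113 frag_off:0 ttl:64 proto:4 chk:27524 saddr:192.168.111.201 daddr:202.105.158.145
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling output for <ESP_3DES_HMAC_SHA1>, SA:esp.dc7e6e91@202.105.158.145
Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:30113 frag_off:0 ttl:64 proto:50 (ESP) chk:27446 saddr:192.168.111.201 daddr:202.105.158.145
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_start_xmit: encapsuling packet into UDP (NAT-Traversal) (2 8)
Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_send: ip_route_output failed with error code -22, dropped
"""

# One IP header dump printed by KLIPS after each transform is applied.
IP_RE = re.compile(r"klips_debug: IP: .*?tlen:(\d+) .*?proto:(\d+).*?saddr:(\S+) daddr:(\S+)")
# Transform (IPIP, ESP_*) and the SA it is driven by.
XFORM_RE = re.compile(r"ipsec_xmit_encap_once: calling output for <([^>]+)>, SA:(\S+)")
NATT_RE = re.compile(r"encapsuling packet into UDP \(NAT-Traversal\)")
# Final send step; the code is a negative errno value.
SEND_ERR_RE = re.compile(r"ipsec_xmit_send: (\w+) failed with error code (-?\d+)")

def parse_xmit_trace(text):
    """Summarise one KLIPS transmit trace: header chain, SAs, NAT-T, send error."""
    trace = {"headers": [], "xforms": [], "nat_t": False, "error": None}
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            tlen, proto, saddr, daddr = m.groups()
            trace["headers"].append({"tlen": int(tlen), "proto": int(proto),
                                     "saddr": saddr, "daddr": daddr})
        elif (m := XFORM_RE.search(line)):
            trace["xforms"].append((m.group(1), m.group(2)))
        elif NATT_RE.search(line):
            trace["nat_t"] = True
        elif (m := SEND_ERR_RE.search(line)):
            code = int(m.group(2))
            trace["error"] = {"func": m.group(1), "code": code,
                              "name": errno.errorcode.get(-code, "UNKNOWN")}
    return trace

def diagnose(trace):
    """One-line reading: where in the xmit path the packet was lost."""
    inner, outer = trace["headers"][0], trace["headers"][-1]
    stage = "routing of outer packet" if trace["error"] else "none"
    err = trace["error"]
    err_txt = f"{err['func']} {err['code']} ({err['name']})" if err else "no error"
    return (f"inner {inner['saddr']}->{inner['daddr']} proto {inner['proto']}; "
            f"outer {outer['saddr']}->{outer['daddr']} proto {outer['proto']}; "
            f"nat_t={trace['nat_t']}; failed at: {stage}; {err_txt}")

if __name__ == "__main__":
    print(diagnose(parse_xmit_trace(SAMPLE_LOG)))
```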