[Openswan Users] KLIPS not working with CentOS 5.2

Sybille Ebert sybille.ebert at gmx.net
Thu Jan 8 10:01:34 EST 2009 

Has anybody had any luck with KLIPS on CentOS 5.2?

I am using a patched kernel-2.6.18-92.1.22.el5.src.rpm with
openswan-2.6.20rc1. When I ping the remote side, ping is seen entering
ipsec0 tunnel, but there is no encrypted (ESP) traffic following on eth0.

Klips debug log is attached below.

I have also tried several other combinations of kernels and OpenSwan,
but I cannot make it work. Using protostack=netkey works (ESP packets
leave the box).

S

## begin klips debug log

Jan  6 12:41:27 centos kernel: klips_debug:ipsec_tunnel_hard_header:
skb->dev=ipsec0 dev=ipsec0.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_tunnel_hard_header:
Revectored 0p00000000->0pe4952e28 len=84 type=2048 dev=ipsec0->eth0
dev_addr=00:0c:29:dd:65:bb ip=0a010001->0a020001
Jan  6 12:41:27 centos kernel:
Jan  6 12:41:27 centos kernel:
Jan  6 12:41:27 centos kernel: ipsec_tunnel_start_xmit:
STARTING<6>klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98
hard_header_len:14 00:0c:29:dd:65:bb:00:0c:29:dd:65:bb:08:00
Jan  6 12:41:27 centos kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:9893 saddr:10.1.0.1
daddr:10.2.0.1 type:code=8:0
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_strip_hard_header:
Original head,tailroom: 2,28
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_findroute:
10.1.0.1:0->10.2.0.1:0 1
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pdc04ea80
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_SAlookup: checking
for local udp/500 IKE packet saddr=a010001, er=0pdc04ea80,
daddr=a020001, er_dst=c0a8012a, proto=1 sport=0 dport=0
Jan  6 12:41:27 centos kernel: ipsec_sa_getbyid: linked entry in
ipsec_sa table for hash=2 of SA:tun.1001 at 192.168.1.42 requested.
Jan  6 12:41:27 centos kernel: ipsec_sa_get: ipsec_sa e2351c00
SA:tun.1001 at 192.168.1.42, ref:1 reference count (2++) incremented by
ipsec_sa_getbyid:552.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: found
ipsec_sa -- SA:<IPIP> tun.1001 at 192.168.1.42
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: calling
room for <IPIP>, SA:tun.1001 at 192.168.1.42
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: Required
head,tailroom: 20,0
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: calling
room for <ESP_AES_HMAC_SHA1>, SA:esp.a2beb5dc at 192.168.1.42
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: Required
head,tailroom: 24,24
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: existing
head,tailroom: 2,28 before applying xforms with head,tailroom: 44,24 .
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: mtu:1500
physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
Jan  6 12:41:27 centos kernel: klips_info:ipsec_xmit_init2: dev ipsec0
mtu of 1500 decreased by 73 to 1427
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2: allocating
14 bytes for hardheader.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2:
head,tailroom: 16,28 after hard_header stripped.
Jan  6 12:41:27 centos kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:9893 saddr:10.1.0.1
daddr:10.2.0.1 type:code=8:0
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_init2:
head,tailroom: 76,96 after allocation
Jan  6 12:41:27 centos kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:9893 saddr:10.1.0.1
daddr:10.2.0.1 type:code=8:0
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
calling output for <IPIP>, SA:tun.1001 at 192.168.1.42
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
pushing 20 bytes, putting 0, proto 4.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 56,96 before xform.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once: after
<IPIP>, SA:tun.1001 at 192.168.1.42:
Jan  6 12:41:27 centos kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:104 id:30378 frag_off:0 ttl:64 proto:4 chk:32837 saddr:192.168.1.40
daddr:192.168.1.42
Jan  6 12:41:27 centos kernel: ipsec_sa_put: ipsec_sa e2351c00
SA:tun.1001 at 192.168.1.42, ref:1 reference count (3--) decremented by
ipsec_xmit_cont:1096.
Jan  6 12:41:27 centos kernel: ipsec_sa_get: ipsec_sa e386b800
SA:esp.a2beb5dc at 192.168.1.42, ref:2 reference count (3++) incremented by
ipsec_xmit_cont:1101.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
calling output for <ESP_AES_HMAC_SHA1>, SA:esp.a2beb5dc at 192.168.1.42
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
pushing 24 bytes, putting 24, proto 50.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 32,72 before xform.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_alg_esp_encrypt:
entering with encalg=12, ixt_e=e8ef1440
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_alg_esp_encrypt:
calling cbc_encrypt encalg=12 ips_key_e=d901a800 idat=c1696a4c ilen=96
iv=c1696a3c, encrypt=1
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_alg_esp_encrypt:
returned ret=96
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_encap_once: after
<ESP_AES_HMAC_SHA1>, SA:esp.a2beb5dc at 192.168.1.42:
Jan  6 12:41:27 centos kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:152 id:30378 frag_off:0 ttl:64 proto:50 (ESP) chk:32743
saddr:192.168.1.40 daddr:192.168.1.42
Jan  6 12:41:27 centos kernel: ipsec_sa_put: ipsec_sa e386b800
SA:esp.a2beb5dc at 192.168.1.42, ref:2 reference count (4--) decremented by
ipsec_xmit_cont:1096.
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_findroute:
192.168.1.40:0->192.168.1.42:0 50
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pdc04ea80
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: *** start searching
up the tree, t=0pdc04ea80
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: **** t=0pdc04ea98
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: **** t=0pe5be5c00
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: *****
cp2=0pde223ce8 cp3=0pdf05a670
Jan  6 12:41:27 centos kernel: klips_debug:rj_match: ***** not found.
Jan  6 12:41:27 centos kernel:
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms --
head,tailroom: 32,72
Jan  6 12:41:27 centos kernel:
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final
head,tailroom: 18,72
Jan  6 12:41:27 centos kernel: klips_debug:ipsec_xmit_send:
ip_route_output failed with error code -22, dropped

## end klips debug log

(Previously, I posted about this to the dev mailinglist, but the
bug I was suspecting had already been fixed by then. I hope this is not
considered as double-posting.)

More information about the Users mailing list