[Openswan Users] openswan 2.4.10 kernel 2.6.22 can only run behind firewall (NATted).

Zhiping Liu flyingzpl at gmail.com
Mon Mar 16 03:31:27 EDT 2009


Hi everyone:
I have a strange problem: the IPsec SA can be established, but it can only
forward packets through NAT.


1. WITHOUT NAT   Network topology:

PC A:
eth0:192.168.100.234
eth1:192.168.1.234
PC B:
eth0:192.168.111.231
eth1:192.168.1.231

My PC (Windows XP, trying to access 192.168.111.231, with 192.168.100.234 set
as gateway):
eth0:192.168.100.10

2.ipsec.conf (PC A)
-bash-3.2$ cat /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        plutodebug = all
        klipsdebug = all
        nat_traversal=no
        interfaces = "ipsec0=eth1"
include /etc/ipsec.d/examples/no_oe.conf
conn aa
        type = tunnel
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-SHA1
        ike = 3DES-SHA1-MODP1024
        aggrmode = yes
        pfs = yes
        pfsgroup = MODP1024
        left = 192.168.1.234
        leftsubnet = 192.168.100.0/255.255.255.0
        right = 192.168.1.132
        rightsubnet = 192.168.111.0/255.255.255.0
        leftid = @aaa
        rightid = @bbb

3.tcp dump result on PC A

From eth1, there is a result from the peer node, 192.168.1.132:

-bash-3.2$ sudo ./tcpdump -i eth1 host 192.168.1.132 -vv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96
bytes
14:16:32.753634 IP (tos 0x0, ttl 64, id 51990, offset 0, flags [none], proto
ESP (50), length 112) 192.168.1.234 > 192.168.1.132:
ESP(spi=0xa1015406,seq=0x2), length 92
14:16:52.764378 IP (tos 0x0, ttl 64, id 32957, offset 0, flags [none], proto
ESP (50), length 112) 192.168.1.132 > 192.168.1.234:
ESP(spi=0x1c703a00,seq=0x2), length 92
14:16:37.729272 arp who-has 192.168.1.132 tell 192.168.1.234
14:16:37.729482 arp reply 192.168.1.132 is-at 00:19:db:47:0c:60 (oui
Unknown)

4 packets captured
4 packets received by filter
0 packets dropped by kernel

But no result for ipsec0 (192.168.100.10 is my IP)
-bash-3.2$ sudo ./tcpdump -i ipsec0 -vv
tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96
bytes
14:16:32.744483 IP (tos 0x0, ttl 127, id 31949, offset 0, flags [none],
proto ICMP (1), length 60) 192.168.100.10 > 192.168.111.132: ICMP echo
request, id 768, seq 35072, length 40
14:16:32.747816 IP (tos 0x0, ttl 64, id 7320, offset 0, flags [DF], proto
UDP (17), length 74) 192.168.1.234.filenet-pa > 192.168.111.1.domain: [udp
sum ok] 3304+ PTR? 132.111.168.192.in-addr.arpa. (46)

2 packets captured
13 packets received by filter
0 packets dropped by kernel
-bash-3.2$

4. ipsec log file (can only see messages sent out)
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:
skb->dev=ipsec0 dev=ipsec0.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:
Revectored 0p00000000->0pdc883a24 len=84 type=2048 dev=ipsec0->eth1
dev_addr=00:50:c2:1c:97:92 ip=c0a864ea->c0a86f01
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header: >>>
skb->len=98 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234
daddr:192.168.111.1 type:code=8:0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:
Original head,tailroom: 2,28
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:
192.168.100.234:0->192.168.111.1:0 1
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,
t=0pde630180
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking for
local udp/500 IKE packet saddr=c0a864ea, er=0pde630180, daddr=c0a86f01,
er_dst=c0a80184, proto=1 sport=0 dport=0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in
ipsec_sa table for hash=168 of
SA:tun.1002@192.168.1.132 requested.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found
ipsec_sa -- SA:<IPIP> tun.1002@192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling
room for <IPIP>, SA:tun.1002@192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required
head,tailroom: 20,0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling
room for <ESP_3DES_HMAC_SHA1>,
SA:esp.1867139c@192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required
head,tailroom: 16,16
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: existing
head,tailroom: 2,28 before applying xforms with head,tailroom: 36,16 .
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: mtu:1500
physmtu:1500 tothr:36 tottr:16 mtudiff:52 ippkttotlen:84
Mar 16 12:49:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev
ipsec0 mtu of 1500 decreased by 57 to 1443
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
allocating 14 bytes for hardheader.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
head,tailroom: 16,28 after hard_header stripped.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234
daddr:192.168.111.1 type:code=8:0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
head,tailroom: 68,104 after allocation
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84
id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:58732 saddr:192.168.100.234
daddr:192.168.111.1 type:code=8:0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <IPIP>, SA:tun.1002@192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 20
bytes, putting 0, proto 4.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 48,104 before xform.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after
<IPIP>, SA:tun.1002@192.168.1.132:
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234
daddr:192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:104 id:46843 frag_off:0 ttl:64 proto:4 chk:16088 saddr:192.168.1.234
daddr:192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <ESP_3DES_HMAC_SHA1>,
SA:esp.1867139c@192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 16
bytes, putting 16, proto 50.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 32,88 before xform.
Mar 16 12:49:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=136:
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @000: 45 00 00 88 b6 fb 00 00
40 32 3e d8 c0 a8 01 ea
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @010: c0 a8 01 84 18 67 13 9c
00 00 00 02 c0 a8 01 ea
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @020: c0 a8 01 84 45 00 00 54
00 00 40 00 40 01 e5 6c
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @030: c0 a8 64 ea c0 a8 6f 01
08 00 38 4f 3a 37 00 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @040: 0d 20 35 2d 00 00 00 00
00 00 00 00 00 00 00 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @050: 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @060: 00 00 00 00 00 00 00 10
00 00 00 00 00 00 00 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @070: 68 8d 0c 08 34 c7 99 bf
01 02 02 04 04 00 00 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   @080: 50 e5 74 64 64 ed 07 00
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering
with encalg=3, ixt_e=df0c3bc0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling
cbc_encrypt encalg=3 ips_key_e=d26c5400 idat=de5f6644 ilen=88 iv=de5f663c,
encrypt=1
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned
ret=1
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after
<ESP_3DES_HMAC_SHA1>,
SA:esp.1867139c@192.168.1.132:
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010
saddr:192.168.1.234 daddr:192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010
saddr:192.168.1.234 daddr:192.168.1.132
Mar 16 12:49:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer passed
in!
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute: 192.168.1.234:0
->192.168.1.132:0 50
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,
t=0pde630180
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up
the tree, t=0pde630180
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pde630198
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pdc8838c0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd5f31d68
cp3=0pd8d998d0
Mar 16 12:49:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:
After recursive xforms -- head,tailroom: 32,88
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:
With hard_header, final head,tailroom: 18,88
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done, calling
ip_send() on device:eth1
Mar 16 12:49:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:136 id:46843 frag_off:0 ttl:64 proto:50 (ESP) chk:16010
saddr:192.168.1.234 daddr:192.168.1.132


5. WITH NAT   Network topology:
PC A
eth0:192.168.100.234
eth1:192.168.111.234
Gateway: 192.168.111.1(udp port 500,4500 natted to PC A)

Server B:
ppp0--->pppoe
eth1:192.168.80.1

6.ipsec.conf (PC A)
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        plutodebug = all
        klipsdebug = all
        nat_traversal=yes
        interfaces = "%defaultroute"
include /etc/ipsec.d/examples/no_oe.conf
conn cylan
        type = tunnel
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-SHA1
        ike = 3DES-SHA1-MODP1024
        aggrmode = yes
        pfs = yes
        pfsgroup = MODP1024
        left = %defaultroute
        leftsubnet = 192.168.100.0/255.255.255.0
        right = 219.133.245.113
        rightsubnet = 192.168.80.0/255.255.255.0
        leftid = @bbb
        rightid = @aaa

7.tcp dump result on PC A
-bash-3.2$ sudo ./tcpdump -i eth1 host 219.133.245.113
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:55:14.424375 IP 192.168.111.234.ipsec-nat-t >
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:
ESP(spi=0x4f6ec270,seq=0x2), length 92
14:55:23.105922 IP 192.168.111.234.ipsec-nat-t >
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t: UDP-encap:
ESP(spi=0x4f6ec270,seq=0x3), length 92
14:55:25.115728 IP 192.168.111.234.ipsec-nat-t >
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:
isakmp-nat-keep-alive
14:55:25.117799 IP 192.168.111.234.ipsec-nat-t >
113.245.133.219.broad.sz.gd.dynamic.163data.com.cn.ipsec-nat-t:
isakmp-nat-keep-alive

4 packets captured
4 packets received by filter
0 packets dropped by kernel

ipsec0 got ICMP echo replies, it's OK
-bash-3.2$ sudo ./tcpdump -i ipsec0 -vv
tcpdump: listening on ipsec0, link-type EN10MB (Ethernet), capture size 96
bytes
14:56:34.183178 IP (tos 0x0, ttl 127, id 44881, offset 0, flags [none],
proto ICMP (1), length 60) 192.168.100.10 > 192.168.80.1: ICMP echo request,
id 768, seq 36352, length 40
14:56:34.207201 IP (tos 0x0, ttl 64, id 50421, offset 0, flags [none], proto
ICMP (1), length 60) 192.168.80.1 > 192.168.100.10: ICMP echo reply, id 768,
seq 36352, length 40

2 packets captured
2 packets received by filter
0 packets dropped by kernel
-bash-3.2$

8. ipsec log file (with ICMP result)
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_neigh_setup:
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:
skb->dev=ipsec0 dev=ipsec0.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_hard_header:
Revectored 0p00000000->0pd80e4a24 len=60 type=2048 dev=ipsec0->eth1
dev_addr=00:50:c2:1c:97:92 ip=c0a8640a->c0a85001
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header: >>>
skb->len=74 hard_header_len:14 00:50:c2:1c:97:92:00:50:c2:1c:97:92:08:00
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:60
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10
daddr:192.168.80.1 type:code=8:0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_strip_hard_header:
Original head,tailroom: 18,36
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute: 192.168.100.10:0
->192.168.80.1:0 1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,
t=0pd85d0e40
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_SAlookup: checking for
local udp/500 IKE packet saddr=c0a8640a, er=0pd85d0e40, daddr=c0a85001,
er_dst=db85f571, proto=1 sport=0 dport=0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in
ipsec_sa table for hash=234 of
SA:tun.1004@219.133.245.113 requested.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: found
ipsec_sa -- SA:<IPIP> tun.1004@219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling
room for <IPIP>, SA:tun.1004@219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required
head,tailroom: 20,0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: calling
room for <ESP_3DES_HMAC_SHA1>,
SA:esp.4f6ec270@219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: Required
head,tailroom: 16,24
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: existing
head,tailroom: 18,36 before applying xforms with head,tailroom: 36,24 .
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle: mtu:1500
physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:60
Mar 16 15:10:32 SSLVPN kernel: klips_info:ipsec_xmit_encap_bundle: dev
ipsec0 mtu of 1500 decreased by 65 to 1435
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
allocating 14 bytes for hardheader.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
head,tailroom: 32,36 after hard_header stripped.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:60
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10
daddr:192.168.80.1 type:code=8:0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_bundle:
head,tailroom: 68,128 after allocation
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:60
id:48219 frag_off:0 ttl:127 proto:1 (ICMP) chk:18953 saddr:192.168.100.10
daddr:192.168.80.1 type:code=8:0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <IPIP>, SA:tun.1004@219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 20
bytes, putting 0, proto 4.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 48,128 before xform.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after
<IPIP>, SA:tun.1004@219.133.245.113:
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:80
id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234
daddr:219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:80
id:43802 frag_off:0 ttl:64 proto:4 chk:52741 saddr:192.168.111.234
daddr:219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: calling
output for <ESP_3DES_HMAC_SHA1>,
SA:esp.4f6ec270@219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: pushing 16
bytes, putting 16, proto 50.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once:
head,tailroom: 32,112 before xform.
Mar 16 15:10:32 SSLVPN kernel: klips_dmp: at pre-encrypt, len=112:
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @000: 45 00 00 70 ab 1a 00 00
40 32 ce 05 c0 a8 6f ea
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @010: db 85 f5 71 4f 6e c2 70
00 00 00 08 c0 a8 6f ea
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @020: db 85 f5 71 45 00 00 3c
bc 5b 00 00 7f 01 4a 09
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @030: c0 a8 64 0a c0 a8 50 01
08 00 ba 5b 03 00 90 00
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @040: 61 62 63 64 65 66 67 68
69 6a 6b 6c 6d 6e 6f 70
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @050: 71 72 73 74 75 76 77 61
62 63 64 65 66 67 68 69
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   @060: 01 02 02 04 00 00 00 00
00 00 00 00 00 00 00 00
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering
with encalg=3, ixt_e=df0c3bc0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling
cbc_encrypt encalg=3 ips_key_e=de5f6800 idat=d1f03c44 ilen=64 iv=d1f03c3c,
encrypt=1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned
ret=1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_encap_once: after
<ESP_3DES_HMAC_SHA1>,
SA:esp.4f6ec270@219.133.245.113:
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663
saddr:192.168.111.234 daddr:219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:112 id:43802 frag_off:0 ttl:64 proto:50 (ESP) chk:52663
saddr:192.168.111.234 daddr:219.133.245.113
Mar 16 15:10:32 SSLVPN kernel: klips_error:ipsec_sa_put: null pointer passed
in!
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:
192.168.111.234:0->219.133.245.113:0 50
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ** try to match a leaf,
t=0pd85d0e40
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: *** start searching up
the tree, t=0pd85d0e40
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd85d0e58
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: **** t=0pd80e4f40
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** cp2=0pd94d9aa8
cp3=0pd8d99990
Mar 16 15:10:32 SSLVPN kernel: klips_debug:rj_match: ***** not found.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:
After recursive xforms -- head,tailroom: 32,112
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_tunnel_start_xmit:
encapsuling packet into UDP (NAT-Traversal) (2 8)
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_restore_hard_header:
With hard_header, final head,tailroom: 18,104
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done, calling
ip_send() on device:eth1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:120 id:43802 frag_off:0 ttl:64 proto:17 (UDP) chk:52688 saddr:
192.168.111.234:4500 daddr:219.133.245.113:4500
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:112 id:50426 frag_off:0 ttl:62 proto:50 (ESP) chk:46576
saddr:219.133.245.113 daddr:192.168.111.234
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv_decap_once: decap (50)
from 219.133.245.113 -> 192.168.111.234
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_sa_getbyid: linked entry in
ipsec_sa table for hash=113 of
SA:esp.a4cc5288@192.168.111.234 requested.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:
SA:esp.a4cc5288@192.168.111.234,
src=219.133.245.113 of pkt agrees with expected SA source address policy.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:
SA:esp.a4cc5288@192.168.111.234 First SA
in group.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: natt_type=2
tdbp->ips_natt_type=2 : ok
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet from
219.133.245.113 received with seq=8 (iv)=0x528c134e3bcb1e22 iplen=92
esplen=80 sa=esp.a4cc5288@192.168.111.234
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg = 3, authalg =
3.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: authentication
successful.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: encalg=3 esphlen=16
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: entering
with encalg=3, ixt_e=df0c3bc0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: calling
cbc_encrypt encalg=3 ips_key_e=d88e4000 idat=d1f03c4c ilen=64 iv=d1f03c44,
encrypt=0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_alg_esp_encrypt: returned
ret=1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: padlen=2, contents:
0x<offset>: 0x<value> 0x<value> ...
Mar 16 15:10:32 SSLVPN kernel: klips_debug:           00: 01 02
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: packet decrypted from
219.133.245.113: next_header = 4, padding = 2
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: trimming to 60.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: after
<ESP_3DES_HMAC_SHA1>,
SA:esp.a4cc5288@192.168.111.234:
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:80
id:50426 frag_off:0 ttl:62 proto:4 chk:46629 saddr:219.133.245.113
daddr:192.168.111.234
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv:
SA:esp.a4cc5288@192.168.111.234, Another
IPSEC header to process.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: ESP SA sets
skb->nfmark=0x170000.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP tunnel stripped.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:60
id:50425 frag_off:0 ttl:64 proto:1 (ICMP) chk:32875 saddr:192.168.80.1
daddr:192.168.100.10 type:code=0:0
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: IPIP SA sets
skb->nfmark=0x170000.
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: netif_rx() called.


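9. udp.c manually patched...
start line: 1097
if (ret < 0) {
        /* hand the encapsulated packet to the encap receive hook, if it is set */
        if (xfrm4_rcv_encap_func != NULL) {
                ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
                UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS, up->pcflag);
        } else {
                /* hook not set: count the datagram as an input error */
                UDP_INC_STATS_BH(UDP_MIB_INERRORS, up->pcflag);
                ret = 1;
        }
        return ret;
}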


-- 
from Romeo
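
A way to check KLIPS debug logs like the two above for the symptom described (packets sent, nothing received), as an added example that is not part of the original post: it rejoins the wrapped syslog lines and counts, per peer, outer ESP packets routed by `ipsec_findroute` against inbound `ipsec_rcv_decap_once` entries. The sample lines are constructed in the format of the logs above, and the function names are illustrative.

```python
import re
from collections import defaultdict

# A new syslog entry starts with a timestamp such as "Mar 16 12:49:32 ".
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
IP = r"(\d+\.\d+\.\d+\.\d+)"
# Route lookup for a packet; the trailing number is the IP protocol.
XMIT = re.compile(r"ipsec_findroute:\s*" + IP + r":\d+\s*->\s*" + IP + r":\d+\s+(\d+)")
# Inbound packet entering decapsulation; the number in brackets is the protocol.
RCV = re.compile(r"ipsec_rcv_decap_once: decap \((\d+)\)\s+from\s+" + IP + r"\s*->\s*" + IP)
ESP = 50

# Constructed sample in the format of the logs above (not the poster's full log).
SAMPLE_LOG = """\
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute:
192.168.100.234:0->192.168.111.1:0 1
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_findroute: 192.168.1.234:0
->192.168.1.132:0 50
Mar 16 12:49:32 SSLVPN kernel: klips_debug:ipsec_xmit_send: ...done, calling
ip_send() on device:eth1
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_findroute:
192.168.111.234:0->219.133.245.113:0 50
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv_decap_once: decap (50)
from 219.133.245.113 -> 192.168.111.234
Mar 16 15:10:32 SSLVPN kernel: klips_debug:ipsec_rcv: authentication
successful.
"""


def join_wrapped(text):
    """Rejoin log entries that the mail client wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def esp_flow_counts(text):
    """Per peer: ESP packets routed out ('out') and ESP packets decapsulated ('in')."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for entry in join_wrapped(text):
        m = XMIT.search(entry)
        if m:
            # Only the lookup for the outer (already encapsulated) packet is ESP.
            if int(m.group(3)) == ESP:
                counts[m.group(2)]["out"] += 1
            continue
        m = RCV.search(entry)
        if m and int(m.group(1)) == ESP:
            counts[m.group(2)]["in"] += 1
    return dict(counts)


def one_way_peers(text):
    """Peers that ESP was sent to but from which nothing was ever decapsulated."""
    return sorted(p for p, c in esp_flow_counts(text).items()
                  if c["out"] and not c["in"])


if __name__ == "__main__":
    for peer, c in sorted(esp_flow_counts(SAMPLE_LOG).items()):
        print(peer, c)
    print("one-way peers:", one_way_peers(SAMPLE_LOG))
```
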