[Openswan Users] L2TP/IPSEC response unencrypted(wasopenswan-2.6.24rc1 NATed MacOS Kernel crash)

Giovani Moda giovani at mrinformatica.com.br
Tue Oct 27 00:12:42 EDT 2009 

> So my current concern with the last patch is that is may break netkey.

In fact it did. By setting protostak=netkey, I was unable to connect using NAT-T and openswan-2.6.24rc1 + your latest patch:

01:27:20.985552 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:27:20.989607 IP 10.1.1.9.4500 > 10.1.1.10.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:27:20.993305 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:27:21.028567 IP 10.1.1.9.4500 > 10.1.1.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:27:21.051405 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:27:21.053492 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x1), length 156
01:27:22.050637 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x2), length 156
01:27:23.079834 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
01:27:23.080538 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB
01:27:23.080806 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:23.080827 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48
01:27:24.049890 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x3), length 156
01:27:24.051864 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB
01:27:24.052402 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48
01:27:24.081143 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
01:27:24.081888 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:25.081161 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
01:27:25.082610 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:25.191517 IP 10.1.1.10.4500 > 10.1.1.9.4500: isakmp-nat-keep-alive
01:27:26.081784 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
01:27:26.082560 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:27.085507 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
01:27:27.086378 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:28.056206 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x4), length 156
01:27:28.058190 IP 10.1.1.9.1701 > 10.1.1.10.1701:  l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB
01:27:28.058767 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48

So I unapplied the patch (only the last one), recompiled, and I was able to connect using netkey again. This was tested on Ubuntu 8.04.


> I would also like to see multiple OSX behind a single NAT working,  but
> thats another discussion ;-)

Now, that's just not for me. No OSX over here. Anyone with the time and resources to do it?

> Hmm, do you get an oops ?  If so it can't hurt to post them,  might help
> figure it out.  Which kernel version is CentOS ?

Every time. I'm attaching a few of them. I've only teste on on kernels 2.6.18.7.1-128.centos.plus and 2.6.18-164.el5, and both of them crashed. I recompiled 2.6.18.7.1-128.centos.plus with old-style NAT-T, since the new style won't work with kernels below 2.6.23, and on the few times I could get the ipsec module running without oopsing, openswan-2.6.24rc1 + your patches got KLIPS and NAT-T working on CentOS. I had previously tested with openswan-2.6.24rc1, netkey and NAT-T and it did work (thanks Paul), but as soon as I loaded ipsec.ko, the oopses where all over the place. They happened while connecting a XP client using NAT-T and also while injecting/removing ipsec module. With your patch, it's now down to the problem while injecting/removing the ipsec module. At least, no more oopses with NAT-T and KLIPS! :-) 

Oh, and your patch broke netkey on CentOS too, so it's safe to assume that it needs to be called specifically when using KLIPS.

> I tend to run Linus kernels, beats me what could cause problems with Ubuntu
> and NAT-T, but again,  and oops may help,

I'm attaching it also. You latest patch did not help with this particular Oops. The only way to get this information I'm attaching was to use kdump. Netconsole was unable to send the Oops to the remote machine.

Hope this helps,

Giovani
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0001.html 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-insert-crash.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0007.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-insert-crash2.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0008.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-insert-crash3.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0009.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-insert-crash4.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0010.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-reinsert-crash.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0011.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: centos-ipsec-module-reinsert-crash2.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0012.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ubuntu9-ipsec-natt-crash.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20091027/8943888f/attachment-0013.txt

More information about the Users mailing list