Thread: [Ipsec-tools-devel] ipcomp/racoon on linux 2.6.12
From: Marco B. <pu...@ho...> - 2005-06-20 14:43:16
|
Hello everybody.

I have tried to set up a compressed tunnel between two Linux 2.6.12/racoon (ipsec-tools 0.5.2) systems. Tunnels were successfully established by racoon, but when ipcomp was involved no ping packets flowed when these packets were bigger than 300 bytes.

These were my setkey setup files:

spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
    esp/transport//require;

spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    esp/transport//require;

setkey -D output:

172.16.1.226 172.16.1.247
    ipcomp mode=tunnel spi=959814928(0x39359d10) reqid=0(0x00000000)
    C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 2400(s) soft: 1920(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=6 pid=1218 refcnt=0
172.16.1.226 172.16.1.247
    unspec mode=tunnel spi=2886730210(0xac1001e2) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=5 pid=1218 refcnt=0
172.16.1.226 172.16.1.247
    esp mode=transport spi=216750884(0x0ceb5b24) reqid=0(0x00000000)
    E: 3des-cbc 0381b871 a652e56b 9f434bc1 c5c65425 76572abf 5558d9b6
    A: hmac-md5 8bd44351 5e35c156 395e4849 ecf176bc
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 2400(s) soft: 1920(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=4 pid=1218 refcnt=0
172.16.1.247 172.16.1.226
    ipcomp mode=tunnel spi=15856(0x00003df0) reqid=0(0x00000000)
    C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 2400(s) soft: 1920(s)
    last: Jun 20 16:36:12 2005 hard: 0(s) soft: 0(s)
    current: 1050(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 3 hard: 0 soft: 0
    sadb_seq=3 pid=1218 refcnt=0
172.16.1.247 172.16.1.226
    unspec mode=tunnel spi=2886730231(0xac1001f7) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=1218 refcnt=0
172.16.1.247 172.16.1.226
    esp mode=transport spi=171982849(0x0a404001) reqid=0(0x00000000)
    E: 3des-cbc 2ae7d6b8 e677187c a975d8fd 74fe7dd3 e25b6123 89d580e1
    A: hmac-md5 7e21caf7 15b9e8af 9012a4c1 b6c72b44
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 20 16:36:11 2005 current: Jun 20 16:36:24 2005
    diff: 13(s) hard: 2400(s) soft: 1920(s)
    last: Jun 20 16:36:12 2005 hard: 0(s) soft: 0(s)
    current: 1152(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 3 hard: 0 soft: 0
    sadb_seq=1 pid=1218 refcnt=0
10.1.2.10 10.1.1.1   <<<<<<<---- ??????? I'm pinging from 10.1.2.10 to 10.1.1.1. What is this entry?
    esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=larval
    created: Jun 20 16:36:10 2005 current: Jun 20 16:36:24 2005
    diff: 14(s) hard: 30(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=1218 refcnt=0

Then I tried this (both systems have the same mirrored setkey file):

spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.247-172.16.1.226/require
    esp/transport//require;

spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/require
    esp/transport//require;

setkey -D output:

172.16.1.226 172.16.1.247
    ipcomp mode=tunnel spi=996432760(0x3b645b78) reqid=0(0x00000000)
    C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 2400(s) soft: 1920(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=5 pid=1230 refcnt=0
172.16.1.226 172.16.1.247
    unspec mode=tunnel spi=2886730210(0xac1001e2) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=4 pid=1230 refcnt=0
172.16.1.226 172.16.1.247
    esp mode=transport spi=2131302(0x00208566) reqid=0(0x00000000)
    E: 3des-cbc 233732a5 cde0ba95 5a71f9cc 943ad569 9a0ac405 caa1cf65
    A: hmac-md5 cc4f4859 93133996 a67e7f1a 32412b92
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 2400(s) soft: 1920(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=1230 refcnt=0
172.16.1.247 172.16.1.226
    ipcomp mode=tunnel spi=45414(0x0000b166) reqid=0(0x00000000)
    C: deflate seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 2400(s) soft: 1920(s)
    last: Jun 20 16:37:08 2005 hard: 0(s) soft: 0(s)
    current: 1536(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 7 hard: 0 soft: 0
    sadb_seq=2 pid=1230 refcnt=0
172.16.1.247 172.16.1.226
    unspec mode=tunnel spi=2886730231(0xac1001f7) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=1230 refcnt=0
172.16.1.247 172.16.1.226
    esp mode=transport spi=26454545(0x0193aa11) reqid=0(0x00000000)
    E: 3des-cbc bfec0989 8ba63647 fff8e265 a45648d0 bcb0fc9b e908a9df
    A: hmac-md5 5b9f6eb0 694a2970 97f93ce5 41a511fe
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun 20 16:37:07 2005 current: Jun 20 16:37:28 2005
    diff: 21(s) hard: 2400(s) soft: 1920(s)
    last: Jun 20 16:37:08 2005 hard: 0(s) soft: 0(s)
    current: 1768(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 7 hard: 0 soft: 0
    sadb_seq=0 pid=1230 refcnt=0

This setup without ipcomp is OK:

spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
    esp/transport/172.16.1.247-172.16.1.226/require;

spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
    esp/transport/172.16.1.226-172.16.1.247/require;

Enabling logging in racoon.conf doesn't show anything.

Hints? Is there anybody with a working compressed tunnel between Linux 2.6.x/racoon systems?
|
From: Marco B. <pu...@ho...> - 2005-06-21 09:08:39
|
This morning I have tried this setkey file:

spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
    esp/tunnel/172.16.1.247-172.16.1.226/require;

spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    esp/tunnel/172.16.1.226-172.16.1.247/require;

Packets smaller than 295 bytes (ping -s 287) are flowing; packets of >=296 bytes aren't flowing. Here is the tcpdump on the gateway receiving a packet of >=269 bytes:

11:20:05.618300 172.16.1.247 > 172.16.1.226: ESP(spi=0x01f4934d,seq=0x543) (DF)
11:20:05.618716 172.16.1.247 > 172.16.1.226: IPComp(cpi=0x33d3) (DF)
11:20:06.617780 172.16.1.247 > 172.16.1.226: ESP(spi=0x01f4934d,seq=0x544) (DF)
11:20:06.617780 172.16.1.247 > 172.16.1.226: IPComp(cpi=0x33d3) (DF)

They are correctly received, but it appears that they are dropped somewhere. Here is the tcpdump on the sending system:

11:01:50.932293 IP 172.16.1.247 > 172.16.1.226: ESP(spi=0x098c1a3c,seq=0x3e1)
11:01:51.932172 IP 172.16.1.247 > 172.16.1.226: ESP(spi=0x098c1a3c,seq=0x3e2)
11:01:52.931988 IP 172.16.1.247 > 172.16.1.226: ESP(spi=0x098c1a3c,seq=0x3e3)
11:01:53.931844 IP 172.16.1.247 > 172.16.1.226: ESP(spi=0x098c1a3c,seq=0x3e4)
11:01:54.931691 IP 172.16.1.247 > 172.16.1.226: ESP(spi=0x098c1a3c,seq=0x3e5)

Any feedback is welcome.

Marco Berizzi wrote:
> Hello everybody.
> I have tried to set up a compressed tunnel between
> two linux 2.6.12-racoon (ipsec-tools 0.5.2) systems.
> Tunnels were successfully established by racoon,
> but when ipcomp was involved no ping packet flow was
> happening when these packets were bigger than 300 bytes.
> (snip)
|
From: Emmanuel D. <ma...@ne...> - 2005-06-21 10:05:05
|
On Tue, Jun 21, 2005 at 11:07:56AM +0200, Marco Berizzi wrote:
> Packet smaller than 295 bytes (ping -s 287) are
> flowing, packet bigger than >=296 aren't flowing.

It's because small packets are not compressed.

--
Emmanuel Dreyfus
ma...@ne...
|
From: Marco B. <pu...@ho...> - 2005-06-21 10:50:00
|
Emmanuel Dreyfus wrote:
> On Tue, Jun 21, 2005 at 11:07:56AM +0200, Marco Berizzi wrote:
> > Packet smaller than 295 bytes (ping -s 287) are
> > flowing, packet bigger than >=296 aren't flowing.
>
> It's because small packets are not compressed.

;-) I know small packets are not compressed, but bigger packets should be! Could you explain to me why the receiving peer is dropping compressed packets? Am I doing anything wrong?
|
From: Marco B. <pu...@ho...> - 2005-06-29 08:12:23
|
Emmanuel Dreyfus wrote:
> On Tue, Jun 21, 2005 at 11:07:56AM +0200, Marco Berizzi wrote:
> > Packet smaller than 295 bytes (ping -s 287) are
> > flowing, packet bigger than >=296 aren't flowing.
>
> It's because small packets are not compressed.

Herbert Xu has found why Linux is dropping "IPcomped" packets. Here is the message:
http://lists.openswan.org/pipermail/users/2005-June/005489.html

----- Original Message -----
From: "Herbert Xu" <he...@go...>
To: "Marco Berizzi" <pu...@ho...>
Cc: <us...@op...>
Sent: Tuesday, June 28, 2005 11:27 PM
Subject: Re: [Openswan Users] 26sec using IPcomp

> On Tue, Jun 28, 2005 at 04:43:55PM +0200, Marco Berizzi wrote:
> >
> > Here is setkey -D and ip xfrm state output:
> >
> > 172.16.1.226 172.16.1.247
> > ipcomp mode=tunnel spi=1206748335(0x47ed84af) reqid=0(0x00000000)
>
> The SPI/CPI is broken. It should be 16 bits.
> --
> Visit Openswan at http://www.openswan.org/
> Email: Herbert Xu ~{PmV>HI~} <he...@go...>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
>
|
From: <ma...@ne...> - 2005-06-29 17:07:30
|
Marco Berizzi <pu...@ho...> wrote:
> Herbert Xu has found why linux is dropping "IPcomped"
> packet. Here is the message:
(snip)
> > > 172.16.1.226 172.16.1.247
> > > ipcomp mode=tunnel spi=1206748335(0x47ed84af) reqid=0(0x00000000)
> > The SPI/CPI is broken. It should be 16 bits.

Can you tell more? I don't know anything about this 16-bit SPI, but I have the same problem and I'm willing to fix it.

--
Emmanuel Dreyfus
A book in French on BSD: http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
|
From: Herbert Xu <he...@go...> - 2005-06-29 21:33:28
|
On Wed, Jun 29, 2005 at 07:06:57PM +0200, Emmanuel Dreyfus wrote:
>
> > > > 172.16.1.226 172.16.1.247
> > > > ipcomp mode=tunnel spi=1206748335(0x47ed84af) reqid=0(0x00000000)
> > > The SPI/CPI is broken. It should be 16 bits.
>
> Can you tell more? I don't know anything about this 16 bit SPI, but I
> have the same problem and I'm willing to fix it.

The SPI for IPComp SAs (otherwise known as the CPI) is a 16-bit value. If a value larger than 0xffff is supplied, then you will only be able to send packets, since the CPI is clipped back to 16 bits automatically, but you won't receive anything, as the incoming 16-bit CPI can't match the larger value stored in the SA database.

In this particular case I presume ipsec-tools is allocating the CPI through the ALLOC_SPI message and it isn't setting the maximum SPI value correctly.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <he...@go...>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
|
From: <ma...@ne...> - 2005-06-29 22:06:13
|
Herbert Xu <he...@go...> wrote:
> In this particular case I presume ipsec-tools is allocating the CPI
> through the ALLOC_SPI message and it isn't setting the maximum SPI
> value correctly.

There is a case for it in src/racoon/pfkey.c:

        else if (satype == SADB_X_SATYPE_IPCOMP) {
                minspi = ntohl (0x100);
                maxspi = ntohl (0xffff);
        }

So this is supposed to be handled, but there must be a stupid bug somewhere.

--
Emmanuel Dreyfus
Subliminal advertising: buy this book!
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
|
From: Herbert Xu <he...@go...> - 2005-06-29 22:11:29
|
On Thu, Jun 30, 2005 at 12:06:03AM +0200, Emmanuel Dreyfus wrote:
>
> There is a case for it in src/racoon/pfkey.c:
> else if (satype == SADB_X_SATYPE_IPCOMP) {
> minspi = ntohl (0x100);
> maxspi = ntohl (0xffff);
> }
>
> So this is supposed to be handled but there must be a stupid bug
> somewhere.

Is it actually passing those values in an SADB_EXT_SPIRANGE attachment to the kernel?
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <he...@go...>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
|
From: Herbert Xu <he...@go...> - 2005-06-29 22:11:22
|
On Thu, Jun 30, 2005 at 08:08:00AM +1000, herbert wrote:
> On Thu, Jun 30, 2005 at 12:06:03AM +0200, Emmanuel Dreyfus wrote:
> >
> > There is a case for it in src/racoon/pfkey.c:
> > else if (satype == SADB_X_SATYPE_IPCOMP) {
> > minspi = ntohl (0x100);
> > maxspi = ntohl (0xffff);
> > }
> >
> > So this is supposed to be handled but there must be a stupid bug
> > somewhere.
>
> Is it actually passing those values in an SADB_EXT_SPIRANGE attachment
> to the kernel?

Actually, the problem is that those fields should be in host order. Only the sadb_sa_spi is in network order.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <he...@go...>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
|
From: <ma...@ne...> - 2005-06-30 05:27:44
|
Herbert Xu <he...@go...> wrote:
> Actually, the problem is that those fields should be in host-order.
> Only the sadb_sa_spi is in network order.

If you remove the ntohl, does that fix the problem?

--
Emmanuel Dreyfus
A book in French on BSD: http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
|
From: Herbert Xu <he...@go...> - 2005-06-30 05:39:10
|
On Thu, Jun 30, 2005 at 07:27:41AM +0200, Emmanuel Dreyfus wrote:
> Herbert Xu <he...@go...> wrote:
>
> > Actually, the problem is that those fields should be in host-order.
> > Only the sadb_sa_spi is in network order.
>
> If you remove the ntohl, that fixes the problem?

Yep. The comment is right, though, that the kernel should provide default values that actually work for IPComp. I'll get that fixed up. But you need to keep the work-around for the existing kernels.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <he...@go...>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
|
From: <ma...@ne...> - 2005-06-30 19:07:30
|
Herbert Xu <he...@go...> wrote:
> The comment is right though that the kernel should provide default
> values that actually work for IPComp. I'll get that fixed up.
> But you need to keep the work-around for the existing kernels.

Not sure: IPcomp is broken on NetBSD, and I would bet it is broken on FreeBSD as well. So there is no backward compatibility to ensure.

--
Emmanuel Dreyfus
A book in French on BSD: http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
|
From: Aidas K. <a.k...@gm...> - 2005-07-01 03:23:23
|
Herbert meant: if ipsec-tools is fixed, then even with old, unfixed kernels IPsec will/may work. And this is definitely the thing to do.

Emmanuel Dreyfus wrote:
> Herbert Xu <he...@go...> wrote:
>
>> The comment is right though that the kernel should provide default
>> values that actually work for IPComp. I'll get that fixed up.
>> But you need to keep the work-around for the existing kernels.
>
> Not sure: IPcomp is broken on NetBSD, and I would bet it is broken on
> FreeBSD as well. So there is no backward compatibility to ensure.
>

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
|
From: <ma...@ne...> - 2005-07-01 06:32:08
|
Aidas Kasparas <a.k...@gm...> wrote:
> Herbert meant: If ipsec-tools will be fixed, then even with old, not
> fixed kernels ipsec will/may work. And this is definitely thing to do.

Right, let's do that, then. I'll give it a try later today. We are still talking about removing ntohs here, right?

src/racoon/pfkey.c:
        else if (satype == SADB_X_SATYPE_IPCOMP) {
                minspi = ntohl (0x100);
                maxspi = ntohl (0xffff);
        }

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
|
From: Herbert Xu <he...@go...> - 2005-07-01 06:49:19
|
On Fri, Jul 01, 2005 at 08:32:02AM +0200, Emmanuel Dreyfus wrote:
>
> Right, let's do that, then. I'll give it a try later today.
> We still take about removing ntohs here, right?
>
> src/racoon/pfkey.c:
> else if (satype == SADB_X_SATYPE_IPCOMP) {
> minspi = ntohl (0x100);
> maxspi = ntohl (0xffff);
> }

Yes.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <he...@go...>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
|
From: Emmanuel D. <ma...@ne...> - 2005-07-01 14:51:00
|
On Fri, Jul 01, 2005 at 04:42:16PM +1000, Herbert Xu wrote:
> > src/racoon/pfkey.c:
> > else if (satype == SADB_X_SATYPE_IPCOMP) {
> > minspi = ntohl (0x100);
> > maxspi = ntohl (0xffff);
> > }

With the ntohl removed, the IPcomp SPIs are 16 bits long according to setkey -D, but the whole thing is still broken at mine. It loops saying this:

2005-07-01 16:36:59: INFO: respond new phase 2 negotiation: 192.0.2.26[500]<=>192.0.2.228[500]
2005-07-01 16:36:59: ERROR: IPComp SPI size promoted from 16bit to 32bit
2005-07-01 16:36:59: INFO: respond new phase 2 negotiation: 192.0.2.26[500]<=>192.0.2.228[500]
2005-07-01 16:36:59: ERROR: IPComp SPI size promoted from 16bit to 32bit
2005-07-01 16:36:59: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.228[500]->192.0.2.26[500] spi=75292250(0x47cde5a)
2005-07-01 16:36:59: INFO: IPsec-SA established: IPCOMP/Tunnel 192.0.2.228[500]->192.0.2.26[500] spi=47601(0xb9f1)
2005-07-01 16:36:59: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.26[500]->192.0.2.228[500] spi=245925973(0xea88855)
2005-07-01 16:36:59: INFO: IPsec-SA established: IPCOMP/Tunnel 192.0.2.26[500]->192.0.2.228[500] spi=33175(0x8197)
2005-07-01 16:36:59: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.228[500]->192.0.2.26[500] spi=100471249(0x5fd11d1)
2005-07-01 16:36:59: INFO: IPsec-SA established: IPCOMP/Tunnel 192.0.2.228[500]->192.0.2.26[500] spi=26800(0x68b0)
2005-07-01 16:36:59: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.26[500]->192.0.2.228[500] spi=145715754(0x8af722a)
2005-07-01 16:36:59: INFO: IPsec-SA established: IPCOMP/Tunnel 192.0.2.26[500]->192.0.2.228[500] spi=10115(0x2783)

--
Emmanuel Dreyfus
ma...@ne...
|
From: Emmanuel D. <ma...@ne...> - 2005-07-01 17:04:02
|
On Fri, Jul 01, 2005 at 02:50:54PM +0000, Emmanuel Dreyfus wrote:
> 2005-07-01 16:36:59: INFO: respond new phase 2 negotiation: 192.0.2.26[500]<=>192.0.2.228[500]
> 2005-07-01 16:36:59: ERROR: IPComp SPI size promoted from 16bit to 32bit

I made this change and this error disappeared. I don't know if it's okay, though. Moreover, that does not prevent racoon from looping around IPsec-SA establishment.

Index: proposal.c
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/src/racoon/proposal.c,v
retrieving revision 1.15
diff -r1.15 proposal.c
1028c1028,1031
< newpr->spisize = 4;
---
> if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)
> newpr->spisize = 2;
> else
> newpr->spisize = 4;

--
Emmanuel Dreyfus
ma...@ne...
|
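Review bot: the hunk at proposal.c line 1028 has no context lines, so it cannot be seen whether newpr->proto_id has already been assigned when the new `if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)` test runs; if proto_id is filled in later in the same function, the branch always falls through to `newpr->spisize = 4` and the "IPComp SPI size promoted from 16bit to 32bit" error would have gone away for some other reason. Check the assignment order before committing. The value itself is right: RFC 3173 defines the IPComp CPI as a 16-bit field, which is the same fact behind the ntohl fix in pfkey.c, and a one-line comment saying so would make the special case self-explanatory. Since the log shows SAs in both directions being established over and over even with this change, the renegotiation loop should be treated as a separate issue rather than as evidence for or against this hunk.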
From: <ma...@ne...> - 2005-06-30 05:27:43
|
Herbert Xu <he...@go...> wrote:
> Is it actually passing those values in an SADB_EXT_SPIRANGE attachment
> to the kernel?

That goes there:

        if (pfkey_send_getspi(
                        lcconf->sock_pfkey,
                        satype,
                        mode,
                        dst,                    /* src of SA */
                        src,                    /* dst of SA */
                        minspi, maxspi,
                        pr->reqid_in, iph2->seq) < 0) {

Then in pfkey_send_getspi (src/libipsec/pfkey.c):

        if (need_spirange) {
                struct sadb_spirange spirange;

                if (p + sizeof(spirange) > ep) {
                        free(newmsg);
                        return -1;
                }
                memset(&spirange, 0, sizeof(spirange));
                spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(spirange));
                spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
                spirange.sadb_spirange_min = min;
                spirange.sadb_spirange_max = max;

Could someone who already has a testing setup add a few printf here to check that need_spirange is set, and that p + sizeof(spirange) <= ep?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
|
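The two points the thread turns on, Herbert's explanation that an IPComp SPI above 0xffff can be sent but never matched on receive, and his later remark that the sadb_spirange fields are host-order while only sadb_sa_spi is network-order, can be checked in a few lines. The following is an added example, not ipsec-tools or kernel code. struct spirange is a local stand-in for struct sadb_spirange whose field layout is assumed from RFC 2367 so that the file builds without the PF_KEY headers; the exttype constant is deliberately not reproduced. The two SPI values are the ones quoted in the thread (0x47ed84af from Herbert's reply, 0x3df0 from the first setkey -D dump).

```c
/* Added example (not ipsec-tools code): why an IPComp CPI must fit in 16 bits
 * and what ntohl() does to the SPI range on a little-endian host. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for struct sadb_spirange; layout assumed from RFC 2367. */
struct spirange {
    uint16_t len;
    uint16_t exttype;
    uint32_t min;      /* host byte order, unlike sadb_sa_spi */
    uint32_t max;
    uint32_t reserved;
};

/* Sender side: only the low 16 bits of the stored SPI fit into the IPComp
 * header, so an oversized value is silently clipped on the wire. */
uint16_t cpi_on_wire(uint32_t stored_spi)
{
    return (uint16_t)(stored_spi & 0xffffu);
}

/* Receiver side: the 16-bit CPI from the wire is compared with the full
 * 32-bit value recorded in the SAD; anything above 0xffff can never match. */
int sad_lookup_matches(uint32_t stored_spi, uint16_t wire_cpi)
{
    return stored_spi == (uint32_t)wire_cpi;
}

/* Build the range the way the racoon code quoted in the thread did
 * (use_ntohl = 1) or with the ntohl() calls removed (use_ntohl = 0). */
void fill_spirange(struct spirange *r, int use_ntohl)
{
    r->len = (uint16_t)(sizeof(*r) / 8);   /* same idea as PFKEY_UNIT64 */
    r->exttype = 0;                        /* SADB_EXT_SPIRANGE not assumed */
    r->min = use_ntohl ? ntohl(0x100u) : 0x100u;
    r->max = use_ntohl ? ntohl(0xffffu) : 0xffffu;
    r->reserved = 0;
}

/* A range is usable for IPComp only if every SPI the kernel may draw from
 * it fits in 16 bits. */
int spirange_fits_cpi(const struct spirange *r)
{
    return r->min >= 1 && r->min <= r->max && r->max <= 0xffffu;
}

int buggy_range_fits_cpi(void)
{
    struct spirange r;
    fill_spirange(&r, 1);
    return spirange_fits_cpi(&r);
}

int fixed_range_fits_cpi(void)
{
    struct spirange r;
    fill_spirange(&r, 0);
    return spirange_fits_cpi(&r);
}

int main(void)
{
    const uint32_t bad_spi = 0x47ed84afu;   /* spi=1206748335 from the thread */
    const uint32_t good_spi = 0x00003df0u;  /* spi=15856 from the first dump */
    struct spirange r;

    printf("stored %#010x -> wire %#06x, inbound match: %d\n", bad_spi,
           (unsigned)cpi_on_wire(bad_spi),
           sad_lookup_matches(bad_spi, cpi_on_wire(bad_spi)));
    printf("stored %#010x -> wire %#06x, inbound match: %d\n", good_spi,
           (unsigned)cpi_on_wire(good_spi),
           sad_lookup_matches(good_spi, cpi_on_wire(good_spi)));

    fill_spirange(&r, 1);
    printf("with ntohl(): min=%#010x max=%#010x fits 16-bit CPI: %d\n",
           r.min, r.max, spirange_fits_cpi(&r));
    fill_spirange(&r, 0);
    printf("host order:   min=%#010x max=%#010x fits 16-bit CPI: %d\n",
           r.min, r.max, spirange_fits_cpi(&r));
    return 0;
}
```

On a little-endian host ntohl(0xffff) becomes 0xffff0000 and ntohl(0x100) becomes 0x00010000, so the kernel is asked for a CPI anywhere in that range; the 172.16.1.226 to 172.16.1.247 ipcomp entries in the first message (0x39359d10, 0x3b645b78) are exactly the kind of value that produces, and the receiver-side comparison shows why such an SA only ever counts outbound bytes. On a big-endian host the ntohl() calls are no-ops, which is why the bug stays hidden there.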