From: SourceForge.net <no...@so...> - 2005-07-19 16:26:19
Bugs item #1227395, was opened at 2005-06-25 15:45
Message generated for change (Comment added) made by the
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541482&aid=1227395&group_id=74601

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
>Resolution: Works For Me
Priority: 5
Submitted By: Thomas Eschenbacher (the)
Assigned to: Nobody/Anonymous (nobody)
Summary: tunnel mode broken in v0.5 and above ?

Initial Comment:
Hello,

I have had serious problems in setting up a connection between a Linux client behind a NAT router (roadwarrior) and a Linux server with a static IP.

Both use: kernel 2.6.11-gentoo-r11 + ipsec-tools-0.5

Now I stripped down the problem to a simple scenario, using two Linux hosts within the same class C network. Both are configured to use tunnel mode.

On the client side (192.168.2.99) I have the following ipsec.conf:
-----------------------------------------
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.99/32[any] 192.168.2.131/32[any] any -P out ipsec esp/tunnel/192.168.2.99-192.168.2.131/unique ;
spdadd 192.168.2.131/32[any] 192.168.2.99/32[any] any -P in ipsec esp/tunnel/192.168.2.131-192.168.2.99/unique ;
-----------------------------------------

On the server side (192.168.2.131) I use the "generate_policy" feature, which seems to work fine.

But when the connection establishes, the client side comes up in "ESP/Transport" mode !!! Isn't this nonsense??? Of course nothing works then.

Next step: downgrade to ipsec-tools-0.4, no config changes => things start to work, on both sides tunnel mode !

Experiment: Upgrade to ipsec-tools-0.6b3 or 0.5.1 or 0.5.2 => fails, the same as in v0.5.

Can someone please help me with this ? I would like to use the combination kernel 2.6.11 + a current version of ipsec-tools + tunnel mode (+ roadwarrior + NAT).

(for logs / configs see also http://www.spenneberg.com/4416.html)

----------------------------------------------------------------------

>Comment By: Thomas Eschenbacher (the)
Date: 2005-07-19 18:26

Message:
Logged In: YES
user_id=37622

Aidas, that's it !!!

After several months of frustration I got a working tunnel mode connection :-)

I only had to change the configure parameter to "--disable-samode-unspec" and everything started to work as expected.

I will file a bug report for Gentoo's ipsec-tools package soon...

thank you very very much,
Thomas

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-07-18 07:49

Message:
Logged In: YES
user_id=39627

Yes, I had --enable-samode-unspec in my mind. You have to remove this -- under linux "any" samode is not supported by kernel and this setting causes you problems.

There were problems with dpd, but those can be dealt with by switching DPD off in config file. Rest is sensible (if you do not experiment with IPv6; if you do, then should remove --disable-ipv6 too).

----------------------------------------------------------------------

Comment By: Thomas Eschenbacher (the)
Date: 2005-07-18 07:27

Message:
Logged In: YES
user_id=37622

Hello Aidas,

Gentoo uses the following configure options:
---------------------------
./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --build=i686-pc-linux-gnu --enable-hybrid --enable-dpd --enable-natt --enable-adminport --enable-samode-unspec --enable-frag --disable-ipv6
---------------------------

do you mean the "--enable-samode-unspec" switch ?

Can you propose a better config line, that should work for my purpose ?
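Added here as a checking aid (it is not part of the bug report, of the attached patch, or of ipsec-tools itself): a Python script that parses the spdadd statements of the client's setkey configuration, verifies that the in/out policies are tunnel mode and mirror each other, and then compares the mode racoon reports in its "IPsec-SA established" syslog lines against what the policy asks for. With the thread's configuration and log lines the policy check passes while the log comparison flags both SAs as transport mode, which is exactly the mismatch the reporter describes. The configuration and log samples are constructed from the text of this thread; the regular expressions assume the setkey and racoon output formats shown here and will not cover every setkey policy syntax.

```python
import re

# Constructed sample: the client-side (192.168.2.99) setkey policy from the bug report.
SETKEY_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.99/32[any] 192.168.2.131/32[any] any -P out ipsec esp/tunnel/192.168.2.99-192.168.2.131/unique ;
spdadd 192.168.2.131/32[any] 192.168.2.99/32[any] any -P in ipsec esp/tunnel/192.168.2.131-192.168.2.99/unique ;
"""

# Constructed sample racoon syslog lines, in the shape quoted later in the thread.
RACOON_LOG = """\
Jul 16 12:48:20 bart racoon: INFO: initiate new phase 2 negotiation: 192.168.2.99[4500]<=>192.168.2.131[4500]
Jul 16 12:48:20 bart racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.131[4500]->192.168.2.99[4500] spi=6015067(0x5bc85b)
Jul 16 12:48:20 bart racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.99[4500]->192.168.2.131[4500] spi=92821795(0x5885923)
"""

# One spdadd statement: src dst upper-proto -P dir ipsec proto/mode/endpoints/level ;
# For transport mode the endpoints field is empty (e.g. esp/transport//require).
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/(?P<endpoints>[^/\s]*)/(?P<level>\w+)\s*;"
)

# A racoon "IPsec-SA established" line: proto/mode src[port]->dst[port]
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>ESP|AH)/(?P<mode>[\w-]+) "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\]"
)


def parse_policies(conf_text):
    """Return one dict per spdadd statement; '#' comments are stripped first."""
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    policies = []
    for m in SPDADD_RE.finditer(text):
        p = m.groupdict()
        eps = p.pop("endpoints")
        parts = eps.split("-", 1) if eps else []
        p["tunnel_src"], p["tunnel_dst"] = parts if len(parts) == 2 else (None, None)
        policies.append(p)
    if text.count("spdadd") != len(policies):
        raise ValueError("some spdadd statements did not parse; check their syntax")
    return policies


def check_policies(policies):
    """Return a list of problems; an empty list means the SPD matches the tunnel-mode intent."""
    problems = []
    for p in policies:
        if p["mode"] != "tunnel":
            problems.append(f"{p['dir']} policy {p['src']} -> {p['dst']}: mode {p['mode']}, expected tunnel")
        elif not p["tunnel_src"]:
            problems.append(f"{p['dir']} policy {p['src']} -> {p['dst']}: tunnel mode without endpoints")
    # Every out policy needs an in policy with selectors and tunnel endpoints swapped.
    ins = {(p["src"], p["dst"]): p for p in policies if p["dir"] == "in"}
    for p in (p for p in policies if p["dir"] == "out"):
        q = ins.get((p["dst"], p["src"]))
        if q is None:
            problems.append(f"out policy {p['src']} -> {p['dst']} has no mirrored in policy")
        elif (q["tunnel_src"], q["tunnel_dst"]) != (p["tunnel_dst"], p["tunnel_src"]):
            problems.append(f"out policy {p['src']} -> {p['dst']}: in policy tunnel endpoints are not mirrored")
    return problems


def negotiated_modes(log_text):
    """Map (src, dst) of each established SA to its mode, lower-cased ('transport', 'tunnel', 'udp-tunnel')."""
    return {(m["src"], m["dst"]): m["mode"].lower() for m in SA_RE.finditer(log_text)}


def compare_with_log(policies, log_text):
    """Flag SAs that racoon set up in a mode other than the one the SPD asks for.

    The SA line names the peer addresses, so it is matched to the policy whose
    tunnel endpoints are those addresses. NAT-T reports 'UDP-Tunnel', which
    still counts as tunnel mode.
    """
    modes = negotiated_modes(log_text)
    problems = []
    for p in policies:
        if not p["tunnel_src"]:
            continue
        got = modes.get((p["tunnel_src"], p["tunnel_dst"]))
        if got is not None and got.replace("udp-", "") != p["mode"]:
            problems.append(f"SA {p['tunnel_src']} -> {p['tunnel_dst']} negotiated as {got}, policy says {p['mode']}")
    return problems


if __name__ == "__main__":
    pols = parse_policies(SETKEY_CONF)
    for line in check_policies(pols) + compare_with_log(pols, RACOON_LOG):
        print("PROBLEM:", line)
```

Run against a real host, feed `parse_policies` the contents of the setkey script and `compare_with_log` the racoon lines from syslog; a clean policy check followed by log mismatches points at the daemon's negotiation (here the build's samode setting) rather than at the SPD.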
----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-07-17 23:44

Message:
Logged In: YES
user_id=39627

Thomas, have you used --enable-mode-unspecified during configure? If yes, please reconfigure without this option enabled and retry.

----------------------------------------------------------------------

Comment By: Thomas Eschenbacher (the)
Date: 2005-07-17 16:10

Message:
Logged In: YES
user_id=37622

Now I simplified the test scenario a bit. I try to establish a tunnel between two hosts in the same local net (laptop, 192.168.2.99 <-> pc, 192.168.2.131). Both using ipsec-tools 0.6 with your patch, running under gentoo linux with kernel 2.6.12.

The config files and logfiles are attached.

BTW: I have another connection, with kernel 2.6.10+strongswan-2.3.0 on the server side, which I upgraded to ipsec-tools 0.6 on the client side. Even this stopped working and tried to establish transport mode!? Downgrading to v0.5 again helped.

IMO tunnel mode in v0.6 is totally borked...

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-07-16 14:24

Message:
Logged In: YES
user_id=39627

Thomas, I'm afraid, you should run racoon in debug mode (single -d option) and attach (not paste) file with results to this bug.

----------------------------------------------------------------------

Comment By: Thomas Eschenbacher (the)
Date: 2005-07-16 12:55

Message:
Logged In: YES
user_id=37622

I cannot find anything like "complex_bundle" in any of my config files.

I tried your patch, applied to v0.6b3, but it didn't change anything.

Here the syslog output on the client:
-----------------------------------------------------
Jul 16 12:48:20 bart racoon: INFO: initiate new phase 2 negotiation: 192.168.2.99[4500]<=>192.168.2.131[4500]
Jul 16 12:48:20 bart racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jul 16 12:48:20 bart racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jul 16 12:48:20 bart racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jul 16 12:48:20 bart racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.131[4500]->192.168.2.99[4500] spi=6015067(0x5bc85b)
Jul 16 12:48:20 bart racoon: INFO: IPsec-SA established: ESP/Transport 192.168.2.99[4500]->192.168.2.131[4500] spi=92821795(0x5885923)
-----------------------------------------------------

----------------------------------------------------------------------

Comment By: Aidas Kasparas (monas)
Date: 2005-07-16 11:21

Message:
Logged In: YES
user_id=39627

Thomas, it really sounds crazy. Any chance you have "complex_bundle on" in your config? If so, then could you please check the following patch (has to be applied in src/racoon directory). While working on an unrelated matter I found some code which looks like a copy-paste bug. And you may have suffered from it.

----------------------------------------------------------------------