I am trying to set up a v-lan to connect my home office with my company. Both
locations are connected to the network via DSL and do not have static IP
addresses. Both sides use dynamic DNS providers. Both sides also use
firewalls based on iptables.

Everything seems to work fine until I try to send a packet from my home
office to the company (the other direction works). I have activated
klips_debug (you can see the results below) and found out that the outgoing
packet is processed by ipsec and I can see it leave my system (castor). But
all I can see on the other side (sevenof9) is that klips complains that it
receives a non IP packet. The number of non IP packets corresponds to the
number of packets I send.

My first thought was that my firewall spoils the packet by masquerading it
- but I have already adapted my firewall to leave these packets alone.

Does anyone know this problem? Are there other possible explanations?
Does PPPoE touch my packets?

Thanks in advance

Thomas

Mar 25 22:55:19 sevenof9 kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=ppp0 dev=ppp0
Mar 25 22:55:19 sevenof9 kernel: klips_debug:ipsec_rcv: Why the hell is
someone passing me a non-ipsec packet? -- dropped.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_neigh_setup:
Mar 25 22:54:01 castor kernel: leaving to pluto..IN=eth0 OUT=ipsec0
SRC=192.168.253.9 DST=192.168.150.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=6213 PROTO=ICMP TYPE=8 CODE=0 ID=5
Mar 25 22:54:01 castor kernel: leaving via ipsec0..IN= OUT=ipsec0
SRC=192.168.253.9 DST=192.168.150.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=6213 PROTO=ICMP TYPE=8 CODE=0 ID=512
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: >>>
skb->len=60 hard_header_len:0
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:60 id:6213 frag_off:0 ttl:127 proto:1 chk:3872 saddr:192.168.253.9
daddr:192.168.150.1
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_findroute:
192.168.253.9->192.168.150.1
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: ** try to match a
leaf, t=0xc3b69ec0
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_findroute: found, points
to proto=4, spi=1002, dst=d5bf51a7.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
Original head,tailroom: 32,4
Mar 25 22:54:01 castor kernel: klips_debug:gettdb: linked entry in tdb
table for hash=211 of SA:tun0x1002_at_213.191.81.167 requested.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: found
Tunnel Descriptor Block -- SA:<IPIP> tun0x1002_at_213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: calling
room for <IPIP>, SA:tun0x1002_at_213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
Required head,tailroom: 20,0
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: calling
room for <ESP_3DES_HMAC_MD5>, SA:esp0x96d038ac_at_213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
Required head,tailroom: 16,16
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
existing head,tailroom: 32,4 before applying xforms with head,tailroom: 36,16 .
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
mtu:1492 physmtu:1492 tothr:36 tottr:16 mtudiff:52 ippkttotlen:60
Mar 25 22:54:01 castor kernel: klips_info:ipsec_tunnel_start_xmit: dev
ipsec0 mtu of 1492 decreased by 57 to 1435
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: hard
header already stripped.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 36,32 after allocation
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: calling
output for <IPIP>, SA:tun0x1002_at_213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: pushing
20 bytes, putting 0, proto 4.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 16,32 before xform.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: after
<IPIP>, SA:tun0x1002_at_213.191.81.167:
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:80 id:41514 frag_off:0 ttl:64 proto:4 chk:47733 saddr:213.23.33.140
daddr:213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: calling
output for <ESP_3DES_HMAC_MD5>, SA:esp0x96d038ac_at_213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: pushing
16 bytes, putting 16, proto 50.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 0,16 before xform.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: after
<ESP_3DES_HMAC_MD5>, SA:esp0x96d038ac_at_213.191.81.167:
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:112 id:41514 frag_off:0 ttl:64 proto:50 chk:47655 saddr:213.23.33.140
daddr:213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_findroute:
213.23.33.140->213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: ** try to match a
leaf, t=0xc3b69ec0
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: *** start searching up
the tree, t=0xc3b69ec0
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: **** t=0xc3b69ed8
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: **** t=0xc31a9360
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: ***** cp2=0xc69dfab8
cp3=0xc69df2d0
Mar 25 22:54:01 castor kernel: klips_debug:rj_match: ***** not found.
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: After
recursive xforms -- head,tailroom: 0,16
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit: With
hard_header, final head,tailroom: 0,16
Mar 25 22:54:01 castor kernel: klips_debug:ipsec_tunnel_start_xmit:
...done, calling ip_send() on device:ppp0
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:112 id:41514 frag_off:0 ttl:64 proto:50 chk:47655 saddr:213.23.33.140
daddr:213.191.81.167
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
time flies like an arrow - fruit flies like a banana
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
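
An added example, not part of the original post or of FreeS/WAN: a small parser that re-joins the wrapped klips_debug lines and lists each IP header dump, so the encapsulation steps logged on the sender can be set beside the drops logged on the receiver. The sample input is an excerpt of the log lines quoted in the post; the function names are hypothetical.

```python
import re

# Excerpt of the klips_debug output quoted in the post, wrapped as archived.
SAMPLE = """\
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:60 id:6213 frag_off:0 ttl:127 proto:1 chk:3872 saddr:192.168.253.9
daddr:192.168.150.1
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:80 id:41514 frag_off:0 ttl:64 proto:4 chk:47733 saddr:213.23.33.140
daddr:213.191.81.167
Mar 25 22:54:01 castor kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:112 id:41514 frag_off:0 ttl:64 proto:50 chk:47655 saddr:213.23.33.140
daddr:213.191.81.167
Mar 25 22:55:19 sevenof9 kernel: klips_debug:ipsec_rcv: Why the hell is
someone passing me a non-ipsec packet? -- dropped.
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) kernel: (.*)$")
FIELD = re.compile(r"(\w+):(\S+)")
PROTO = {1: "ICMP", 4: "IPIP", 50: "ESP"}  # IP protocol numbers seen in the log

def unwrap(text):
    """Re-join mail-wrapped continuation lines; return (host, message) pairs."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return [tuple(r) for r in records]

def analyse(text):
    """Return (IP header dumps in log order, non-ipsec drop count per host)."""
    stages, drops = [], {}
    for host, msg in unwrap(text):
        if re.match(r"klips_debug:\s*IP:", msg):
            f = dict(FIELD.findall(msg.split("IP:", 1)[1]))
            proto = int(f["proto"])
            stages.append((host, PROTO.get(proto, str(proto)),
                           int(f["tlen"]), f["saddr"], f["daddr"]))
        elif "non-ipsec packet" in msg:
            drops[host] = drops.get(host, 0) + 1
    return stages, drops

def overhead(stages):
    """Bytes added to the packet between consecutive header dumps."""
    return [b[2] - a[2] for a, b in zip(stages, stages[1:])]
```

On the excerpt, the length differences between dumps match the "pushing 20 bytes" IPIP step and the 16-byte head plus 16-byte tail ESP step in the sender's log.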