How large is your UDP datagram containing the certificate?
Larger than 1500 bytes so that you experience IP fragmenting?
The only difference between working with raw RSA keys and
X.509 certificates is to my knowledge the fact that the
certificate is transmitted during IKE Main Mode, resulting
in large packets.
Can you send me a complete tcpdump of the IKE negotiation
with X.509 certificates?
Regards
Andreas
Andrea Dell'Amico wrote:
> Hello all,
>
> I'm using freeswan 1.97 with the X.509 0.9.12 and a 2.2.19 kernel. All
> is well when I don't filter any traffic. But if I use ipchains to only
> enable the udp port 500 (and dns queries, of course), the connection
> between two Linux hosts, or an SSH Sentinel and one Linux host, cannot be
> established.
>
> The ipchains log is very strange: it seems that some packets are going
> from the client to the server and vice versa on udp port 65535, but if I
> capture them with tcpdump they look like standard IKE packets from/to
> port 500/udp:
>
> Jul 2 12:51:58 gollum kernel: Packet log: input - eth0 PROTO=17 192.168.1.2:65535 192.168.1.1:65535 L=96 S=0x00 I=49048 F=0x00B9 T=64 (#157)
> Jul 2 12:52:18 gollum kernel: Packet log: input - eth0 PROTO=17 192.168.1.2:65535 192.168.1.1:65535 L=96 S=0x00 I=49053 F=0x00B9 T=64 (#157)
>
> If I open all the udp traffic from/to 192.168.1.1 and 192.168.1.2 the
> connection is immediately established.
> Last, I'm seeing the problem only with X.509 certificates. When I use
> freeswan with the X.509 patches but with RSA keys and without
> certificates, all goes well with filters enabled.
>
> Any clues?
>
> TYA,
> andrea
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
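The F= field in the quoted ipchains lines is the raw IP fragment-offset word (the DF/MF flags plus a 13-bit offset in 8-byte units), so Andreas's fragmentation hypothesis can be checked from the log alone. The decoder below is an added example for this archived thread; it is not code from freeswan, ipchains or either poster. It assumes a 20-byte IP header with no options (ipchains does not log the header length) and uses the two log lines quoted above as its input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two ipchains lines quoted in Andrea's post, each on one line.
IPCHAINS_LOG = """\
Jul 2 12:51:58 gollum kernel: Packet log: input - eth0 PROTO=17 192.168.1.2:65535 192.168.1.1:65535 L=96 S=0x00 I=49048 F=0x00B9 T=64 (#157)
Jul 2 12:52:18 gollum kernel: Packet log: input - eth0 PROTO=17 192.168.1.2:65535 192.168.1.1:65535 L=96 S=0x00 I=49053 F=0x00B9 T=64 (#157)
"""

IP_HEADER_LEN = 20   # assumption: no IP options; ipchains logs L (total length) but not the IHL
UDP_HEADER_LEN = 8

# Fields as printed by ipchains: L=total length, S=TOS, I=IP id, F=fragment word, T=TTL.
LOG_RE = re.compile(
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


@dataclass
class Fragment:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    total_len: int
    ip_id: int
    dont_fragment: bool
    more_fragments: bool
    offset: int  # byte offset of this fragment's payload inside the original datagram

    @property
    def is_first(self) -> bool:
        return self.offset == 0

    @property
    def ports_unknown(self) -> bool:
        # Only the first fragment carries the UDP/TCP header; for later fragments
        # ipchains has no ports to show and prints 65535 for both.
        return not self.is_first and self.sport == 65535 and self.dport == 65535

    @property
    def payload_end(self) -> int:
        # Last byte (exclusive) of the reassembled IP payload covered by this fragment.
        return self.offset + self.total_len - IP_HEADER_LEN


def parse_ipchains_line(line: str) -> Optional[Fragment]:
    m = LOG_RE.search(line)
    if not m:
        return None
    frag_field = int(m["frag"], 16)
    return Fragment(
        proto=int(m["proto"]),
        src=m["src"], dst=m["dst"],
        sport=int(m["sport"]), dport=int(m["dport"]),
        total_len=int(m["len"]),
        ip_id=int(m["id"]),
        dont_fragment=bool(frag_field & 0x4000),
        more_fragments=bool(frag_field & 0x2000),
        offset=(frag_field & 0x1FFF) * 8,
    )


def parse_log(log: str) -> List[Fragment]:
    frags = [parse_ipchains_line(ln) for ln in log.splitlines()]
    return [f for f in frags if f is not None]


def udp_payload_size(frag: Fragment) -> Optional[int]:
    """Size of the original UDP payload, known only from a final (MF=0) UDP fragment."""
    if frag.proto != 17 or frag.more_fragments:
        return None
    return frag.payload_end - UDP_HEADER_LEN


def explain(frag: Fragment) -> str:
    kind = "first fragment" if frag.is_first else f"non-first fragment at byte offset {frag.offset}"
    last = "last" if not frag.more_fragments else "more follow"
    ports = " (ports unknown: no transport header in this fragment)" if frag.ports_unknown else ""
    size = udp_payload_size(frag)
    tail = f"; reassembled UDP payload = {size} bytes" if size is not None else ""
    return f"id {frag.ip_id}: {kind}, {last}{ports}{tail}"


if __name__ == "__main__":
    for frag in parse_log(IPCHAINS_LOG):
        print(explain(frag))
```

For both lines the decode gives offset 1480 with MF clear: the final fragment of a datagram whose IP payload is 1556 bytes, which exceeds a 1500-byte Ethernet MTU, and whose ports appear as 65535 because a non-first fragment carries no UDP header and therefore can never match a port-500 rule. ipchains has a `-f` (fragment) match for exactly these trailing fragments, so a filter that admits port 500 also needs a rule that admits fragments between the two peers.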
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST