On Sat, Jul 27, 2002 at 10:39:55PM -0400, Jean-Sebastien Morisset wrote:
>
[snip!]
>
> root_at_zaphod:/etc$ telnet 10.1.2.1 80
> Trying 10.1.2.1...
>
> Sniffing the encrypted traffic, I get:
>
> root_at_zaphod:~$ tcpdump -n -i wlan0
> tcpdump: listening on wlan0
> 22:31:16.243965 10.1.3.201 > 10.1.2.1: ESP(spi=0xdaa95543,seq=0xc)
> 22:31:19.243030 10.1.3.201 > 10.1.2.1: ESP(spi=0xdaa95543,seq=0xd)
>
> root_at_marvin:/tmp$ tcpdump -n -i eth3
> tcpdump: listening on eth3
> 22:30:47.988549 10.1.2.80 > 10.1.2.1: ESP(spi=3668530499,seq=0xc)
> 22:30:50.987400 10.1.2.80 > 10.1.2.1: ESP(spi=3668530499,seq=0xd)
>
> Which looks alright, except we can see that "marvin" isn't replying to
> the TCP connection request. If we look on the encrypted interfaces, I
> get:
>
> root_at_zaphod:~$ tcpdump -n -i ipsec0
> tcpdump: listening on ipsec0
> 22:32:28.701486 10.1.3.201.33214 > 10.1.2.1.80: S 4031209358:4031209358(0) win 32440 <mss 16220,sackOK,timestamp 1528766 0,nop,wscale 0> (DF) [tos 0x10]
> 22:32:31.692977 10.1.3.201.33214 > 10.1.2.1.80: S 4031209358:4031209358(0) win 32440 <mss 16220,sackOK,timestamp 1529066 0,nop,wscale 0> (DF) [tos 0x10]
>
> root_at_marvin:/tmp$ tcpdump -n -i ipsec0
> tcpdump: listening on ipsec0
>
> As you can see, the encrypted traffic doesn't seem to get decrypted on
> marvin.
>
> So, what do you think?
I *think* I've found the problem, but the freeswan FAQ etc. don't seem
to mention this problem.
When I put pluto and klips in debug mode, I can see the encrypted packet
come in, it gets decrypted ok, and then I get this:
Jul 28 11:31:35 marvin kernel: klips_debug:ipsec_rcv: SA:tun0x1001_at_10.1.2.1, inner tunnel policy [10.1.2.80/32 -> 10.1.2.1/32] does not agree with pkt contents [10.1.3.201 -> 10.1.2.1].
I'm not sure where I can adjust this 'inner tunnel policy'. Like I've
mentioned, there *is* some masquerading being done on incoming packets.
i.e.:
10.1.3.201 -> 10.1.3.1 -> NAT -> 10.1.2.80 -> 10.1.2.1
Anyone have any ideas how to fix this? Meanwhile, I'll keep on searching
google, etc.
Thanks,
js.
--
Jean-Sebastien Morisset, Sr. UNIX Administrator <jsmoriss_at_mvlan.net>
Personal Home Page <http://jsmoriss.mvlan.net:8080/>
"With sufficient thrust, pigs fly just fine." -- RFC 1925
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
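As an added illustration (not code from this thread or from FreeS/WAN), the selector comparison that the klips_debug line is reporting: the decrypted inner IP header is checked against the SA's tunnel policy, and the pre-NAT client address 10.1.3.201 falls outside the /32 source selector. The regex and the sample log line are constructed from the quoted message; the wider selector at the end is only there to show how matching works, not a verified fix for this setup.

```python
"""KLIPS-style tunnel-policy check, as a stand-alone illustration (not FreeS/WAN
code): the decrypted inner header must fall inside both selectors of the SA's
tunnel policy, otherwise the packet is dropped."""
import ipaddress
import re

# Assumption: pattern built from the single klips_debug line quoted in the message.
MISMATCH_RE = re.compile(
    r"inner tunnel policy \[(?P<psrc>[\d./]+) -> (?P<pdst>[\d./]+)\] "
    r"does not agree with pkt contents \[(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\]"
)

# Constructed copy of the message's log line (the archive renders '@' as '_at_').
LOG_LINE = ("Jul 28 11:31:35 marvin kernel: klips_debug:ipsec_rcv: "
            "SA:tun0x1001_at_10.1.2.1, inner tunnel policy "
            "[10.1.2.80/32 -> 10.1.2.1/32] does not agree with pkt contents "
            "[10.1.3.201 -> 10.1.2.1].")


def policy_agrees(policy_src, policy_dst, pkt_src, pkt_dst):
    """True when the inner packet's source and destination each fall inside the
    corresponding tunnel-policy selector (all arguments are CIDR/address strings)."""
    return (ipaddress.ip_address(pkt_src) in ipaddress.ip_network(policy_src)
            and ipaddress.ip_address(pkt_dst) in ipaddress.ip_network(policy_dst))


def failed_selectors(line):
    """Parse a KLIPS mismatch line and name the selector(s) the inner header
    violates, e.g. ['src'] when only the source lies outside the policy."""
    m = MISMATCH_RE.search(line)
    if not m:
        raise ValueError("not a KLIPS tunnel-policy mismatch line")
    checks = (("src", m["psrc"], m["src"]), ("dst", m["pdst"], m["dst"]))
    return [name for name, net, addr in checks
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(net)]


if __name__ == "__main__":
    print("violated selectors:", failed_selectors(LOG_LINE))   # ['src']
    # The post-NAT outer source seen on eth3 would have satisfied the /32 ...
    print(policy_agrees("10.1.2.80/32", "10.1.2.1/32", "10.1.2.80", "10.1.2.1"))
    # ... but the inner header still carries the pre-NAT client address, which
    # only a selector covering that address accepts (illustrative value only).
    print(policy_agrees("10.1.3.0/24", "10.1.2.1/32", "10.1.3.201", "10.1.2.1"))
```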
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:28 CEST