From: Garry Glendown (garry_at_regio.net)
Date: Wed Jul 31 2002 - 12:02:47 CEST
OK, as one direction to the remote LinkSys vpn router is working, I need
to figure out the reverse direction ... this is what I get in the
messages ...
11:47:03.289414 pD9E2A388.dip0.t-ipconnect.de > vpn.regio.net: ip-proto-50 156
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_hard_header:
skb->dev=ipsec0 dev=ipsec0.<6>klips_debug:ipsec_tunnel_hard_header:
Revectored 0x00000000->0xc08307e0 len=120 type=2048 dev=ipsec0->eth0
dev_addr=00:40:05:44:6b:4f <6>ip=d4da0201->d4da0301
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: >>>
skb->len=134 hard_header_len:14 00:40:05:44:6b:4f:00:40:05:44:6b:4f:08:00
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:120 id:793 frag_off:0 ttl:254 proto:4 chk:2738 saddr:192.168.2.1
daddr:192.168.3.1
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_findroute:
192.168.2.1->192.168.3.1
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: ** try to match a
leaf, t=0xc1b7a2a0
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_findroute: found, points
to proto=4, spi=115e, dst=d9e2a388.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
Original head,tailroom: 18,8
Jul 31 11:47:03 vpn kernel: klips_debug:gettdb: linked entry in tdb
table for hash=202 of SA:tun0x115e_at_217.226.163.136 requested.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: found
Tunnel Descriptor Block -- SA:<IPIP> tun0x115e_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: calling
room for <IPIP>, SA:tun0x115e_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
Required head,tailroom: 20,0
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: calling
room for <ESP_3DES_HMAC_MD5>, SA:esp0xac51c6ad_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
Required head,tailroom: 16,20
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
existing head,tailroom: 18,8 before applying xforms with head,tailroom:
36,20 .
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
mtu:1443 physmtu:1500 tothr:36 tottr:20 mtudiff:-1 ippkttotlen:120
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 32,8 after hard_header stripped.
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:120 id:793 frag_off:0 ttl:254 proto:4 chk:2738 saddr:192.168.2.1
daddr:192.168.3.1
Jul 31 11:47:03 vpn kernel: klips_debug:skb_copy_expand: head=c18a4000
data=c18a4020 tail=c18a4098 end=c18a40a0 end-head=160 tail-data=120
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 100,36 after allocation
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: calling
output for <IPIP>, SA:tun0x115e_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: pushing
20 bytes, putting 0, proto 4.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 80,36 before xform.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: after
<IPIP>, SA:tun0x115e_at_217.226.163.136:
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:140 id:26449 frag_off:0 ttl:64 proto:4 chk:32948 saddr:10.0.0.1
daddr:217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: calling
output for <ESP_3DES_HMAC_MD5>, SA:esp0xac51c6ad_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: calling
output for <ESP_3DES_HMAC_MD5>, SA:esp0xac51c6ad_at_217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: pushing
16 bytes, putting 20, proto 50.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
head,tailroom: 64,16 before xform.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: after
<ESP_3DES_HMAC_MD5>, SA:esp0xac51c6ad_at_217.226.163.136:
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:176 id:26449 frag_off:0 ttl:64 proto:50 chk:32866 saddr:10.0.0.1
daddr:217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_findroute:
10.0.0.1->217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: ** try to match a
leaf, t=0xc1b7a2a0
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: *** start searching up
the tree, t=0xc1b7a2a0
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: **** t=0xc1b7a2b8
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: **** t=0xc143ea40
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: ***** cp2=0xc1ec8c38
cp3=0xc0482810
Jul 31 11:47:03 vpn kernel: klips_debug:rj_match: ***** not found.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: After
recursive xforms -- head,tailroom: 64,16
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit: With
hard_header, final head,tailroom: 50,16
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_tunnel_start_xmit:
...done, calling ip_send() on device:eth0
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:176 id:26449 frag_off:0 ttl:64 proto:50 chk:32866 saddr:10.0.0.1
daddr:217.226.163.136
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_rcv: <<< Info --
skb->dev=eth0 dev=eth0
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_rcv: assigning packet
ownership to virtual device ipsec0 from physical device eth0.
Jul 31 11:47:03 vpn kernel: klips_debug: IP: ihl:20 ver:4 tos:0
tlen:176 id:96 frag_off:0 ttl:26 proto:50 chk:3412 saddr:217.226.163.136
daddr:10.0.0.1
The last couple of lines seem to be the explanation why the tunnel isn't
working ...
Jul 31 11:47:03 vpn kernel: klips_debug:gettdb: linked entry in tdb
table for hash=237 of SA:esp0x5a22089d_at_10.0.0.1 requested.
Jul 31 11:47:03 vpn kernel: klips_debug:gettdb: no entries in tdb table
for hash=237 of SA:esp0x5a22089d_at_10.0.0.1.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor
Block for SA:esp0x5a22089d_at_10.0.0.1: incoming packet with no SA dropped
What's wrong here? (please note, the 10.0.0 address is the modified
local network at the central site, 192.168.* are official addresses also,
...)
Any idea what's wrong, and how I can fix it???
Here's the barf output, though slightly reduced ...
vpn
Wed Jul 31 11:51:21 CEST 2002
+ _________________________
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________
+ cat /proc/version
Linux version 2.2.19-SMP (root_at_SMP_X86.suse.de) (gcc version 2.95.3 20010315 (SuSE)) #1 SMP Tue Sep 25 01:10:50 GMT 2001
+ _________________________
+ cat /proc/net/ipsec_eroute
30 192.168.2.0/24 -> 192.168.3.0/24 => tun0x115e_at_217.226.163.136
+ _________________________
+ cat /proc/net/ipsec_spi
esp0xac51c6ad_at_217.226.163.136 ESP_3DES_HMAC_MD5: dir=out src=10.0.0.1 iv_bits=64bits iv=0xc0aa201e5eaa6044 ooowin=64 seq=30 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(4336,0,0)add(1957,0,0)use(1775,0,0)packets(30,0,0) idle=201
tun0x115e_at_217.226.163.136 IPIP: dir=out src=10.0.0.1 life(c,s,h)=bytes(3311,0,0)add(1957,0,0)use(1775,0,0)packets(30,0,0) idle=201
+ _________________________
+ cat /proc/net/ipsec_spigrp
tun0x115e_at_217.226.163.136 esp0xac51c6ad_at_217.226.163.136
+ _________________________
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.2.0     10.0.0.1        255.255.255.0   UG      0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0          0 ipsec0
192.168.3.0     192.168.64.1    255.255.255.0   UG      0 0          0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0          0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG      0 0          0 eth0
+ _________________________
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c13ba360 2445 c1ade548 0 0 0 0 2 65535 00000000 3 1
+ _________________________
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c1ade548 2445 c13ba360
pf_key_registered: 3 c1ade548 2445 c13ba360
pf_key_registered: 9 c1ade548 2445 c13ba360
pf_key_registered: 10 c1ade548 2445 c13ba360
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:-1
debug_eroute:-1
debug_esp:-1
debug_ipcomp:-1
debug_netlink:2147483647
debug_pfkey:-1
debug_radij:-1
debug_rcv:-1
debug_spi:-1
debug_tunnel:-1
debug_verbose:0
debug_xform:-1
icmp:0
inbound_policy_check:1
tos:1
+ _________________________
+ ipsec auto --status
000 interface ipsec0/eth0 fe80::40:544:6b4f
000 interface ipsec0/eth0 fe80::240:5ff:fe44:6b4f
000 interface ipsec0/eth0 10.0.0.20
000
000 "ebe-fd" instance: 192.168.2.0/24===10.0.0.20---10.0.0.1...
000 "ebe-fd" instance: ...217.226.163.136===192.168.3.0/24
000 "ebe-fd" instance: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "ebe-fd" instance: policy: PSK+ENCRYPT+TUNNEL; interface: eth0; erouted
000 "ebe-fd" instance: newest ISAKMP SA: #432; newest IPsec SA: #433; eroute owner: #433
000 "ebe-fd": 192.168.2.0/24===10.0.0.20---10.0.0.1...%any===192.168.3.0/24
000 "ebe-fd": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "ebe-fd": policy: PSK+ENCRYPT+TUNNEL; interface: eth0; unrouted
000 "ebe-fd": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #433: "ebe-fd":217.226.163.136 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26139s; newest IPSEC; eroute owner
000 #433: "ebe-fd":217.226.163.136 esp.ac51c6ad_at_217.226.163.136 esp.5a22089d_at_10.0.0.20 tun.115e_at_217.226.163.136 tun.115d_at_10.0.0.20
000 #432: "ebe-fd":217.226.163.136 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 840s; newest ISAKMP
000 #432: "ebe-fd":217.226.163.136 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 840s; newest ISAKMP
+ _________________________
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:40:05:44:6B:4F
inet addr:10.0.0.20 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::40:544:6b4f/10 Scope:Link
inet6 addr: fe80::240:5ff:fe44:6b4f/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5046884 errors:0 dropped:3 overruns:0 frame:1
TX packets:217290 errors:0 dropped:0 overruns:0 carrier:0
collisions:6296 txqueuelen:100
RX bytes:118956704 (113.4 Mb) TX bytes:17344048 (16.5 Mb)
Interrupt:5 Base address:0x300
ipsec0 Link encap:Ethernet HWaddr 00:40:05:44:6B:4F
inet addr:10.0.0.20 Mask:255.255.255.0
inet6 addr: fe80::40:544:6b4f/10 Scope:Link
inet6 addr: fe80::240:5ff:fe44:6b4f/10 Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:190 errors:0 dropped:190 overruns:0 frame:0
RX packets:190 errors:0 dropped:190 overruns:0 frame:0
TX packets:800 errors:0 dropped:61919 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:135976 (132.7 Kb)
+ ipsec showdefaults
routephys=eth0
routephys=eth0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=10.0.0.20
routeaddr=10.0.0.20
routenexthop=10.0.0.1
routenexthop=10.0.0.1
defaultroutephys=eth0
defaultroutevirt=ipsec0
defaultrouteaddr=10.0.0.20
defaultroutenexthop=10.0.0.1
+ _________________________
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
plutodebug=all
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=ebe-fd
#plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
#authby=rsasig
#leftrsasigkey=%dns
#rightrsasigkey=%dns
pfs=no
# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
left=%defaultroute
right=%opportunistic
# uncomment to enable incoming; change to auto=route for outgoing
#auto=add
# sample VPN connection
conn ebe-fd
# Left security gateway, subnet behind it, next hop toward right.
left=10.0.0.20
leftsubnet=192.168.2.0/24
leftnexthop=10.0.0.1
# Right security gateway, subnet behind it, next hop toward left.
right=%any
rightsubnet=192.168.3.0/24
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
authby=secret
auto=add
keyingtries=1
keyexchange=ike
esp=3des-md5-96
#auto=add
+ _________________________
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "[sums to ef67...]".
10.0.0.20 %any : PSK "[sums to dcae...]"
Thanks a lot!
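A small check, added here and not part of the original post or of FreeS/WAN, that parses the klips_debug drop line and the Pluto status line quoted above. KLIPS names an inbound SA by protocol, SPI and outer destination address (the esp0xSPI@dst form seen in /proc/net/ipsec_spi), while Pluto prints the same SA as esp.SPI@dst; the script reports, for each "incoming packet with no SA dropped" line, whether Pluto knows that SPI and at which address, so the reader can see whether the mismatch is in the SPI or in the destination address. The sample strings are constructed from the lines above, and "_at_" is the archive's rendering of "@".

```python
import re

# Constructed sample input: the klips_debug drop lines and the Pluto status
# line quoted in the post ("_at_" is the archive's rendering of "@").
KLIPS_LOG = """\
Jul 31 11:47:03 vpn kernel: klips_debug:gettdb: no entries in tdb table for hash=237 of SA:esp0x5a22089d_at_10.0.0.1.
Jul 31 11:47:03 vpn kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor Block for SA:esp0x5a22089d_at_10.0.0.1: incoming packet with no SA dropped
"""
PLUTO_STATUS = ('000 #433: "ebe-fd":217.226.163.136 esp.ac51c6ad_at_217.226.163.136 '
                'esp.5a22089d_at_10.0.0.20 tun.115e_at_217.226.163.136 tun.115d_at_10.0.0.20')

# KLIPS names an SA as esp0x<spi>@<dst>; Pluto prints it as esp.<spi>@<dst>.
# Both spellings, plus the archive's "_at_" for "@", are accepted.
SA_RE = re.compile(r"\b(esp|ah|tun|comp)(?:0x|\.)([0-9a-f]+)(?:@|_at_)(\d+\.\d+\.\d+\.\d+)")
DROP_RE = re.compile(r"ipsec_rcv: no Tunnel Descriptor Block for SA:(\S+?):")

def parse_sas(text):
    """Map (proto, spi) -> set of destination addresses for every SA name in text."""
    found = {}
    for proto, spi, dst in SA_RE.findall(text):
        found.setdefault((proto, spi.lower()), set()).add(dst)
    return found

def find_dropped(klips_log):
    """Return (proto, spi, dst) for each 'incoming packet with no SA dropped' line."""
    drops = []
    for line in klips_log.splitlines():
        m = DROP_RE.search(line)
        if m:
            proto, spi, dst = SA_RE.search(m.group(1)).groups()
            drops.append((proto, spi.lower(), dst))
    return drops

def explain_drops(klips_log, pluto_status):
    """For each dropped SA, report whether Pluto knows that SPI and at which address."""
    known = parse_sas(pluto_status)
    report = []
    for proto, spi, dst in find_dropped(klips_log):
        addrs = known.get((proto, spi))
        if not addrs:
            verdict = "SPI unknown to Pluto: check keying/rekeying"
        elif dst in addrs:
            verdict = "SPI and address match Pluto: compare /proc/net/ipsec_spi"
        else:
            # The SPI exists but the packet arrived for a different outer address.
            verdict = "SPI known but bound to " + ", ".join(sorted(addrs))
        report.append((proto, spi, dst, verdict))
    return report
```

On the lines quoted in the post, explain_drops() reports esp 5a22089d at 10.0.0.1 as "SPI known but bound to 10.0.0.20", i.e. the SPI matches Pluto's inbound SA and only the outer destination address differs.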
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST