From: Sam Sgro (sam_at_freeswan.org)
Date: Sun Nov 10 2002 - 10:20:53 CET
On Fri, 8 Nov 2002 info_at_radiomensajes.com.co wrote:
From looking through your barf, I do see successful KLIPS processing from
packets going from 10.144.16.119 to 192.168.228.51:

Nov 8 10:19:56 ns kernel: klips_debug:ipsec_findroute: 10.144.16.119->192.168.228.51
Nov 8 10:19:56 ns kernel: klips_debug:rj_match: * See if we match exactly as a host destination
Nov 8 10:19:56 ns kernel: klips_debug:rj_match: ** try to match a leaf, t=0xcdc27280
Nov 8 10:19:56 ns kernel: klips_debug:ipsec_findroute: found, points to proto=4, spi=1002, dst=c82050e2.

However, I immediately see a subsequent packet processed by KLIPS...

Nov 8 10:19:57 ns kernel: klips_debug:ipsec_findroute: 200.68.135.62->200.32.80.226
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: * See if we match exactly as a host destination
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: ** try to match a leaf, t=0xcdc27280
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: *** start searching up the tree, t=0xcdc27280
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: **** t=0xcdc27298
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: **** t=0xce04fba0
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: ***** cp2=0xc9d80278 cp3=0xc443c450
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: ***** not found.

That's confusing, as I don't see a reason in your barf as to why we should
see this packet. Could this be a NAT thing?
This rule should change:

Chain POSTROUTING (policy ACCEPT 7600 packets, 578K bytes)
 pkts bytes target  prot opt in  out   source          destination
 6837  316K SNAT    all  --  *   eth0  10.144.0.0/19   0.0.0.0/0    to:200.68.135.62

You don't want packets rewritten that are destined for the 192.168.228.0/24
network to be subjugated to NAT; I'm wondering if this is how those packets
are getting erroneously injected into the IPSec machinery.
KLIPS rewrites those packets to the proper source and destination,
anyhow.
Here's a link to Paul Wouters' FAQ on the subject:
http://lists.freeswan.org/pipermail/users/2002-August/012918.html
--
Sam Sgro
sam_at_freeswan.org
This archive was generated by hypermail 2.1.5 : Mon Nov 11 2002 - 05:20:38 CET
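
Added example (not part of the original message or of FreeS/WAN): a small triage script for the klips_debug output quoted above. It pairs each ipsec_findroute lookup with its eroute result and marks lookups whose source is the SNAT to: address, which is the case the message asks about. The three addresses are taken from the message; the function name and verdict labels are assumptions made for this illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Values taken from the message: the SNAT rule's source net and to: address,
# and the remote subnet reached through the tunnel.
SNAT_SOURCE_NET = ip_network("10.144.0.0/19")
SNAT_TO = ip_address("200.68.135.62")
TUNNEL_NET = ip_network("192.168.228.0/24")

# klips_debug lines from the message, unwrapped and abridged.
SAMPLE_LOG = """\
Nov 8 10:19:56 ns kernel: klips_debug:ipsec_findroute: 10.144.16.119->192.168.228.51
Nov 8 10:19:56 ns kernel: klips_debug:rj_match: ** try to match a leaf, t=0xcdc27280
Nov 8 10:19:56 ns kernel: klips_debug:ipsec_findroute: found, points to proto=4, spi=1002, dst=c82050e2.
Nov 8 10:19:57 ns kernel: klips_debug:ipsec_findroute: 200.68.135.62->200.32.80.226
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: *** start searching up the tree, t=0xcdc27280
Nov 8 10:19:57 ns kernel: klips_debug:rj_match: ***** not found.
"""

LOOKUP = re.compile(r"ipsec_findroute:\s*(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+)")

def classify_lookups(log_text):
    """Return one dict per ipsec_findroute lookup: src, dst, eroute result, verdict."""
    results, current = [], None
    for line in log_text.splitlines():
        m = LOOKUP.search(line)
        if m:  # a new lookup starts; later lines report its outcome
            current = {"src": m.group(1), "dst": m.group(2), "eroute": "unknown"}
            results.append(current)
        elif current and "ipsec_findroute: found" in line:
            current["eroute"] = "found"
        elif current and "rj_match:" in line and "not found" in line:
            current["eroute"] = "not found"
    for r in results:
        src, dst = ip_address(r["src"]), ip_address(r["dst"])
        if src == SNAT_TO:
            r["verdict"] = "snat-address source"   # candidate for the NAT question
        elif src in SNAT_SOURCE_NET and dst in TUNNEL_NET:
            r["verdict"] = "tunnel traffic"        # inner addresses, as expected
        else:
            r["verdict"] = "other"
    return results

if __name__ == "__main__":
    for r in classify_lookups(SAMPLE_LOG):
        print(f'{r["src"]} -> {r["dst"]}: eroute {r["eroute"]}; {r["verdict"]}')
```
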