Thread: 12 messages, 4 authors, 2006-09-24

Re: Is TCP over IPsec broken in 2.6.18?

From: Evgeniy Polyakov <hidden>
Date: 2006-09-22 14:03:32

On Fri, Sep 22, 2006 at 02:23:17PM +0200, Patrick McHardy (kaber@trash.net) wrote:
> Evgeniy Polyakov wrote:
> > I started the process, but if there are no results in about an hour I
> > will continue after the weekend only if there are no interesting results
> > from other developers.
> FWIW: I've tried myself and it appears to work fine here. Policy
> similar to yours, no netfilter.
It exists even in 2.6.16; I was wrong about the 2.6.17 status.
Here is a tcpdump of the session for the 2.6.16 tree:

17:44:52.868383 arp who-has 192.168.4.79 tell 192.168.4.78
17:44:52.868508 arp reply 192.168.4.79 is-at 00:0c:6e:ad:bb:8b
17:44:52.868460 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 1 I agg
17:44:52.877751 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 2/others ? oakley-quick[E]
17:44:52.877988 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others ? inf
17:44:57.877187 arp who-has 192.168.4.78 tell 192.168.4.79
17:44:57.877256 arp reply 192.168.4.78 is-at 00:08:c7:2a:d2:63
17:45:02.876093 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 1 I agg
17:45:02.894360 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 1 R agg
17:45:02.894465 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 2/others ? oakley-quick[E]
17:45:02.937995 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 1 I agg
17:45:02.938296 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others I inf[E]
17:45:02.938487 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others ? inf
17:45:03.948772 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others I oakley-quick[E]
17:45:03.958172 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 2/others R oakley-quick[E]
17:45:03.958629 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others I oakley-quick[E]
17:45:04.770111 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x1), length 84
17:45:04.770225 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x1), length 84
17:45:04.770344 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x2), length 84
17:45:04.777560 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 3412388275:3412388295(20) ack 1965868757 win 91 <nop,nop,timestamp 1531076218 4294904370>
17:45:04.981642 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076269 4294904370>
17:45:05.389666 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076371 4294904370>
17:45:06.205721 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076575 4294904370>
17:45:07.837827 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076983 4294904370>

The same packet.

17:45:11.102066 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x2), length 100
17:45:11.102212 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x3), length 84
17:45:12.098146 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 2/others ? oakley-quick[E]
17:45:12.098427 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others ? inf
17:45:22.163283 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x4), length 84
17:45:22.163472 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x3), length 84
17:45:22.163658 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x4), length 100
17:45:22.163717 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x5), length 84
17:45:22.163756 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x5), length 84
17:45:22.163894 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x6), length 84
17:45:22.163937 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531080564 4294908719>
17:45:22.371295 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x7), length 84

Here I closed the telnet session, but the stack continues to retransmit the same
skb.

17:45:22.371364 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531080616 4294908719>
17:45:22.779256 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x8), length 84
17:45:22.779288 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531080718 4294908719>
17:45:23.595235 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x9), length 84
17:45:23.595277 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531080922 4294908719>
17:45:25.227183 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0xa), length 84
17:45:25.227227 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531081330 4294908719>

Eventually it stops sending unencrypted packets, but the initial TCP
connect is always the same. The system does not have netfilter compiled in
(config attached). racoon's log after boot:

Sep 22 18:14:02 pcix racoon: INFO: IPsec-SA request for 192.168.4.79 queued due to no phase1 found.
Sep 22 18:14:02 pcix racoon: INFO: initiate new phase 1 negotiation: 192.168.4.78[500]<=>192.168.4.79[500]
Sep 22 18:14:02 pcix racoon: INFO: begin Aggressive mode. 
Sep 22 18:14:03 pcix racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9e2c9ac8e899c995:8569d21941d4656a:0000c723
Sep 22 18:14:13 pcix racoon: INFO: received Vendor ID: DPD
Sep 22 18:14:13 pcix racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Sep 22 18:14:13 pcix racoon: INFO: ISAKMP-SA established 192.168.4.78[500]-192.168.4.79[500] spi:ca904286f10e8d1c:b58cecc365818c0a
Sep 22 18:14:13 pcix racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9e2c9ac8e899c995:8569d21941d4656a:0000c723
Sep 22 18:14:14 pcix racoon: INFO: initiate new phase 2 negotiation: 192.168.4.78[0]<=>192.168.4.79[0]
Sep 22 18:14:14 pcix racoon: INFO: IPsec-SA established: ESP/Transport 192.168.4.79->192.168.4.78 spi=117847488(0x70635c0)
Sep 22 18:14:14 pcix racoon: INFO: IPsec-SA established: ESP/Transport 192.168.4.78->192.168.4.79 spi=32789182(0x1f452be)
Sep 22 18:14:22 pcix racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9e2c9ac8e899c995:8569d21941d4656a:0000c723

The machine has an e100 NIC, SMP, no tainting modules.

racoon config:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm  rijndael, blowfish 448 ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

remote anonymous
{
        exchange_mode aggressive, main;
        my_identifier address;
        passive off;
        proposal {
                encryption_algorithm rijndael;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}

certificate file is empty.

psk file:
192.168.4.79 somenumbers

setkey:
#!/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.4.78 192.168.4.79 any -P out ipsec
        esp/transport//require;

spdadd 192.168.4.79 192.168.4.78 any -P in ipsec
        esp/transport//require;

-- 
	Evgeniy Polyakov
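A cleartext-leak check over the capture format shown in this message, added here as an illustration and not part of the original mail or thread. It assumes the two hosts and the "esp/transport//require" policy from the setkey script above, treats IKE (isakmp) as legitimately unencrypted, and uses lines copied from the tcpdump above as sample input.

```python
import re

# Sample input: lines copied from the tcpdump capture in the message above.
SAMPLE_CAPTURE = """\
17:45:02.876093 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 1 I agg
17:45:04.770111 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x1), length 84
17:45:04.777560 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 3412388275:3412388295(20) ack 1965868757 win 91 <nop,nop,timestamp 1531076218 4294904370>
17:45:04.981642 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076269 4294904370>
17:45:22.163937 IP 192.168.4.79.ssh > 192.168.4.78.56527: . ack 4 win 91 <nop,nop,timestamp 1531080564 4294908719>
17:45:22.371295 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x7), length 84
"""

# Host pairs covered by the setkey "esp/transport//require" policy (both directions).
REQUIRED_PAIRS = {("192.168.4.78", "192.168.4.79"), ("192.168.4.79", "192.168.4.78")}

# tcpdump prints "IP src[.port] > dst[.port]: body"; ports may be names (ssh, isakmp).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\w+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\w+))?: (?P<body>.*)$"
)

def find_cleartext_leaks(capture: str) -> list:
    """Return (timestamp, src, dst, body) for every IP packet between a
    policy-covered pair that is neither ESP nor IKE. IKE has to travel in
    the clear to negotiate the SAs, so it is not counted as a leak."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP and other non-IP lines are out of scope
        src, dst, body = m["src"], m["dst"], m["body"]
        if (src, dst) not in REQUIRED_PAIRS:
            continue
        if body.startswith("ESP(") or "isakmp" in (m["sport"], m["dport"]):
            continue
        leaks.append((m["ts"], src, dst, body))
    return leaks

def leak_summary(capture: str) -> dict:
    """Count leaked packets per direction, so a segment retransmitted
    unencrypted over and over shows up as a large count for one flow."""
    counts = {}
    for _, src, dst, _ in find_cleartext_leaks(capture):
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts

if __name__ == "__main__":
    for ts, src, dst, body in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"CLEARTEXT {ts} {src} -> {dst}: {body[:40]}")
    print(leak_summary(SAMPLE_CAPTURE))
```

Feed it `tcpdump -n` output from the policy host; any line it reports is traffic that left or arrived outside the SA the policy requires.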
