Package: isakmpd
Version: 20041012-5
Severity: important
Tags: patch

The IPsec implementation changed in Linux 2.6.10. All packets intended to be forwarded need to go through a flow configured in the IPSEC_DIR_FWD direction (instead of IPSEC_DIR_INBOUND).

The way isakmpd configures IPsec (IPSEC_DIR_INBOUND for input flows) causes incoming packets (intended to be forwarded) to be directed into the INPUT chain and silently discarded. The attached patch fixes this behavior for me, but I'm not sure it is correct (I don't know the isakmpd code at all, don't know much about IPsec and don't have enough time to dig more). It configures an IPSEC_DIR_FWD input flow if in tunnel mode and IPSEC_DIR_INBOUND otherwise. Cases with a host setting up IPsec in tunnel mode but using this tunnel itself (instead of just forwarding packets further) probably need to be handled. I hope this patch will at least be useful for showing precisely where the problem is.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-vserver-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages isakmpd depends on:
ii  libc6          2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libgmp3c2      2:4.2.1+dfsg-4     Multiprecision arithmetic library
ii  libssl0.9.8    0.9.8c-4etch1      SSL shared libraries

isakmpd recommends no packages.
diff -ruN isakmpd-20041012.orig/pf_key_v2.c isakmpd-20041012/pf_key_v2.c --- isakmpd-20041012.orig/pf_key_v2.c 2008-04-21 10:01:55.000000000 +0200 +++ isakmpd-20041012/pf_key_v2.c 2008-04-23 09:02:40.000000000 +0200 @@ -2318,16 +2318,7 @@ policy->sadb_x_policy_len = len / PF_KEY_V2_CHUNK; policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC; if (ingress) -#ifdef LINUX_IPSEC - { - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) - policy->sadb_x_policy_dir = IPSEC_DIR_FWD; - else policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND; - } -#else - policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND; -#endif else policy->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; policy->sadb_x_policy_reserved = 0;
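Review bot: the hunk is inverted relative to the description: the LINUX_IPSEC block that selects IPSEC_DIR_FWD for tunnel mode appears on `-` lines, so applying the diff as attached removes that block and leaves `if (ingress)` with no statement before the `else`, which does not compile; regenerate it with the unmodified tree as the `---` side and the patched tree as the `+++` side. Once the direction is corrected, note that the new code replaces IPSEC_DIR_INBOUND with IPSEC_DIR_FWD for tunnel-mode ingress rather than adding to it, so tunnel-mode packets delivered to the host itself (the case the report says still needs handling) would have no inbound flow at all; installing both an IPSEC_DIR_INBOUND and an IPSEC_DIR_FWD policy for tunnel-mode ingress on Linux would cover both forwarded and locally delivered traffic. Style nit: `else policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND;` should be split over two lines like the surrounding code.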
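A check for the condition this report describes, added here as an example and not part of the bug report or of isakmpd: it reads the output of `ip xfrm policy` (assumed to be the iproute2 format, one `src … dst …` line per policy followed by an indented `dir` line and a template line ending in `mode tunnel` or `mode transport`) and lists tunnel-mode inbound policies that have no matching forwarding policy, which is the kernel state under which forwarded packets are silently dropped.

```shell
#!/bin/sh
# Added check (not from the bug report or isakmpd): parse `ip xfrm policy`
# output and list tunnel-mode "dir in" policies that have no "dir fwd" twin.
# On Linux >= 2.6.10 forwarded traffic matching such a policy is dropped.
# On a real host run:  ip xfrm policy | missing_fwd_policies

# Constructed sample in `ip xfrm policy` format (not captured from a real
# host). Real output indents the dir/tmpl/proto lines with tabs; the parser
# relies only on whitespace-separated fields, so either indentation works.
SAMPLE='src 10.1.0.0/16 dst 10.2.0.0/16
    dir in priority 0 ptype main
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir out priority 0 ptype main
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
src 10.3.0.0/16 dst 10.4.0.0/16
    dir in priority 0 ptype main
    tmpl src 192.0.2.3 dst 192.0.2.4
        proto esp reqid 2 mode tunnel
src 10.3.0.0/16 dst 10.4.0.0/16
    dir fwd priority 0 ptype main
    tmpl src 192.0.2.3 dst 192.0.2.4
        proto esp reqid 2 mode tunnel
src 10.5.0.0/16 dst 10.6.0.0/16
    dir in priority 0 ptype main
    tmpl src 192.0.2.5 dst 192.0.2.6
        proto esp reqid 3 mode transport'

# Reads policy output on stdin; prints "src -> dst" for every tunnel-mode
# "dir in" selector lacking a "dir fwd" policy (prints nothing if all covered).
missing_fwd_policies() {
    awk '
        $1 == "src" { sel = $2 " " $4 }                  # top-level selector
        $1 == "dir" { key = sel " " $2; seen[key] = 1 }  # in / out / fwd
        /mode tunnel/ { tunnel[key] = 1 }                # template of current policy
        END {
            for (k in seen) {
                split(k, p, " ")
                if (p[3] == "in" && (k in tunnel) && !((p[1] " " p[2] " fwd") in seen))
                    print p[1] " -> " p[2]
            }
        }' | sort
}

printf '%s\n' "$SAMPLE" | missing_fwd_policies
# prints: 10.1.0.0/16 -> 10.2.0.0/16
```

The 10.3.0.0/16 selector is covered by a fwd policy and the 10.5.0.0/16 one is transport mode, so only the first tunnel-mode inbound policy is reported.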