On Fri, Sep 22, 2006 at 11:15:35AM -0400, James Morris ([EMAIL PROTECTED]) wrote:
> On Fri, 22 Sep 2006, Evgeniy Polyakov wrote:
>
> > 17:45:04.770225 IP 192.168.4.79 > 192.168.4.78:
> > ESP(spi=0x070635c0,seq=0x1), length 84
> > 17:45:04.770344 IP 192.168.4.78 > 192.168.4.79:
> > ESP(spi=0x01f452be,seq=0x2), length 84
> > 17:45:04.777560 IP 192.168.4.79.ssh > 192.168.4.78.56527: P
> > 3412388275:3412388295(20) ack 1965868757 win 91 <nop,nop,timestamp
> > 1531076218 4294904370>
>
> Where are you running tcpdump? It is normal to see both the encrypted and
> unencrypted packets if you run it on one of the machines doing ipsec,
> because of the way xfrm stacking works.
It runs on the receiving machine (2.6.17 kernel). I never saw unencrypted packets before. For example, when I do ping, the receiving side never sees unencrypted ICMP echo requests/replies, only ESP packets; the same applies to the case when the above fluent state is completed and ssh starts its normal traffic - there are only ESP packets seen by tcpdump.

> > 17:45:04.981642 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1
> > win 91 <nop,nop,timestamp 1531076269 4294904370>
> > 17:45:05.389666 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1
> > win 91 <nop,nop,timestamp 1531076371 4294904370>
> > 17:45:06.205721 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1
> > win 91 <nop,nop,timestamp 1531076575 4294904370>
> > 17:45:07.837827 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1
> > win 91 <nop,nop,timestamp 1531076983 4294904370>
>
> Not sure what's going on here.
>
> > The same packet.
> >
> > 17:45:11.102066 IP 192.168.4.79 > 192.168.4.78:
> > ESP(spi=0x070635c0,seq=0x2), length 100
> > 17:45:11.102212 IP 192.168.4.78 > 192.168.4.79:
> > ESP(spi=0x01f452be,seq=0x3), length 84
> > 17:45:12.098146 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase
> > 2/others ? oakley-quick[E]
> > 17:45:12.098427 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase
> > 2/others ? inf
> >
> > And why are racoon packets here at this stage?
>
> Can you try this with either a fully manual config (setkey only) or
> openswan?

I use racoon; maybe there are some problems with its version. I will try a new one after the weekend.

> - James
> --
> James Morris
> <[EMAIL PROTECTED]>

--
Evgeniy Polyakov

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
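As an added illustration, not part of the thread: a small Python script that takes tcpdump text such as the capture quoted above, sorts packets into ESP, IKE and cleartext, checks that the ESP sequence number of each SPI only ever increases (the property the receiver's anti-replay window depends on), and groups repeated cleartext TCP segments by endpoints and payload length so that resends stand out. The embedded capture is the thread's own tcpdump lines, re-joined where the mail wrapped them; the parsing rules and function names are this example's assumptions, not anything from the kernel or from tcpdump's documentation.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the thread, unwrapped.
SAMPLE = """\
17:45:04.770225 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x1), length 84
17:45:04.770344 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x2), length 84
17:45:04.777560 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 3412388275:3412388295(20) ack 1965868757 win 91 <nop,nop,timestamp 1531076218 4294904370>
17:45:04.981642 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076269 4294904370>
17:45:05.389666 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076371 4294904370>
17:45:06.205721 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076575 4294904370>
17:45:07.837827 IP 192.168.4.79.ssh > 192.168.4.78.56527: P 0:20(20) ack 1 win 91 <nop,nop,timestamp 1531076983 4294904370>
17:45:11.102066 IP 192.168.4.79 > 192.168.4.78: ESP(spi=0x070635c0,seq=0x2), length 100
17:45:11.102212 IP 192.168.4.78 > 192.168.4.79: ESP(spi=0x01f452be,seq=0x3), length 84
17:45:12.098146 IP 192.168.4.79.isakmp > 192.168.4.78.isakmp: isakmp: phase 2/others ? oakley-quick[E]
17:45:12.098427 IP 192.168.4.78.isakmp > 192.168.4.79.isakmp: isakmp: phase 2/others ? inf
"""

# Assumed line shapes (tcpdump -n style output as seen in the thread).
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+) > (\S+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\), length (\d+)")
SEG_RE = re.compile(r"\b(\d+):(\d+)\((\d+)\)")  # TCP "first:last(len)"


def parse_line(line):
    """Turn one tcpdump line into a record, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, rest = m.groups()
    rec = {"ts": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "dst": dst}
    esp = ESP_RE.search(rest)
    if esp:
        rec.update(kind="esp", spi=int(esp.group(1), 16),
                   seq=int(esp.group(2), 16), length=int(esp.group(3)))
    elif "isakmp:" in rest:
        rec["kind"] = "ike"
    else:
        rec["kind"] = "cleartext"
        seg = SEG_RE.search(rest)
        rec["seg_len"] = int(seg.group(3)) if seg else 0
    return rec


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def check_esp_sequences(records):
    """Per SPI, ESP sequence numbers must strictly increase. A repeat or a
    step backwards is either a replayed packet or a capture artefact, and
    either way deserves a look. Returns ({spi: [seqs]}, [(spi, prev, seq)])."""
    seen = defaultdict(list)
    anomalies = []
    for r in records:
        if r["kind"] != "esp":
            continue
        prev = seen[r["spi"]]
        if prev and r["seq"] <= prev[-1]:
            anomalies.append((r["spi"], prev[-1], r["seq"]))
        prev.append(r["seq"])
    return dict(seen), anomalies


def find_retransmits(records):
    """Group cleartext TCP segments by (src, dst, payload length). A group
    seen more than once is the same segment being resent; the gaps between
    copies are returned so the sender's backoff pattern is visible."""
    groups = defaultdict(list)
    for r in records:
        if r["kind"] == "cleartext" and r.get("seg_len"):
            groups[(r["src"], r["dst"], r["seg_len"])].append(r["ts"])
    return {key: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for key, ts in groups.items() if len(ts) > 1}


def summarize(text):
    recs = parse_capture(text)
    counts = defaultdict(int)
    for r in recs:
        counts[r["kind"]] += 1
    seqs, anomalies = check_esp_sequences(recs)
    return {"counts": dict(counts), "esp_seqs": seqs,
            "esp_anomalies": anomalies, "retransmits": find_retransmits(recs)}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("packets by kind:", report["counts"])
    for spi, seqs in report["esp_seqs"].items():
        print(f"SPI 0x{spi:08x}: seq {seqs}")
    print("ESP sequence anomalies:", report["esp_anomalies"])
    for key, gaps in report["retransmits"].items():
        print(f"resent segment {key}: gaps {gaps} s")
```

On the thread's capture the five ssh segments arrive at gaps of 0.204, 0.408, 0.816 and 1.632 seconds, each double the previous, which is the shape of a TCP sender's retransmission backoff when its data is never acknowledged; the two ESP SPIs each count up cleanly. What the script cannot tell you is whether a cleartext packet that tcpdump shows on the endpoint was also on the wire in the clear, which is the point James raises about capturing on one of the IPsec machines; settling that needs a capture taken off-host.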