| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4D519A7D.5010405@earthlink.net> Date: Tue, 08 Feb 2011 14:33:17 -0500 From: Stephen Clark <sclark46@...thlink.net> To: Neil Horman <nhorman@...driver.com> CC: Linux Kernel Network Developers <netdev@...r.kernel.org> Subject: Re: Trouble Shooting ipsec On 02/08/2011 01:35 PM, Neil Horman wrote: > On Mon, Feb 07, 2011 at 02:17:55PM -0500, Stephen Clark wrote: > >> Hello, >> >> How do I find out what is happening to my packets thru my ipsec tunnel. >> They just seem to disappear on the remote side. >> >> I have successfully got the pings thru >> when everything has an ipv6 address, but am not successful when trying >> to connect two ipv4 lans across an ipv6 ipsec tunnel. All fw chains >> both 4 and 6 >> are set to ACCEPT. NAT is turned off. >> >> eth0 eth1 >> eth1 eth0 >> 10.1.254.254/17 2001:xxxx:1628::254<----ipv6 internet -----> >> 2001:xxxx:e334::254 10.0.254.254/17 >> >> 12:00:02.296972 IP6 2001:xxxx:1628::254> 2001:xxxx:e334::254: >> ESP(spi=0x07454bc3,seq=0x28b), length 132 >> 12:00:03.308751 IP6 2001:xxxx:1628::254> 2001:xxxx:e334::254: >> ESP(spi=0x07454bc3,seq=0x28c), length 132 >> 12:00:04.296857 IP6 2001:xxxx:1628::254> 2001:xxxx:e334::254: >> ESP(spi=0x07454bc3,seq=0x28d), length 132 >> 12:00:05.293748 IP6 2001:xxxx:1628::254> 2001:xxxx:e334::254: >> ESP(spi=0x07454bc3,seq=0x28e), length 132 >> 12:00:06.296623 IP6 2001:xxxx:1628::254> 2001:xxxx:e334::254: >> ESP(spi=0x07454bc3,seq=0x28f), length 132 >> >> I have posted to the ipsec-devel list and haven't gotten any >> responses. Also I have spent 2 days googling with >> no results about the above setup. Is it even possible to tunnel ipv4 >> packet thru an ipv6 ipsec tunnel? >> >> Thanks, >> Steve >> >> > I'd start by looking at your stats counters to see if you're dropping anything > significat. It appears from what you have above that you're receiving end is > getting encapsulated packets, so at least your tunnel is functional. Take a > look at proc/net/snmp and see if any counters get bumped as you send data. I > expect you're loosing them somewhere during decode (which would show up in > /proc/net/xfrm_stat), or you're loosing them after you decode them and try to > receive/forward them (which would likely show up in /proc/net/snmp). That > should give you a clue as to where to look next > > Neil > > >> > Thanks for the tip. I wasn't aware of /proc/net/xfrm_stat I was able to work around by creating an ipv6 to ipv6 ipsec tunnel and then creating an ipip6 tunnel inside of ipv6-ipv6 ipsec tunnel. I'll continue investigating. It just so frustrating when the ipsec packets just get dropped and you have no idea why. I wish there were some hooks in the kernel so you could at least get some debug information about what is happening. -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists