Date:	Wed, 17 Sep 2014 07:28:11 +0200
From:	Steffen Klassert <steffen.klassert@...unet.com>
To:	Joe M <joe9mail@...il.com>
CC:	<netdev@...r.kernel.org>
Subject: Re: Figuring out how vti works

On Mon, Sep 15, 2014 at 09:20:43AM -0500, Joe M wrote:
> Hello Steffen Klassert,
> 
> Very sorry for this bother.
> 
> I could not figure out how vti works with ipsec and your patch was the
> latest to ip_vti.c. If you cannot help, please excuse me.
> 
> I cannot get the vpn traffic to get on the vti tunnel. tcpdump on vti
> does not show anything. I think the tunnel lookup code, for some
> reason, is not able to use the "vtil" tunnel.

Do you know where the packets are getting dropped?
netstat -i or /proc/net/xfrm_stat could give a hint.

> 
> The pings worked fine if I removed the ip_vti and ip_tunnel modules,
> the "mark=1" from /etc/ipsec.conf and the iptables mangle rules to
> set-mark.

You don't need to set the mark with iptables.
You just have to ensure that the policy and state marks
match the tunnel keys. I.e. direction in and forward must
match the ikey, direction out must match the okey.

> 
> sudo ip tunnel list
> vtil: ip/ip  remote 192.168.1.232  local 192.168.0.11  ttl inherit ikey 0  okey 1

Your ikey does not match the policy and the state mark.

> 
> sudo ip xfrm policy
> src 192.168.1.0/24 dst 192.168.0.0/24
>         dir fwd priority 2883
>         mark 1/0xffffffff
>         tmpl src <bnglr public ip> dst 192.168.0.11
>                 proto esp reqid 2 mode tunnel
> src 192.168.1.0/24 dst 192.168.0.0/24
>         dir in priority 2883
>         mark 1/0xffffffff

If you set mark 1 here, the tunnel should set ikey 1.

> 
> I tried setting the mangle rules to set-mark but that did not help. I
> could not find any more documentation.
> 

Please try without setting a mark with netfilter.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
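As an added illustration of the rule Steffen states above (example code, not from the thread or the kernel), a small Python checker that parses constructed `ip tunnel list` and `ip xfrm policy` output modelled on the thread's and reports every policy whose mark does not match the tunnel key for its direction (ikey for in/fwd, okey for out).

```python
import re

# Constructed sample output modelled on the thread (tmpl lines omitted):
# the tunnel was created with ikey 0 / okey 1, every policy carries mark 1.
TUNNEL_LIST = "vtil: ip/ip  remote 192.168.1.232  local 192.168.0.11  ttl inherit ikey 0  okey 1\n"
XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.0.0/24
        dir fwd priority 2883
        mark 1/0xffffffff
src 192.168.1.0/24 dst 192.168.0.0/24
        dir in priority 2883
        mark 1/0xffffffff
src 192.168.0.0/24 dst 192.168.1.0/24
        dir out priority 2883
        mark 1/0xffffffff
"""

def parse_tunnels(text):
    """Map tunnel name -> (ikey, okey) from `ip tunnel list` output."""
    tunnels = {}
    for line in text.splitlines():
        m = re.match(r"(\S+):.*\bikey (\d+)\s+okey (\d+)", line)
        if m:
            tunnels[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return tunnels

def parse_policies(text):
    """Return [{'sel', 'dir', 'mark'}] from `ip xfrm policy` output (mark None if unset)."""
    policies = []
    for line in text.splitlines():
        s = line.strip()
        if line and not line[0].isspace():          # selector line starts a new policy
            policies.append({"sel": s, "dir": None, "mark": None})
        elif s.startswith("dir "):
            policies[-1]["dir"] = s.split()[1]
        elif s.startswith("mark "):                  # "mark VALUE/MASK"; keep the value
            policies[-1]["mark"] = int(s.split()[1].split("/")[0], 0)
    return policies

def check_vti_marks(tunnel_text, policy_text, name):
    """List every policy whose mark does not select the vti: in/fwd must equal
    ikey, out must equal okey. The same rule applies to `ip xfrm state` marks."""
    ikey, okey = parse_tunnels(tunnel_text)[name]
    problems = []
    for p in parse_policies(policy_text):
        key, want = ("ikey", ikey) if p["dir"] in ("in", "fwd") else ("okey", okey)
        if p["mark"] != want:
            problems.append(
                f"dir {p['dir']} {p['sel']}: mark {p['mark']} but {name} {key} is {want}")
    return problems
```

On the thread's configuration the checker flags the fwd and in policies (mark 1 against ikey 0) and passes the out policy; recreating the tunnel with ikey 1 clears both findings.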