12-07-2005, 06:11 PM
#1
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,200
2.6: ping on established(!) VPN tunnel doesn't! [SOLVED]
Here's a weird one for ya...
I am using IPSec-Tools, actually a modified version which supports the XAUTH protocol. I am using that version right now, successfully, on a 2.4 machine.
But, on a 2.6 machine on the same network, behind the same router, with the same configuration, I get something "vewy skwewy..." (to quote Elmer Fudd).
I start Racoon, issue the SetKey commands, and ping 192.168.30.1 (this being a port within the range of addresses exposed on the other network through the tunnel).
- In a few moments, the VPN tunnel is established, successfully.
- Knowing that the first exchange is simply going to get Racoon to do its thing, I stop pinging, wait a few seconds, and try again.
- Using ethereal I can see ICMP Echo Reply packets being sent back from 192.168.30.1 to the address of my ethernet adapter, yes, on the 2.6 machine! The remote host is trying to respond properly! Yes, the received packet appears to Ethereal to be valid in every way!
- But nothing comes out on the terminal. ping will say that so-many packets were transmitted and that there was "100% packet loss."
- The output from setkey -DP on both machines is virtually the same. They both show an established tunnel, and both show policies in place.
- The 2.6 machine isn't even running a firewall.
When I, now very curious, do the same thing on the 2.4 machine, using a somewhat older version of ethereal, I do not see exactly the same output (it is an older version...), but I do promptly see ping delivering output to the terminal.
So... what dumb thing am I overlooking?
Last edited by sundialsvcs; 12-09-2005 at 05:01 PM.
12-09-2005, 05:09 PM
#2
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 11,200
Original Poster
The Solution ...
The problem turned out to be a difference between the 2.4 implementation of IPSEC and the 2.6. The new kernel applies the spdadd (setkey command) rules more stringently than 2.4 did.
Previously, I had only a rule which specified -P out. I did not have, nor did I need on 2.4, a second, reverse rule which specified -P in.
Apparently, kernel 2.6 does perform this check more stringently, as indeed it should. (And my 2.4 is quite old, so maybe they fixed it there, too.)
Without the rule, what happens is that (as I saw in ethereal or tcpdump...) the IPSec packet comes in, it gets decrypted, the payload gets re-injected into the stream, and... because there is no matching rule, the packet is silently dropped.
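To make the fix above concrete, here is an added example (not the original poster's configuration): a setkey policy file with only the outbound rule, the same file with the reverse inbound rule added, and a small shell lint that flags every `-P out` policy that has no `-P in` counterpart with source and destination swapped. Only the remote subnet 192.168.30.0/24 comes from the thread; the local subnet 192.168.1.0/24 and the tunnel endpoints 203.0.113.10 and 198.51.100.20 are assumed placeholders. The lint only parses spdadd lines in a file; it is not the kernel's SPD lookup, and you would still load the file with `setkey -f` and confirm with `setkey -DP`.

```shell
#!/bin/sh
# Added example: lint a setkey policy file so that every "-P out" policy
# has a matching "-P in" policy (src/dst swapped). Addresses below are
# constructed for illustration, not taken from a real deployment.

# write_examples DIR: write two constructed policy files into DIR.
write_examples() {
    dir=${1:-.}
    # Outbound-only SPD: the situation described in the thread.
    # Decrypted replies from 192.168.30.0/24 match no inbound policy
    # and are dropped by a 2.6 kernel.
    cat > "$dir/spd-out-only.conf" <<'EOF'
spdflush;
spdadd 192.168.1.0/24 192.168.30.0/24 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;
EOF
    # Corrected SPD: the reverse "-P in" policy is present, with the
    # subnets and the tunnel endpoints both swapped.
    cat > "$dir/spd-both.conf" <<'EOF'
spdflush;
spdadd 192.168.1.0/24 192.168.30.0/24 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;
spdadd 192.168.30.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.20-203.0.113.10/require;
EOF
}

# check_spd_pairs FILE
# Prints one "missing:" line per outbound policy with no reverse inbound
# policy. Returns 0 when every out policy is paired, 1 otherwise.
check_spd_pairs() {
    awk '
        # spdadd SRC DST PROTO -P DIR ipsec ... ;
        $1 == "spdadd" {
            src = $2; dst = $3; proto = $4; dir = $6
            key = src " " dst " " proto
            if (dir == "out") out[key] = 1
            if (dir == "in")  in_[key] = 1
        }
        END {
            missing = 0
            for (k in out) {
                split(k, f, " ")
                rev = f[2] " " f[1] " " f[3]
                if (!(rev in in_)) {
                    printf "missing: spdadd %s %s %s -P in ipsec ...;\n", f[2], f[1], f[3]
                    missing = 1
                }
            }
            exit missing
        }' "$1"
}

# Stand-alone demo: lint both constructed files.
demo=$(mktemp -d)
write_examples "$demo"
for f in "$demo/spd-both.conf" "$demo/spd-out-only.conf"; do
    if check_spd_pairs "$f"; then
        echo "$f: every out policy has its in counterpart"
    fi
done
rm -rf "$demo"
```

The lint keys only on source, destination and protocol, which is what the kernel matches a decapsulated packet against; it deliberately ignores the ESP endpoint order, so a file whose inbound rule was copied without swapping the tunnel endpoints still needs a manual look.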