> To: Richard Guy Briggs
> Subject: Re: linux-ipsec: routing limitations
> Cc: linux-ipsec@clinet.fi
> Date: 02/26/98, 14:24:47
>
>
> What exactly is the routing table on one of your gateways ? I suspect
> I know the problem.
The connection to 192.168.2.110 works fine, but the one to 208.146.164.45
does not. The reverse direction (from 208.146.164.45) is sending out
ARP packets on its local ethernet segment looking for 209.151.2.47.
I'm also noticing that all packets that have traversed the ipsec
interface, whether encapsulated or not, have a null ethernet source
address. I'm checking into this...
============8<============================
magellan# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:1
RX packets:465304 errors:0 dropped:0 overruns:0
TX packets:465304 errors:0 dropped:0 overruns:0
eth0 Link encap:10Mbps Ethernet HWaddr 00:C0:A8:00:70:DB
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:988832 errors:0 dropped:0 overruns:0
TX packets:966900 errors:0 dropped:0 overruns:0
Interrupt:9 Base address:0x300
eth1 Link encap:10Mbps Ethernet HWaddr 00:00:1B:3B:F3:BC
inet addr:192.168.3.100 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:91582 errors:0 dropped:0 overruns:0
TX packets:91447 errors:0 dropped:0 overruns:0
Interrupt:5 Base address:0x340
sl0 Link encap:Serial Line IP
inet addr:209.151.2.44 P-t-P:209.151.2.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:1063 errors:0 dropped:0 overruns:0
ppp0 Link encap:Point-Point Protocol
inet addr:209.151.2.47 P-t-P:209.151.2.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:1500 Metric:1
RX packets:26 errors:1 dropped:1 overruns:0
TX packets:30 errors:0 dropped:0 overruns:0
ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
UP RUNNING NOARP MTU:1404 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
ipsec1 Link encap:IPIP Tunnel HWaddr
inet addr:209.151.2.47 Bcast:209.151.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING NOARP MTU:1404 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
magellan# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
209.151.2.1 0.0.0.0 255.255.255.255 UH 1 0 0 sl0
209.151.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
208.146.164.45 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec1
192.168.2.110 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 299 eth0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 104 eth1
192.168.4.0 192.168.2.110 255.255.255.0 UG 0 0 1 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 146 lo
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 3 ppp0
0.0.0.0 0.0.0.0 0.0.0.0 U 1 0 159 sl0
magellan# cat /proc/net/ipsec*
(192.168.2.100/255.255.255.255 -> 192.168.2.110/255.255.255.255) => (192.168.2.110, 0x00000103)
(209.151.2.47/255.255.255.255 -> 208.146.164.45/255.255.255.255) => (208.146.164.45, 0x00000203)
(192.168.2.100, 00000116, 2: klen = 16, alen = 16)
(192.168.2.100, 00000115, 4: ivlen = 4, iv = 66 30 66 30)
(192.168.2.110, 00000106, 2: klen = 16, alen = 16)
(192.168.2.110, 00000105, 4: ivlen = 4, iv = 66 30 66 30)
(192.168.2.110, 00000103, 1: [192.168.2.100 -> 192.168.2.110])
(208.146.164.45, 00000206, 2: klen = 16, alen = 16)
(208.146.164.45, 00000205, 4: ivlen = 4, iv = 66 30 66 30)
(208.146.164.45, 00000203, 1: [209.151.2.47 -> 208.146.164.45])
(209.151.2.47, 00000216, 2: klen = 16, alen = 16)
(209.151.2.47, 00000215, 4: ivlen = 4, iv = 66 30 66 30)
============8<============================
> >There may be other possibilities which have not come immediately to
> >mind. The strong inclination is to find out how it was done in *BSD.
>
> Different stacks; *BSD has a single "chokepoint", ip_output(), where
> all the processing can take place.
I'll look at it.
> >This means modifying (in the current setup, haven't checked with
> >2.1.8x kernels) ip_forward, ip_out, ip_in at minimum to catch all
> >the directions.
>
> I don't think there is an ip_out in Linux. That has been the problem
> all along.
There certainly is... whether it is actually being used is another question...
It contains the functions:
int ip_rewrite_addrs (struct sock *sk, struct sk_buff *skb, struct device *dev)
static void ip_loopback(struct device *old_dev, struct sk_buff *skb)
int ip_send(struct rtable * rt, struct sk_buff *skb, __u32 daddr, int len, struct device *dev, __u32 saddr)
static int ip_send_room(struct rtable * rt, struct sk_buff *skb, __u32 daddr, int len, struct device *dev, __u32 saddr)
int ip_build_header(struct sk_buff *skb, __u32 saddr, __u32 daddr,
                    struct device **dev, int type, struct options *opt,
                    int len, int tos, int ttl, struct rtable ** rp)
void ip_send_check(struct iphdr *iph)
static inline void add_to_send_queue(struct sock * sk, struct sk_buff * skb)
void ip_queue_xmit(struct sock *sk, struct device *dev,
                   struct sk_buff *skb, int free)
int ip_build_xmit(struct sock *sk,
                  void getfrag (const void *,
                                __u32,
                                char *,
                                unsigned int,
                                unsigned int),
                  const void *frag,
                  unsigned short int length,
                  __u32 daddr,
                  __u32 user_saddr,
                  struct options * opt,
                  int flags,
                  int type,
                  int noblock)
void ip_netlink_msg(unsigned long msg, __u32 daddr, __u32 gw, __u32 mask, short flags, short metric, char *name)
static int ip_rt_event(struct notifier_block *this, unsigned long event, void *ptr)
void ip_init(void)
> -Angelos
>
>
Slainte Mhath, rgb
--
Richard Guy Briggs -- PGP key available Auto-Free Ottawa!
rgb at conscoop dot flora dot org http://www.flora.org/afo/
http://www.achilles.net/~rgb/ Ottawa-Rideau Bioregion, Canada
Please send all spam to root@127.0.0.1
"We left our footprints in the Earth
And punched a hole right through the sky" -- S.Hogarth/J.Helmer(Marillion)
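As an added diagnostic, not part of the original mail: a Python check that parses the `route -n` and eroute dumps above, resolves each eroute peer by longest-prefix match, and reports whether the packet would leave through the ipsec device carrying the eroute's source address or would instead be treated as on-link (the case in which a host ARPs for the destination, as reported for the far gateway). The magellan tables are transcribed from the message; the far-gateway table, its mirrored eroute and its SPI are constructed assumptions illustrating one configuration that produces that symptom, not the remote's real state.

```python
import ipaddress
import re
# Constructed samples, transcribed from the magellan dumps in the message above.
ROUTE_N = """\
208.146.164.45 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec1
192.168.2.110 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 299 eth0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 3 ppp0
"""
EROUTES = """\
(192.168.2.100/255.255.255.255 -> 192.168.2.110/255.255.255.255) => (192.168.2.110, 0x00000103)
(209.151.2.47/255.255.255.255 -> 208.146.164.45/255.255.255.255) => (208.146.164.45, 0x00000203)
"""
IFADDR = {"ipsec0": "192.168.2.100", "ipsec1": "209.151.2.47"}  # from ifconfig
# Hypothetical far gateway, constructed to reproduce the reported symptom: no host
# route to 209.151.2.47 via an ipsec device, only a gatewayless default on eth0.
REMOTE_ROUTE_N = "0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 eth0\n"
REMOTE_EROUTES = "(208.146.164.45/255.255.255.255 -> 209.151.2.47/255.255.255.255) => (209.151.2.47, 0x0)\n"  # SPI: placeholder
EROUTE_RE = re.compile(r"\((\S+)/\S+ -> (\S+)/\S+\) => \((\S+), (0x[0-9a-f]+)\)")

def parse_routes(text):
    routes = []  # (network, gateway, flags, iface) per `route -n` line
    for line in text.splitlines():
        if line[:1].isdigit():  # skips the banner and the column header
            dst, gw, mask, flags, _metric, _ref, _use, iface = line.split()
            routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; on equal length the entry listed first wins."""
    addr, best = ipaddress.ip_address(dst), None
    for r in routes:
        if addr in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return best

def check_eroutes(routes, eroute_text, ifaddr):
    """Each eroute peer must leave via an ipsec device whose address is the eroute source."""
    report = {}
    for src, dst, _peer, _spi in EROUTE_RE.findall(eroute_text):
        hit = lookup(routes, dst)
        if hit is None:
            report[dst] = "no route"
        elif hit[3].startswith("ipsec") and ifaddr.get(hit[3]) == src:
            report[dst] = f"ok via {hit[3]}"
        elif hit[1] == "0.0.0.0" and hit[3].startswith("eth"):
            report[dst] = f"on-link via {hit[3]}: kernel will ARP for {dst}"  # the symptom above
        else:
            report[dst] = f"via {hit[3]} gateway {hit[1]}, not the tunnel"
    return report
```

Running `check_eroutes(parse_routes(ROUTE_N), EROUTES, IFADDR)` reports both magellan eroutes as consistent, while the constructed far-gateway pair reports that 209.151.2.47 would be ARPed for on eth0.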