
IPsec tunnel mode bug - malformed, misaddressed packets

To: netdev@xxxxxxxxxxx
Subject: IPsec tunnel mode bug - malformed, misaddressed packets
From: "Christopher K. Johnson" <ckjohnson@xxxxxxx>
Date: Sun, 17 Oct 2004 07:52:21 -0400
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

There is an ipsec bug in FC2 kernel 2.6.8-1.521 for ipsec tunnel mode.
I have proven with a packet trace that some packets are
misaddressed.  Specifically it constructs a packet of the form:
IP header1 | AH header | IP header2 | ESP
The IP header1 has an incorrect destination address of the host in the
remote tunneled subnet instead of the remote vpn partner, whereas IP
header2 has the correct destination address of the remote vpn partner.

For a host in the local ipsec subnet contacting a web server in the remote
ipsec subnet, the initial syn and the response of syn,ack are tunnelled
successfully, but the encrypted ack goes out malformed as indicated above,
and thus is never delivered.

Packet trace and setkey config are attached to bugzilla entry at http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132832

Your help in resolving this bug so ipsec is usable would be appreciated greatly.

Chris
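
An added example, not part of the original message: a Python check that walks the `IP header1 | AH header | IP header2 | ESP` layout described in the report and flags a packet whose outer destination differs from the inner ESP tunnel destination. The function names, the documentation-range addresses and the sample packets are constructed for illustration; treating equal destinations as the expected case is an assumption taken from the report's description.

```python
import socket
import struct

PROTO_IPIP, PROTO_ESP, PROTO_AH = 4, 50, 51

def ipv4(buf, off):
    """Parse the IPv4 header at off; return (protocol, dst, offset of payload)."""
    if len(buf) < off + 20 or buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        raise ValueError("bad IPv4 header length")
    dst = socket.inet_ntoa(buf[off + 16:off + 20])
    return buf[off + 9], dst, off + ihl

def check_tunnel_packet(buf):
    """Return a finding string for the reported layout, or None otherwise."""
    proto, outer_dst, off = ipv4(buf, 0)
    if proto != PROTO_AH or len(buf) < off + 12:
        return None                      # no AH header to inspect
    ah_len = (buf[off + 1] + 2) * 4      # AH Payload Len: 32-bit words minus 2
    if buf[off] != PROTO_IPIP:
        return None                      # AH does not carry an inner IP header
    inner_proto, inner_dst, _ = ipv4(buf, off + ah_len)
    if inner_proto == PROTO_ESP and inner_dst != outer_dst:
        return f"outer dst {outer_dst} != inner ESP-tunnel dst {inner_dst}"
    return None

def build_sample(outer_dst, inner_dst, src="192.0.2.1"):
    """Constructed test packet; checksums, ICV and ESP payload are zeros."""
    def ip(proto, dst, payload_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                           64, proto, 0, socket.inet_aton(src),
                           socket.inet_aton(dst))
    esp = struct.pack("!II", 0x1000, 1) + bytes(16)           # SPI, seq, data
    inner = ip(PROTO_ESP, inner_dst, len(esp)) + esp
    ah = struct.pack("!BBHII", PROTO_IPIP, 4, 0, 0x2000, 1) + bytes(12)
    return ip(PROTO_AH, outer_dst, len(ah) + len(inner)) + ah + inner

if __name__ == "__main__":
    # 198.51.100.1 stands in for the remote VPN partner,
    # 203.0.113.5 for a host in the remote tunneled subnet.
    for outer in ("198.51.100.1", "203.0.113.5"):
        print(outer, "->", check_tunnel_packet(build_sample(outer, "198.51.100.1")))
```

Run over the raw IP bytes of each frame in a capture taken on the sending gateway, this isolates the packets that leave with the wrong outer destination.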

