NetBSD-Bugs archive
Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Hi Gergely, thank you for your test.
(2014/06/13 23:45), Egerváry Gergely wrote:
> 193.225.174.14[4500] 193.225.174.1[21230]
> esp-udp mode=transport spi=17298023(0x0107f267) reqid=0(0x00000000)
> ...
> 193.225.174.1[21230] 193.225.174.14[4500]
> esp-udp mode=transport spi=214723282(0x0ccc6ad2) reqid=0(0x00000000)
>
> and on the client side:
> 10.0.0.20[4500] 193.225.174.14[4500]
> esp-udp mode=transport spi=214723282(0x0ccc6ad2) reqid=0(0x00000000)
> 193.225.174.14[4500] 10.0.0.20[4500]
> esp-udp mode=transport spi=17298023(0x0107f267) reqid=0(0x00000000)
OK, the SA is correct.
I found a BUG: there was no ESP header in the UDP-encapsulated ESP packet
in my local environment.
setkey says:
# setkey -D
192.168.187.11[4500] 192.168.187.1[4500]
esp-udp mode=transport spi=262330893(0x0fa2da0d) reqid=0(0x00000000)
E: null 01020304 05060708
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 16 11:23:29 2014 current: Jun 16 11:24:27 2014
diff: 58(s) hard: 1402885409(s) soft: 5616830(s)
last: Jun 13 17:12:07 2014 hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=10078 refcnt=1
=> SPI is 0x0fa2da0d.
but tcpdump says:
# tcpdump -n -i wm0 -s 1500 -x -vvvv udp port 4500
tcpdump: listening on wm0, link-type EN10MB (Ethernet), capture size 1500 bytes
11:23:29.569166 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 60)
    192.168.187.11.4500 > 192.168.187.1.4500: [udp sum ok] UDP-encap: ESP(spi=0x01020304,seq=0x5060708), length 32
=> SPI and SEQ seem to be the head of the payload. It's wrong.
I'm analyzing the problem now.
How about your application?
For your interest, I put my test code on ftp.netbsd.org.
ftp://ftp.netbsd.org/pub/NetBSD/misc/hsuenaga/pfkey_test.tar.gz
The program creates a dummy NAT-T SA and sends a UDP packet. Your application and
SP settings may cause other problems.
> IP reference:
> Client internal (NAT) address: 10.0.0.20
> NAT box external address: 193.225.174.1
> Server external address: 193.115.174.14
>
> btw, I do not see endianness issues here.
Oops, my test code itself had an endianness issue... thank you.
--
Internet Initiative Japan Inc.
Device Engineering Section,
Core Product Development Department,
Product Division,
Technology Unit
SUENAGA Hiroki <hsuenaga%iij.ad.jp@localhost>
PGP: 66B3 8939 6758 20BA F243 89EC 557A 8CFB ABA9 5E92
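The symptom in the mail above (setkey's SAD holds SPI 0x0fa2da0d, while tcpdump decodes the first eight payload bytes of the port-4500 packet as spi=0x01020304, seq=0x5060708) can be checked mechanically. This is an added example, not the pfkey_test program from the mail: it classifies a UDP port-4500 payload the way RFC 3948 lays it out (NAT keepalive, non-ESP marker plus IKE, or an ESP header) and compares the SPI on the wire against the SPIs setkey lists; the SAD contents and packet bytes are constructed from the values quoted in the mail.

```python
import struct
from typing import NamedTuple, Optional

# RFC 3948, UDP-encapsulated ESP on port 4500. The UDP payload is one of:
#   - a single 0xFF byte (NAT-keepalive),
#   - four zero bytes (the "non-ESP marker") followed by an IKE message,
#   - an ESP header (SPI, sequence number) followed by the ESP payload.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


class EspHeader(NamedTuple):
    kind: str            # "esp", "ike" or "keepalive"
    spi: Optional[int]
    seq: Optional[int]


def parse_udp_encap(payload: bytes) -> EspHeader:
    """Classify a port-4500 UDP payload the same way tcpdump's UDP-encap decoder does."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return EspHeader("keepalive", None, None)
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return EspHeader("ike", None, None)
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])   # both fields are big-endian
    return EspHeader("esp", spi, seq)


def check_against_sad(payload: bytes, sad_spis: set) -> str:
    """Verdict for one packet: does the SPI on the wire belong to an SA in the SAD?"""
    hdr = parse_udp_encap(payload)
    if hdr.kind != "esp":
        return hdr.kind
    if hdr.spi in sad_spis:
        return "ok"
    return (f"unknown SPI 0x{hdr.spi:08x} (seq 0x{hdr.seq:x}): "
            "ESP header missing or SA mismatch")


# Constructed samples modelled on the mail: the SAD holds SPI 0x0fa2da0d, but the
# faulty packet starts with the dummy bytes 01020304 05060708 instead of an ESP
# header, so a decoder reports spi=0x01020304, seq=0x5060708 (32-byte payload).
SAD_SPIS = {0x0FA2DA0D}
BAD_PACKET = bytes.fromhex("0102030405060708") + b"\x00" * 24
GOOD_PACKET = struct.pack("!II", 0x0FA2DA0D, 1) + bytes.fromhex("0102030405060708")

if __name__ == "__main__":
    print(check_against_sad(BAD_PACKET, SAD_SPIS))
    print(check_against_sad(GOOD_PACKET, SAD_SPIS))
```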