

Re: IPsec vs ssh



On 14/11/2013 12:23 AM, Greg Troxel wrote:
...
> Agreed; this looks like the spot.  Use 'setkey -x' to dump the message.
> It's possible racoon is not consistently handling the NAT part.
> 

Interesting output...

The error is in an UPDATE message that follows a GETSPI message,
both carrying the same SPI. That agrees with the earlier logs.

Now that I notice it, racoon's GETSPI debug line prints port 500, but
everywhere else the port is 4500.

Also, setkey -x needs to learn about SADB_X_EXT_NAT_T_FRAG (hence the
"kdebug_sadb: invalid ext_type 25 was passed." line at the end of the UPDATE dump).

Darren

06:22:40.895815
sadb_msg{ version=2 type=11 errno=0 satype=1 len=2 reserved=0 seq=0 pid=19186

06:22:40.895908
06:22:42.533802
sadb_msg{ version=2 type=7 errno=0 satype=2 len=21 reserved=0 seq=0 pid=13808
sadb_ext{ len=11 type=14 }
sadb_sup{
  { id=2 ivlen=0 min=128 max=128 }
  { id=3 ivlen=0 min=160 max=160 }
  { id=5 ivlen=0 min=256 max=256 }
  { id=6 ivlen=0 min=384 max=384 }
  { id=7 ivlen=0 min=512 max=512 }
  { id=8 ivlen=0 min=160 max=160 }
  { id=9 ivlen=0 min=128 max=128 }
  { id=249 ivlen=0 min=128 max=128 }
  { id=250 ivlen=0 min=160 max=160 }
  { id=251 ivlen=0 min=0 max=2048 }
}
sadb_ext{ len=8 type=15 }
sadb_sup{
  { id=2 ivlen=8 min=64 max=64 }
  { id=3 ivlen=8 min=192 max=192 }
  { id=6 ivlen=8 min=40 max=128 }
  { id=7 ivlen=8 min=40 max=448 }
  { id=11 ivlen=0 min=0 max=2048 }
  { id=12 ivlen=16 min=128 max=256 }
  { id=13 ivlen=8 min=160 max=288 }
}

06:22:42.534497
sadb_msg{ version=2 type=7 errno=0 satype=3 len=21 reserved=0 seq=0 pid=13808
sadb_ext{ len=11 type=14 }
sadb_sup{
  { id=2 ivlen=0 min=128 max=128 }
  { id=3 ivlen=0 min=160 max=160 }
  { id=5 ivlen=0 min=256 max=256 }
  { id=6 ivlen=0 min=384 max=384 }
  { id=7 ivlen=0 min=512 max=512 }
  { id=8 ivlen=0 min=160 max=160 }
  { id=9 ivlen=0 min=128 max=128 }
  { id=249 ivlen=0 min=128 max=128 }
  { id=250 ivlen=0 min=160 max=160 }
  { id=251 ivlen=0 min=0 max=2048 }
}
sadb_ext{ len=8 type=15 }
sadb_sup{
  { id=2 ivlen=8 min=64 max=64 }
  { id=3 ivlen=8 min=192 max=192 }
  { id=6 ivlen=8 min=40 max=128 }
  { id=7 ivlen=8 min=40 max=448 }
  { id=11 ivlen=0 min=0 max=2048 }
  { id=12 ivlen=16 min=128 max=256 }
  { id=13 ivlen=8 min=160 max=288 }
}

06:22:42.535123
sadb_msg{ version=2 type=7 errno=0 satype=9 len=21 reserved=0 seq=0 pid=13808
sadb_ext{ len=11 type=14 }
sadb_sup{
  { id=2 ivlen=0 min=128 max=128 }
  { id=3 ivlen=0 min=160 max=160 }
  { id=5 ivlen=0 min=256 max=256 }
  { id=6 ivlen=0 min=384 max=384 }
  { id=7 ivlen=0 min=512 max=512 }
  { id=8 ivlen=0 min=160 max=160 }
  { id=9 ivlen=0 min=128 max=128 }
  { id=249 ivlen=0 min=128 max=128 }
  { id=250 ivlen=0 min=160 max=160 }
  { id=251 ivlen=0 min=0 max=2048 }
}
sadb_ext{ len=8 type=15 }
sadb_sup{
  { id=2 ivlen=8 min=64 max=64 }
  { id=3 ivlen=8 min=192 max=192 }
  { id=6 ivlen=8 min=40 max=128 }
  { id=7 ivlen=8 min=40 max=448 }
  { id=11 ivlen=0 min=0 max=2048 }
  { id=12 ivlen=16 min=128 max=256 }
  { id=13 ivlen=8 min=160 max=288 }
}

06:22:42.535791
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=5 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010200  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a0103fe  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=1 id=4016 }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=0 8da1044d  }
sockaddr{ len=16 family=2 port=0 0a0103fe  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:42.535839
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=4 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 8da1044d  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010100  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=1 id=4017 }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=0 8da1044d  }
sockaddr{ len=16 family=2 port=0 0a0103fe  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:42.535864
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=3 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010200  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010100  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=1 id=4019 }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:42.535889
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=2 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a0103fe  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010200  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=2 id=4015 }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=0 0a0103fe  }
sockaddr{ len=16 family=2 port=0 8da1044d  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:42.535913
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=1 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010100  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 8da1044d  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=2 id=4018 }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=0 0a0103fe  }
sockaddr{ len=16 family=2 port=0 8da1044d  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:42.535937
sadb_msg{ version=2 type=18 errno=0 satype=0 len=23 reserved=1 seq=0 pid=13808
sadb_ext{ len=3 type=5 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010100  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=1 prefixlen=24 reserved=0x0000 }
sockaddr{ len=16 family=2 port=0 0a010200  }
sadb_ext{ len=7 type=18 }
sadb_x_policy{ type=2 dir=2 id=401a }
 { len=40 proto=50 mode=2 level=2 reqid=0
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
 }
sadb_ext{ len=4 type=2 }
sadb_lifetime{ alloc=0, bytes=0 addtime=1384370551, usetime=1384370551 }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=0, usetime=0 }

06:22:45.453075
sadb_msg{ version=2 type=6 errno=0 satype=3 len=47 reserved=0 seq=3 pid=0
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sadb_ext{ len=2 type=18 }
sadb_x_policy{ type=2 dir=2 id=401a }
sadb_ext{ len=37 type=13 }
sadb_prop{ replay=32
sadb_comb{ auth=0 encrypt=7 flags=0x0000 reserved=0x00000000
  auth_minbits=0 auth_maxbits=0 encrypt_minbits=256 encrypt_maxbits=448
  soft_alloc=1 hard_alloc=1 soft_bytes=0 hard_bytes=0
  soft_alloc=69120 hard_alloc=86400 soft_bytes=23040 hard_bytes=28800 }
sadb_comb{ auth=0 encrypt=11 flags=0x0000 reserved=0x00000000
  auth_minbits=0 auth_maxbits=0 encrypt_minbits=256 encrypt_maxbits=2048
  soft_alloc=1 hard_alloc=1 soft_bytes=0 hard_bytes=0
  soft_alloc=69120 hard_alloc=86400 soft_bytes=23040 hard_bytes=28800 }
sadb_comb{ auth=0 encrypt=12 flags=0x0000 reserved=0x00000000
  auth_minbits=0 auth_maxbits=0 encrypt_minbits=256 encrypt_maxbits=256
  soft_alloc=1 hard_alloc=1 soft_bytes=0 hard_bytes=0
  soft_alloc=69120 hard_alloc=86400 soft_bytes=23040 hard_bytes=28800 }
sadb_comb{ auth=0 encrypt=13 flags=0x0000 reserved=0x00000000
  auth_minbits=0 auth_maxbits=0 encrypt_minbits=256 encrypt_maxbits=288
  soft_alloc=1 hard_alloc=1 soft_bytes=0 hard_bytes=0
  soft_alloc=69120 hard_alloc=86400 soft_bytes=23040 hard_bytes=28800 }
}

06:22:46.025902
sadb_msg{ version=2 type=10 errno=2 satype=0 len=2 reserved=0 seq=0 pid=13808

DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 141.161.4.77[500]->10.1.3.254[500] 
spi=192737835(0xb7cf22b)
06:22:46.477581
sadb_msg{ version=2 type=1(GETSPI) errno=0 satype=3 len=10 reserved=0 seq=3 
pid=13808
sadb_ext{ len=2 type=1 }
sadb_sa{ spi=192737835 replay=64 state=6 auth=76 encrypt=125 flags=0xfe01a8c0 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }

ERROR: pfkey UPDATE failed: No such file or directory
06:22:46.736242
sadb_msg{ version=2 type=2(UPDATE) errno=2 satype=3 len=31 reserved=0 seq=3 
pid=13808
sadb_ext{ len=2 type=1 }
sadb_sa{ spi=192737835 replay=4 state=0 auth=3 encrypt=12 flags=0x00000000 }
sadb_ext{ len=2 type=19 }
sadb_x_sa2{ mode=2 reqid=0 reserved1=0 reserved2=0 sequence=0 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
sadb_ext{ len=3 type=9 }
sadb_key{ bits=128 reserved=0 key= 00000000 00000000 80700000 00000000 }
sadb_ext{ len=4 type=8 }
sadb_key{ bits=160 reserved=0 key= 04000400 00000000 00000000 00000000 005a0000 
}
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=28800, usetime=0 }
sadb_ext{ len=4 type=4 }
sadb_lifetime{ alloc=0, bytes=0 addtime=23040, usetime=0 }
sadb_ext{ len=1 type=20 }
sadb_x_nat_t_type{ type=2 }
sadb_ext{ len=1 type=21 }
sadb_x_nat_t_port{ port=4500 }
sadb_ext{ len=1 type=22 }
sadb_x_nat_t_port{ port=4500 }
sadb_ext{ len=1 type=25 }
kdebug_sadb: invalid ext_type 25 was passed.

06:22:46.738022
sadb_msg{ version=2 type=3(ADD) errno=0 satype=3 len=20 reserved=0 seq=3 
pid=13808
sadb_ext{ len=2 type=1 }
sadb_sa{ spi=143351065 replay=4 state=0 auth=3 encrypt=12 flags=0x00000000 }
sadb_ext{ len=2 type=19 }
sadb_x_sa2{ mode=2 reqid=0 reserved1=0 reserved2=0 sequence=0 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=28800, usetime=0 }
sadb_ext{ len=4 type=4 }
sadb_lifetime{ alloc=0, bytes=0 addtime=23040, usetime=0 }

06:22:46.738322
sadb_msg{ version=2 type=3(ADD) errno=0 satype=3 len=20 reserved=0 seq=3 
pid=13808
sadb_ext{ len=2 type=1 }
sadb_sa{ spi=143351065 replay=4 state=0 auth=3 encrypt=12 flags=0x00000000 }
sadb_ext{ len=2 type=19 }
sadb_x_sa2{ mode=2 reqid=0 reserved1=0 reserved2=0 sequence=0 }
sadb_ext{ len=3 type=5 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 0a0103fe  }
sadb_ext{ len=3 type=6 }
sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
sockaddr{ len=16 family=2 port=4500 8da1044d  }
sadb_ext{ len=4 type=3 }
sadb_lifetime{ alloc=0, bytes=0 addtime=28800, usetime=0 }
sadb_ext{ len=4 type=4 }
sadb_lifetime{ alloc=0, bytes=0 addtime=23040, usetime=0 }


