[Bug 422918] New: No traffic when connecting to Novell VPN on ppc
https://bugzilla.novell.com/show_bug.cgi?id=422918

Summary: No traffic when connecting to Novell VPN on ppc
Product: openSUSE 11.1
Version: Factory
Platform: Macintosh
OS/Version: openSUSE 11.0
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: lchiquitto@novell.com
QAContact: qa@suse.de
Found By: Beta-Customer

When connecting to Novell VPN using OpenSUSE (Factory and 11.0) on PPC I am unable to establish connections to any host inside the VPN. While I see ESP packets going through the network interface, it seems that no answer comes back. I'm discarding network setup/topology problems because using an x86/x86_64 machine works fine.

More information and output from the VPN troubleshooting script to follow.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=422918

User lchiquitto@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c1

--- Comment #1 from Leonardo Chiquitto <lchiquitto@novell.com> 2008-09-05 06:47:34 MDT ---
First debugging session points to endianness problems. When connecting to the VPN from an x86_64 machine, the following traffic is observed:

IP 192.168.1.56.4500 > 130.57.1.243.2002: UDP-encap: ESP(spi=0x02013a90,seq=0xd), length 92
IP 130.57.1.243.2002 > 192.168.1.56.4500: UDP-encap: ESP(spi=0x0e1e7a2a,seq=0xa), length 92
IP 192.168.1.56.4500 > 130.57.1.243.2002: UDP-encap: ESP(spi=0x02013a90,seq=0xe), length 84
IP 130.57.1.243.2002 > 192.168.1.56.4500: UDP-encap: ESP(spi=0x0e1e7a2a,seq=0xb), length 140

When connecting from a ppc machine, there's just the outgoing traffic:

IP 10.1.1.4.4500 > 130.57.7.242.53767: UDP-encap: ESP(spi=0xd5dd3b43,seq=0x3), length 92
IP 10.1.1.4.4500 > 130.57.7.242.53767: UDP-encap: ESP(spi=0xd5dd3b43,seq=0x4), length 92

We can observe that the destination port is different (53767) and should be the same as above (2002). On little endian architectures, htons(2002) == 53767.

We can also observe that IPsec's NAT-Traversal feature is being used. The endpoints (client:4500 - server:2002) are probably negotiated in Phase 1.

I still have to figure out if the problem lies in the server, transmitting the port number with the incorrect byte order, or in the client, forgetting to convert the received port number to the correct byte order. I'll try to discover whether our VPN servers are big or little endian.
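As an added example (not part of the bug report), the check Leonardo does by hand in comment #1, written out in C so a capture can be triaged mechanically: it pulls the destination port out of a tcpdump summary line and reports whether it equals the expected peer port, its byte-swapped twin (the signature of a peer emitting the port in host byte order), or neither. The function names and the constructed sample line are assumptions of this example; the port numbers come from the traces above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one NAT-T encapsulation port seen on the wire. */
enum natt_port_verdict {
    NATT_PORT_OK,          /* matches the port the peer should be using */
    NATT_PORT_BYTESWAPPED, /* equals bswap16(expected): sent in host byte order */
    NATT_PORT_UNEXPECTED   /* neither, or the line could not be parsed */
};

/* Swap the two bytes of a 16-bit value; on a little-endian host this is what
 * htons() does, so bswap16(2002) == 53767 as noted in comment #1. */
uint16_t bswap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Compare the observed destination port with the port the peer should use
 * (2002 here, taken from the working x86_64 trace). */
enum natt_port_verdict classify_natt_port(uint16_t observed, uint16_t expected)
{
    if (observed == expected)          return NATT_PORT_OK;
    if (observed == bswap16(expected)) return NATT_PORT_BYTESWAPPED;
    return NATT_PORT_UNEXPECTED;
}

/* Pull the destination port out of a tcpdump summary line such as
 * "IP 10.1.1.4.4500 > 130.57.7.242.53767: UDP-encap: ...". Returns 0 on failure. */
uint16_t tcpdump_dst_port(const char *line)
{
    const char *gt = strstr(line, " > ");
    const char *colon = gt ? strchr(gt, ':') : NULL;
    if (!colon)
        return 0;
    const char *dot = colon;                 /* walk back to the last '.' before ':' */
    while (dot > gt && *dot != '.')
        dot--;
    unsigned port;
    if (*dot != '.' || sscanf(dot + 1, "%u", &port) != 1 || port > 65535)
        return 0;
    return (uint16_t)port;
}

/* Constructed sample line (not a real capture), modelled on the ppc-side trace above. */
static const char *const sample_ppc_line =
    "IP 10.1.1.4.4500 > 130.57.7.242.53767: UDP-encap: ESP(spi=0xd5dd3b43,seq=0x3), length 92";
```

Running `classify_natt_port(tcpdump_dst_port(sample_ppc_line), 2002)` yields NATT_PORT_BYTESWAPPED, which is the verdict for the ppc trace; the same call on a line from the x86_64 trace yields NATT_PORT_OK.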
https://bugzilla.novell.com/show_bug.cgi?id=422918

Christoph Thiel <cthiel@novell.com> changed:

  What       |Removed                                    |Added
  ----------------------------------------------------------------------------
  AssignedTo |bnc-team-screening@forge.provo.novell.com  |bili@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=422918

Li Bin <bili@novell.com> changed:

  What   |Removed |Added
  ----------------------------------------------------------------------------
  Status |NEW     |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=422918

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c2

--- Comment #2 from Li Bin <bili@novell.com> 2008-09-26 21:04:57 MDT ---
Leonardo,

I'll try to check if the client converts the port. And next week is the National Holiday, so maybe the reply would be late. Thanks!
https://bugzilla.novell.com/show_bug.cgi?id=422918

User lchiquitto@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c3

--- Comment #3 from Leonardo Chiquitto <lchiquitto@novell.com> 2008-09-29 17:34:19 MDT ---
Bin,

I'm almost sure that the culprit is our VPN Appliance. On PPC, the byte order conversion functions expand to nothing, as the network byte order equals the host byte order (big endian). Receiving the "wrong" port number means that the other side of the VPN (probably an x86, little endian) is sending it without proper conversion to network byte order.

To connect to the Novell VPN, I'm using the following awful patch. Hope it doesn't hurt your eyes much :)

Index: linux/net/key/af_key.c
===================================================================
--- linux.orig/net/key/af_key.c
+++ linux/net/key/af_key.c
@@ -1238,11 +1238,17 @@ static struct xfrm_state * pfkey_msg2xfr
 struct sadb_x_nat_t_port* n_port = ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1];
 natt->encap_sport = n_port->sadb_x_nat_t_port_port;
+
+ if (natt->encap_sport == 53767)
+ natt->encap_sport = 2002;
 }
 if (ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1]) {
 struct sadb_x_nat_t_port* n_port = ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1];
 natt->encap_dport = n_port->sadb_x_nat_t_port_port;
+
+ if (natt->encap_dport == 53767)
+ natt->encap_dport = 2002;
 }
 }

Thanks,
Leonardo
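Review bot: the two added checks in the pfkey_msg2xfrm_state hunk compare natt->encap_sport and natt->encap_dport against the literal 53767 and overwrite them with the literal 2002, which hard-codes one server's port pair instead of correcting the byte order the thread has diagnosed; a peer that legitimately uses port 53767 would be silently rewritten to 2002, and a server with the same byte-order defect on any other port would still fail. If the fields are really arriving byte-swapped, a single helper that swaps the 16-bit value (the inverse of what comment #1 describes, htons(2002) == 53767) would express the intent once instead of duplicating three lines under SADB_X_EXT_NAT_T_SPORT and SADB_X_EXT_NAT_T_DPORT, and a comment marking it as a site-specific workaround for a peer that sends the NAT-T port in host byte order would keep anyone from mistaking it for a general fix; as written it is fine as a local debugging aid, as the author says, but not something to carry in a shipped kernel.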
https://bugzilla.novell.com/show_bug.cgi?id=422918

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c4

Li Bin <bili@novell.com> changed:

  What          |Removed   |Added
  ----------------------------------------------------------------------------
  Status        |ASSIGNED  |NEEDINFO
  Info Provider |          |lchiquitto@novell.com

--- Comment #4 from Li Bin <bili@novell.com> 2008-10-05 20:55:01 MDT ---
Leonardo,

So did you try this code in the kernel? It just makes sure whether the port is the reason; if it's true, we need to change our client for this issue. And I'll check the code to find out if it uses network byte order.
https://bugzilla.novell.com/show_bug.cgi?id=422918

User lchiquitto@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c5

Leonardo Chiquitto <lchiquitto@novell.com> changed:

  What          |Removed                |Added
  ----------------------------------------------------------------------------
  Status        |NEEDINFO               |ASSIGNED
  Info Provider |lchiquitto@novell.com  |

--- Comment #5 from Leonardo Chiquitto <lchiquitto@novell.com> 2008-10-06 05:20:00 MDT ---
Bin,

Yes, I'm running a kernel with the patch applied. If the problem is really in the server sending the port in host byte order, changing the client will make it stop working when connecting to servers that send the port in the correct [network] byte order, no?
https://bugzilla.novell.com/show_bug.cgi?id=422918

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c6

--- Comment #6 from Li Bin <bili@novell.com> 2008-10-07 10:06:24 MDT ---
Leonardo,

Maybe, I thought all packets which are transferred between server and client should use the network byte order. And you know the listen port doesn't transform anymore, so either server or client should change this for normal communication; I think if we change the client, maybe it will still work.
https://bugzilla.novell.com/show_bug.cgi?id=422918

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c7

Li Bin <bili@novell.com> changed:

  What          |Removed   |Added
  ----------------------------------------------------------------------------
  Status        |ASSIGNED  |NEEDINFO
  Info Provider |          |allau@novell.com

--- Comment #7 from Li Bin <bili@novell.com> 2009-02-06 00:46:31 MST ---
Alex,

It's been a long time, and currently there is no environment for debugging this issue. Could you provide some environment for development?
https://bugzilla.novell.com/show_bug.cgi?id=422918

User lchiquitto@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=422918#c9

--- Comment #9 from Leonardo Chiquitto <lchiquitto@novell.com> 2009-03-10 14:04:38 MST ---
Thanks for the feedback, Alex. I'm almost sure the problem is in our VPN server and there is no easy way to fix it. I can live with my ugly workaround for now.