[Bug 840818] New: ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818
https://bugzilla.novell.com/show_bug.cgi?id=840818#c0

           Summary: ipsec tunnel does not forward incoming packets
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 12.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: andreas.mueller@hsr.ch
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1

An IPsec tunnel built with the native IPsec stack in openSUSE 12.3 does not forward received packets, although it did work well in openSUSE 12.1.

I have seen this problem in a customer installation, but it was easy to reproduce in my lab in the following setup:

  net1 --- gateway12.1 ---- encrypted-network ---- gateway12.3 --- net2

gateway12.1 runs openSUSE 12.1, gateway12.3 runs openSUSE 12.3. Configuring setkey.conf, psk.txt and racoon.conf according to the documentation is straightforward and produces a setup that will negotiate SAs for a tunnel between the two gateways. However, this setup does not work.

1. Packets sent from a host on net2 to a target on net1 are forwarded through the tunnel, arrive on gateway12.1 where they are decrypted and forwarded to the target host.

2. Packets sent from a host on net1 to a target on net2 are forwarded through the tunnel, arrive on gateway12.3, where they are decrypted, but never forwarded.

3. ICMP request packets sent from a host on net1 to the IP address of gateway12.3's interface on net2 go through the tunnel, and gateway12.3 replies to them.

4. ICMP request packets from the net2 interface of gateway12.3 (e.g. generated using ping -I eth0 ...) to a host on net1 go through the tunnel, are delivered to the target, ICMP responses are generated, go through the tunnel and are received on gateway12.3.

This shows that in 12.3 forwarding of packets coming into the machine from an ESP tunnel does not work, although local processing of such packets (ping to the "internal" interface) is possible. gateway12.1 at the other end of the tunnel shows no such problems.

There are no indications of what might cause this misbehavior of 12.3:
* No log messages from racoon or the kernel
* Nothing in dmesg
* Firewall is turned off, so nothing in /var/log/firewall

Reproducible: Always

Steps to Reproduce:
To reproduce, see the detailed description.

Tested with kernels 3.7.10-1.1-desktop, 3.7.10-1.16-desktop and 3.7.10-1.16-debug.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c

Andreas Müller <andreas.mueller@hsr.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
https://bugzilla.novell.com/show_bug.cgi?id=840818#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |mt@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=840818#c1

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Marius Tomaschewski <mt@suse.com> 2013-09-30 12:05:34 UTC ---
Enabled rp_filter?

Please attach the configuration [without the keys or with dummy keys please!] and the "sysctl net.ipv4" and "ip xfrm policy list" outputs.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c2

--- Comment #2 from Andreas Müller <andreas.mueller@hsr.ch> 2013-09-30 18:09:59 UTC ---
Created an attachment (id=560894)
 --> (http://bugzilla.novell.com/attachment.cgi?id=560894)
racoon configuration file
https://bugzilla.novell.com/show_bug.cgi?id=840818#c3

--- Comment #3 from Andreas Müller <andreas.mueller@hsr.ch> 2013-09-30 18:10:47 UTC ---
Created an attachment (id=560895)
 --> (http://bugzilla.novell.com/attachment.cgi?id=560895)
tunnel configuration setkey.conf
https://bugzilla.novell.com/show_bug.cgi?id=840818#c4

--- Comment #4 from Andreas Müller <andreas.mueller@hsr.ch> 2013-09-30 18:12:40 UTC ---
Created an attachment (id=560896)
 --> (http://bugzilla.novell.com/attachment.cgi?id=560896)
sysctl net.ipv4 output
https://bugzilla.novell.com/show_bug.cgi?id=840818#c5

--- Comment #5 from Andreas Müller <andreas.mueller@hsr.ch> 2013-09-30 18:13:53 UTC ---
Created an attachment (id=560897)
 --> (http://bugzilla.novell.com/attachment.cgi?id=560897)
ip xfrm policy list output
https://bugzilla.novell.com/show_bug.cgi?id=840818#c6

--- Comment #6 from Andreas Müller <andreas.mueller@hsr.ch> 2013-09-30 18:14:35 UTC ---
rp_filter is not enabled.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c7

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW
         AssignedTo|mt@suse.com                 |jbohac@suse.com

--- Comment #7 from Marius Tomaschewski <mt@suse.com> 2013-10-01 08:53:25 UTC ---
I've overlooked that it is about racoon -- reassigning to the maintainer of ipsec-tools.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c8

Jiri Bohac <jbohac@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |andreas.mueller@hsr.ch

--- Comment #8 from Jiri Bohac <jbohac@suse.com> 2013-10-04 13:46:59 CEST ---
This does not look like a racoon problem, the policies are correctly inserted in the kernel - I suspect some kind of a trivial networking misconfiguration. Firewall?

Can you please also post the output of:
  ip address list
  ip route list
  iptables -t nat -L
  iptables -L

You say:

Can you see both the encapsulated/encrypted and the decrypted packets with tcpdump on the "internet" interface? Can you see the decrypted packets on the "net2" interface?
https://bugzilla.novell.com/show_bug.cgi?id=840818#c9

--- Comment #9 from Andreas Müller <andreas.mueller@hsr.ch> 2013-10-04 12:04:53 UTC ---
No firewall is active on any machine. Encrypted and clear packets are visible. One can ping the target host from the gateway, the gateway has forwarding enabled, but packets seen on the "Internet" interface are not forwarded to the other interface. The same configuration with 12.1 works, 12.3 does not.

Will attach the requested command output later.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c10

Andreas Müller <andreas.mueller@hsr.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|andreas.mueller@hsr.ch      |

--- Comment #10 from Andreas Müller <andreas.mueller@hsr.ch> 2013-10-06 19:36:24 UTC ---
Here is the data requested, eth1 is the "Internet" interface:

chiron:/home/afm # ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1b:fc:91:75:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.49.1/24 brd 192.168.49.255 scope global eth0
    inet6 fe80::21b:fcff:fe91:751d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1b:fc:91:76:35 brd ff:ff:ff:ff:ff:ff
    inet 193.5.25.230/25 brd 193.5.25.255 scope global eth1
    inet6 fe80::21b:fcff:fe91:7635/64 scope link
       valid_lft forever preferred_lft forever

chiron:/home/afm # ip route list
default via 193.5.25.130 dev eth1
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev eth0 scope link
192.168.49.0/24 dev eth0 proto kernel scope link src 192.168.49.1
193.5.25.0/25 via 193.5.25.129 dev eth1
193.5.25.128/25 dev eth1 proto kernel scope link src 193.5.25.230

chiron:/home/afm # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

chiron:/home/afm # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
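The questions in comments #1 and #8 and the data posted in comment #10 amount to a fixed triage checklist for a Linux IPsec gateway that decrypts but does not forward. The script below is an added example, not part of the bug report and not an openSUSE or ipsec-tools utility: it applies that checklist (net.ipv4.ip_forward, per-interface rp_filter, the iptables FORWARD chain policy, the xfrm policy set) to captured command output, and adds one check the thread does not spell out: whether a fwd-direction xfrm policy exists, which the Linux kernel requires before it will route a decrypted tunnel packet on to another interface (an "in" policy alone covers only locally delivered packets, which matches the ping-to-the-gateway-works symptom). All sample outputs, the RFC 5737 addresses in them, and the --live flag are constructed for this example.

```shell
#!/bin/sh
# Added triage helper for "decrypted but not forwarded" IPsec gateways.
# The three SAMPLE_* blocks are constructed stand-ins for the outputs of
# "sysctl net.ipv4", "iptables -L" and "ip xfrm policy list"; they are not
# the reporter's attachments.

# Constructed: forwarding on, but rp_filter enabled on eth1.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1'

# Constructed: a FORWARD chain whose default policy drops transit traffic.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed: complete policy set (in, out and fwd) for a tunnel between
# 192.0.2.0/24 behind this gateway and 198.51.100.0/24 behind the peer.
SAMPLE_XFRM='src 198.51.100.0/24 dst 192.0.2.0/24
    dir fwd priority 0 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 0 mode tunnel
src 198.51.100.0/24 dst 192.0.2.0/24
    dir in priority 0 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 0 mode tunnel
src 192.0.2.0/24 dst 198.51.100.0/24
    dir out priority 0 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 0 mode tunnel'

# Constructed: the same tunnel with the fwd policy missing.
SAMPLE_XFRM_NOFWD='src 198.51.100.0/24 dst 192.0.2.0/24
    dir in priority 0 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 0 mode tunnel
src 192.0.2.0/24 dst 198.51.100.0/24
    dir out priority 0 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 0 mode tunnel'

# Value of one "key = value" line in captured sysctl output.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3 }'
}

# Succeeds when net.ipv4.ip_forward is 1.
forwarding_enabled() {
    [ "$(sysctl_value net.ipv4.ip_forward "$1")" = "1" ]
}

# Prints every conf.<iface>.rp_filter entry (including all/default) that is not 0.
rp_filter_enabled_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ && $3 != "0" {
            split($1, p, "."); print p[4] }'
}

# Prints the default policy of the iptables FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "Chain" && $2 == "FORWARD" { gsub(/\)/, "", $4); print $4 }'
}

# Prints "<in> <out> <fwd>" policy counts from "ip xfrm policy list" output.
xfrm_policy_counts() {
    printf '%s\n' "$1" | awk '
        $1 == "dir" { n[$2]++ }
        END { printf "%d %d %d\n", n["in"], n["out"], n["fwd"] }'
}

# Succeeds when at least one fwd-direction policy is present.
xfrm_has_fwd_policy() {
    [ "$(xfrm_policy_counts "$1" | awk '{ print $3 }')" -gt 0 ]
}

# Runs all checks on captured text; prints findings and returns 1 on any FAIL.
triage() {
    rc=0
    forwarding_enabled "$1" || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    bad=$(rp_filter_enabled_ifaces "$1")
    [ -z "$bad" ] || echo "WARN: rp_filter enabled on: $(printf '%s' "$bad" | tr '\n' ' ')"
    pol=$(forward_policy "$2")
    [ "$pol" = "ACCEPT" ] || { echo "FAIL: FORWARD chain policy is ${pol:-unknown}"; rc=1; }
    xfrm_has_fwd_policy "$3" || { echo "FAIL: no fwd-direction xfrm policy installed"; rc=1; }
    return $rc
}

# Live mode (assumed flag): run the same checks on this host; needs root for iptables.
if [ "${1-}" = "--live" ]; then
    triage "$(sysctl net.ipv4)" "$(iptables -L)" "$(ip xfrm policy list)"
fi
```

The functions take captured text rather than running the tools themselves, so the same checks apply both to a live gateway (with --live) and to outputs pasted into a bug report such as the listing in comment #10 above; a WARN on rp_filter is deliberate, since a tunnel whose remote subnet is not routed via the ingress interface fails the reverse-path check only in strict mode.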
https://bugzilla.novell.com/show_bug.cgi?id=840818#c11

--- Comment #11 from Andreas Müller <andreas.mueller@hsr.ch> 2013-11-10 21:41:15 UTC ---
Any news on this problem? I have tested with the most recent updates today, still no luck.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c12

Andreas Müller <andreas.mueller@hsr.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Network                     |Network
         AssignedTo|jbohac@suse.com             |bnc-team-screening@forge.provo.novell.com
            Product|openSUSE 12.3               |openSUSE 13.1
         OS/Version|openSUSE 12.3               |openSUSE 13.1

--- Comment #12 from Andreas Müller <andreas.mueller@hsr.ch> 2013-11-21 21:52:20 UTC ---
Just checked the same problem with 13.1: does not work either.

To verify that my configuration is correct, I built a test server using Ubuntu, using the exact same configuration files, where it worked flawlessly. This proves beyond any doubt that the kernels in openSUSE 12.3 and 13.1 are both broken.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c

Xiyuan Liu <xyliu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xyliu@suse.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com |kernel-maintainers@forge.provo.novell.com
https://bugzilla.novell.com/show_bug.cgi?id=840818#c13

Sergi Coll <sergi.coll@idgrup.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sergi.coll@idgrup.com

--- Comment #13 from Sergi Coll <sergi.coll@idgrup.com> 2013-12-11 11:59:50 UTC ---
I have the same problem. Not only with ipsec, also with simple routing between two interfaces.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c14

Jiri Bohac <jbohac@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jbohac@suse.com
         Resolution|                            |DUPLICATE

--- Comment #14 from Jiri Bohac <jbohac@suse.com> 2014-03-06 22:44:09 CET ---
Most likely a duplicate of bnc#867055. Please try the fix from Comment #1 in that bug.

*** This bug has been marked as a duplicate of bug 867055 ***
http://bugzilla.novell.com/show_bug.cgi?id=867055