[Bug 840818] New: ipsec tunnel does not forward incoming packets

older
[Bug 817866] New: GRUB2 Boot Menu...

bugzilla_noreply＠novell.com

17 Sep 2013 17 Sep '13

12:18

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c0 Summary: ipsec tunnel does not forward incoming packets Classification: openSUSE Product: openSUSE 12.3 Version: Final Platform: x86-64 OS/Version: openSUSE 12.3 Status: NEW Severity: Major Priority: P5 - None Component: Network AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: andreas.mueller@hsr.ch QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1 A ipsec tunnel built with the native IPsec stack in OpenSUSE 12.3 does not forward received packets, allthough it did work well in OpenSUSE 12.1. I have seen this problem in a customer installation, but it was easy to reproduce in my lab in the following setup: net1 --- gateway12.1 ---- encrypted-network ---- gateway12.3 --- net2 gateway12.1 runs OpenSUSE 12.1, gateway12.3 runs OpenSUSE 12.3. Configuring setkey.conf, psk.txt, racoon.conf according documentation is straight forward and produces a setup that will negotiate SAs for a tunnel between the two gateways. However, this setup does not work. 1. Packets sent from a host on net2 to a target on net1 are forwarded through the tunnel, arrive on gateway12.1 where the are decrypted and forwarded to the target host. 2. Packets sent from a host on net1 to a target on net2 are forwarded through the tunnel, arrive on gateway12.3, where the are decrypted, but never forwarded. 3. ICMP request packets sent from a host on net1 to the IP address of gateway12.3's interface on net2 go through the tunnel, and gateway12.3 replies to them. 4. ICMP request packets from the net2-interface of gateway12.3 (e.g. generated using ping -I eth0 ...) to a host on net1 go through the tunnel, are delivered to the target, ICMP responses are generated, go through the tunnel and are received on gateway12.3. This shows that in 12.3 forwarding of packets coming into the machine from an ESP tunnel does not work, although local processing of such packets (ping to "internal" interface) is possible. gateway12.1 at the other end of the tunnel shows no such problems. There are no indications what might cause this misbehavior of 12.3: * No log messages from racoon or the kernel * Nothing in dmesg * Firewall is turned of so nothing in /var/log/firewall Reproducible: Always Steps to Reproduce: To reproduce se the detail description Tested with kernels 3.7.10-1.1-desktop, 3.7.10-1.16-desktop and 3.7.10-1.16-debug. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

17 Sep 17 Sep

12:20

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c Andreas Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

29 Sep 29 Sep

18:20

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |mt@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

30 Sep 30 Sep

12:05

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c1 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #1 from Marius Tomaschewski 2013-09-30 12:05:34 UTC --- Enabled rp_filter? Please attach the configuration [without the keys or with dummy keys please!] and "sysctl net.ipv4" and "ip xfrm policy list" outputs. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:10

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c2 --- Comment #2 from Andreas Müller 2013-09-30 18:09:59 UTC --- Created an attachment (id=560894) --> (http://bugzilla.novell.com/attachment.cgi?id=560894) racoon configuration file -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:10

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c3 --- Comment #3 from Andreas Müller 2013-09-30 18:10:47 UTC --- Created an attachment (id=560895) --> (http://bugzilla.novell.com/attachment.cgi?id=560895) tunnel configuration setkey.conf -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:12

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c4 --- Comment #4 from Andreas Müller 2013-09-30 18:12:40 UTC --- Created an attachment (id=560896) --> (http://bugzilla.novell.com/attachment.cgi?id=560896) sysctl net.ipv4 output -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:13

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c5 --- Comment #5 from Andreas Müller 2013-09-30 18:13:53 UTC --- Created an attachment (id=560897) --> (http://bugzilla.novell.com/attachment.cgi?id=560897) ip xfrm policy list output -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:14

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c6 --- Comment #6 from Andreas Müller 2013-09-30 18:14:35 UTC --- rp_filter is not enabled. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

1 Oct 1 Oct

08:53

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c7 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEW AssignedTo|mt@suse.com |jbohac@suse.com --- Comment #7 from Marius Tomaschewski 2013-10-01 08:53:25 UTC --- I've overlooked that it is about racoon -- reassigning to maintainer of ipsec-tools. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

4 Oct 4 Oct

11:47

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c8 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |andreas.mueller@hsr.ch --- Comment #8 from Jiri Bohac 2013-10-04 13:46:59 CEST --- This does not look like a racoon problem, the policies are correctly inserted in the kernel - I suspect some kind of a trivial networking misconfiguration. Firewall? Can you please also post the output of: ip address list ip route list iptables -t nat -L iptables -L You say:

...

2. Packets sent from a host on net1 to a target on net2 are forwarded through the tunnel, arrive on gateway12.3, where the are decrypted, but never forwarded.

Can you see both the encapsulated/encrypted and the decrypted packets with tcpdump on the "internet" interface? Can you see the decrypted packets on the "net2" interface? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:04

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c9 --- Comment #9 from Andreas Müller 2013-10-04 12:04:53 UTC --- No firewall is active on any machine. Encrypted and clear packets are visible. One can ping the target host from the gateway, the gateway has forwarding enabled, but packets seen on the "Internet" interface are not forwarded to the other interface. Same configuration with 12.1 works, 12.3 does not. Will attach requested command output later. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 Oct 6 Oct

19:36

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c10 Andreas Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|andreas.mueller@hsr.ch | --- Comment #10 from Andreas Müller 2013-10-06 19:36:24 UTC --- Here is the data requested, eth1 is the "Internet" interface: chiron:/home/afm # ip addr list 1: lo: mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:1b:fc:91:75:1d brd ff:ff:ff:ff:ff:ff inet 192.168.49.1/24 brd 192.168.49.255 scope global eth0 inet6 fe80::21b:fcff:fe91:751d/64 scope link valid_lft forever preferred_lft forever 3: eth1: mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:1b:fc:91:76:35 brd ff:ff:ff:ff:ff:ff inet 193.5.25.230/25 brd 193.5.25.255 scope global eth1 inet6 fe80::21b:fcff:fe91:7635/64 scope link valid_lft forever preferred_lft forever chiron:/home/afm # ip route list default via 193.5.25.130 dev eth1 127.0.0.0/8 dev lo scope link 169.254.0.0/16 dev eth0 scope link 192.168.49.0/24 dev eth0 proto kernel scope link src 192.168.49.1 193.5.25.0/25 via 193.5.25.129 dev eth1 193.5.25.128/25 dev eth1 proto kernel scope link src 193.5.25.230 chiron:/home/afm # iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination chiron:/home/afm # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 Nov 10 Nov

21:41

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c11 --- Comment #11 from Andreas Müller 2013-11-10 21:41:15 UTC --- Any news on this problem? I have tested with the most recent updates today, still no luck. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21 Nov 21 Nov

21:52

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c12 Andreas Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Network |Network AssignedTo|jbohac@suse.com |bnc-team-screening@forge.pr | |ovo.novell.com Product|openSUSE 12.3 |openSUSE 13.1 OS/Version|openSUSE 12.3 |openSUSE 13.1 --- Comment #12 from Andreas Müller 2013-11-21 21:52:20 UTC --- Just checked the same problem with 13.1: does not work either. To verify that my configuration is correct, I built a test server using ubuntu, using the exact same configuration files, where it worked flawlessly. This proves beyond any doubt that the kernels in openSuSE 12.3 and 13.1 are both broken. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

22 Nov 22 Nov

03:23

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c Xiyuan Liu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |xyliu@suse.com AssignedTo|bnc-team-screening@forge.pr |kernel-maintainers@forge.pr |ovo.novell.com |ovo.novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Dec 11 Dec

11:59

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c13 Sergi Coll changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sergi.coll@idgrup.com --- Comment #13 from Sergi Coll 2013-12-11 11:59:50 UTC --- I have the same problem. Not only with ipsec also with simple routing between two interfaces. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 Mar 6 Mar

21:44

New subject: [Bug 840818] ipsec tunnel does not forward incoming packets

https://bugzilla.novell.com/show_bug.cgi?id=840818 https://bugzilla.novell.com/show_bug.cgi?id=840818#c14 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |jbohac@suse.com Resolution| |DUPLICATE --- Comment #14 from Jiri Bohac 2014-03-06 22:44:09 CET --- most likely a duplicate of bnc#867055. Please try the fix from Comment #1 in that bug. *** This bug has been marked as a duplicate of bug 867055 *** http://bugzilla.novell.com/show_bug.cgi?id=867055 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

3706

Age (days ago)

3876

Last active (days ago)

List overview

Download

17 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 840818] New: ipsec tunnel does not forward incoming packets

tags

participants (1)