[Bug 840818] New: ipsec tunnel does not forward incoming packets
https://bugzilla.novell.com/show_bug.cgi?id=840818
https://bugzilla.novell.com/show_bug.cgi?id=840818#c0

Summary: ipsec tunnel does not forward incoming packets
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: andreas.mueller@hsr.ch
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1

An ipsec tunnel built with the native IPsec stack in OpenSUSE 12.3 does not forward received packets, although it did work well in OpenSUSE 12.1.

I have seen this problem in a customer installation, but it was easy to reproduce in my lab in the following setup:

net1 --- gateway12.1 ---- encrypted-network ---- gateway12.3 --- net2

gateway12.1 runs OpenSUSE 12.1, gateway12.3 runs OpenSUSE 12.3. Configuring setkey.conf, psk.txt, racoon.conf according to the documentation is straightforward and produces a setup that will negotiate SAs for a tunnel between the two gateways. However, this setup does not work.

1. Packets sent from a host on net2 to a target on net1 are forwarded through the tunnel, arrive on gateway12.1 where they are decrypted and forwarded to the target host.
2. Packets sent from a host on net1 to a target on net2 are forwarded through the tunnel, arrive on gateway12.3, where they are decrypted, but never forwarded.
3. ICMP request packets sent from a host on net1 to the IP address of gateway12.3's interface on net2 go through the tunnel, and gateway12.3 replies to them.
4. ICMP request packets from the net2-interface of gateway12.3 (e.g. generated using ping -I eth0 ...) to a host on net1 go through the tunnel, are delivered to the target, ICMP responses are generated, go through the tunnel and are received on gateway12.3.
This shows that in 12.3 forwarding of packets coming into the machine from an ESP tunnel does not work, although local processing of such packets (ping to "internal" interface) is possible. gateway12.1 at the other end of the tunnel shows no such problems.

There are no indications what might cause this misbehavior of 12.3:
* No log messages from racoon or the kernel
* Nothing in dmesg
* Firewall is turned off so nothing in /var/log/firewall

Reproducible: Always

Steps to Reproduce:
To reproduce see the detailed description

Tested with kernels 3.7.10-1.1-desktop, 3.7.10-1.16-desktop and 3.7.10-1.16-debug.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=840818#c8

--- Comment #8 from Jiri Bohac

> 2. Packets sent from a host on net1 to a target on net2 are forwarded through the tunnel, arrive on gateway12.3, where they are decrypted, but never forwarded.

Can you see both the encapsulated/encrypted and the decrypted packets with tcpdump on the "internet" interface? Can you see the decrypted packets on the "net2" interface?
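The two questions in comment #8 amount to a capture-based triage: compare what arrives on the outside interface (ESP, then the decrypted inner packet, which the kernel hands back to the same interface after XFRM input processing) with what leaves on the inside interface. The script below is an added example, not part of the bug thread or of any openSUSE tooling; it runs that triage over constructed tcpdump-style summary lines and reports the first stage where packets disappear. The interface names `wan`/`lan`, the documentation addresses and every sample line are assumptions made for the example; the `not-forwarded` verdict corresponds to the symptom the report describes, where local delivery works but transit packets are never forwarded.

```python
"""Triage helper for an IPsec gateway that receives ESP but does not forward.

Added example (not from the bug report). It reads tcpdump-style one-line
summaries captured at two points on the receiving gateway and reports the
first stage at which tunnelled packets disappear. Interface names,
addresses and the sample lines below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# ESP packets as tcpdump prints them on the outside ("internet") interface.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-fA-F]+,seq=0x[0-9a-fA-F]+\)")
# Decrypted inner packets; tcpdump appends ".port" to TCP/UDP addresses.
INNER_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (ICMP|TCP|UDP)"
)

# Constructed capture: outside interface of the receiving gateway ("wan") and
# its inside interface towards net2 ("lan"). Documentation ranges are used:
# net1 = 192.0.2.0/24, net2 = 198.51.100.0/24, tunnel endpoints in 203.0.113.0/24.
SAMPLE_CAPTURE = {
    "wan": [
        "12:00:00.000001 IP 203.0.113.1 > 203.0.113.2: ESP(spi=0x0000abcd,seq=0x1), length 132",
        "12:00:00.000002 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64",
        "12:00:00.000003 IP 203.0.113.1 > 203.0.113.2: ESP(spi=0x0000abcd,seq=0x2), length 132",
        "12:00:00.000004 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 2, seq 1, length 64",
        "12:00:00.000005 IP 203.0.113.2 > 203.0.113.1: ESP(spi=0x0000dcba,seq=0x1), length 132",
    ],
    "lan": [],  # nothing ever leaves towards net2: the symptom in the report
}


@dataclass
class Tally:
    esp: int = 0            # ESP packets addressed to this gateway on the outside interface
    inner_transit: int = 0  # decrypted packets addressed to a host behind the gateway
    inner_local: int = 0    # decrypted packets addressed to the gateway itself
    forwarded: int = 0      # transit packets seen leaving on the inside interface


def tally(capture, inside_net, local_addrs):
    """Count packets per stage. inside_net is net2's prefix, local_addrs the gateway's own addresses."""
    net = ipaddress.ip_network(inside_net)
    local = {ipaddress.ip_address(a) for a in local_addrs}
    t = Tally()
    for line in capture["wan"]:
        m = ESP_RE.search(line)
        if m:
            # Only inbound ESP counts; outbound ESP from this gateway is ignored.
            if ipaddress.ip_address(m.group(2)) in local:
                t.esp += 1
            continue
        m = INNER_RE.search(line)
        if m:
            dst = ipaddress.ip_address(m.group(2))
            if dst in local:
                t.inner_local += 1
            elif dst in net:
                t.inner_transit += 1
    for line in capture["lan"]:
        m = INNER_RE.search(line)
        if m and ipaddress.ip_address(m.group(2)) in net:
            t.forwarded += 1
    return t


def diagnose(t):
    """Return (code, explanation) for the first stage that loses packets."""
    if t.esp == 0:
        return ("no-esp", "no ESP arrives on the outside interface: SA negotiation or routing at the peer")
    if t.inner_transit == 0 and t.inner_local == 0:
        return ("not-decrypted", "ESP arrives but no decrypted packet appears: SA keys or inbound policy")
    if t.inner_transit > 0 and t.forwarded == 0:
        return ("not-forwarded", "decrypted transit packets never leave the inside interface: "
                                 "forwarding after XFRM input is broken")
    return ("ok", "packets are decrypted and forwarded")


if __name__ == "__main__":
    verdict = diagnose(tally(SAMPLE_CAPTURE, "198.51.100.0/24", ["203.0.113.2", "198.51.100.1"]))
    print(*verdict, sep=": ")
```

On a real gateway the two lists would be filled from `tcpdump -ni <iface>` on the outside and inside interfaces. A `not-forwarded` verdict separates this report's symptom from key or negotiation problems; the next things to compare between the working and the failing gateway are then the forwarding sysctl (`net.ipv4.ip_forward`) and the installed XFRM policies (`ip xfrm policy`), which this thread does not record.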