[Bug 346211] New: racoon (novell-ipsec-tools pkg) can build tunnels but no traffic gets through

newer
[Bug 328632] New: syslog-ng.conf...

bugzilla_noreply＠novell.com

5 Dec 2007 5 Dec '07

15:58

https://bugzilla.novell.com/show_bug.cgi?id=346211 Summary: racoon (novell-ipsec-tools pkg) can build tunnels but no traffic gets through Product: SUSE Linux 10.1 Version: Final Platform: x86-64 OS/Version: SLED 10 Status: NEW Severity: Major Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: david.mattes@boeing.com QAContact: qa@suse.de CC: stingleff@novell.com, bili@novell.com Found By: Customer I am using novell-ipsec-tools, along with turnpike, to build VPN tunnels. VPN tunnels have been and are still successfully established but VPN traffic stopped flowing with novell-ipsec-tools-0.6.3-26.14 (SLED10SP1) as a regression from novell-ipsec-tools-0.6.3-26.4 (SLED10). When I connect with 26.4 (when it works) the relevant entries in syslog are: racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[0]->192.168.1.150[0] racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[0]->10.0.0.1[0] And the tunnel works fine. But when I connect with 26.14 these change to: racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[500]->192.168.1.150[500] racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[500]->10.0.0.1[500] And then when I try to send data through the tunnel I get a constant (~1/sec) stream of the following: racoon: DEBUG: KA: 192.168.1.150[500]->10.0.0.1[500] racoon: DEBUG: sockname 192.168.1.150[500] racoon: DEBUG: send packet from 192.168.1.150[500] racoon: DEBUG: send packet to 10.0.0.1[500] racoon: DEBUG: src4 192.168.1.150[500] racoon: DEBUG: dst4 10.0.0.1[500] racoon: DEBUG: 1 times of 1 bytes message will be sent to 10.0.0.1[500] racoon: DEBUG: ff The only difference I can see is the change from ipaddr[0] to ipaddr[500], going from version 26.4 to version 26.14. What is the [500], and why did that change between the two versions? Is this a config option? Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

6 Dec 6 Dec

02:21

New subject: [Bug 346211] racoon (novell-ipsec-tools pkg) can build tunnels but no traffic gets through

https://bugzilla.novell.com/show_bug.cgi?id=346211 User bili@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=346211#c1 --- Comment #1 from Li Bin 2007-12-05 19:21:05 MST --- Created an attachment (id=186102) --> (https://bugzilla.novell.com/attachment.cgi?id=186102) vpn_TroubleShooting script Hi, David. :), nice to meet you again. First, We add the KeepAlive's support in the new version, but I'm not sure when these version were released? So I need you run the troubleshooting script in different version for more information. Second, the port 500 used for ISAKMP. Also the KeepAlive packets use this port.

...

racoon: DEBUG: KA: 192.168.1.150[500]->10.0.0.1[500] racoon: DEBUG: sockname 192.168.1.150[500] racoon: DEBUG: send packet from 192.168.1.150[500] racoon: DEBUG: send packet to 10.0.0.1[500] racoon: DEBUG: src4 192.168.1.150[500] racoon: DEBUG: dst4 10.0.0.1[500] racoon: DEBUG: 1 times of 1 bytes message will be sent to 10.0.0.1[500] racoon: DEBUG: ff These packets just were the KeepAlive package.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.