[Full-Disclosure] IPSEC on arm-linux board

From: Pritesh Harivadan Shah (priteshshah_at_tataelxsi.co.in)
Date: 05/04/04

    To: <full-disclosure@lists.netsys.com>
    Date: Tue, 4 May 2004 12:14:13 +0530
    
    

    Dear All,

    We have tested IPSEC on regular Linux gateways.

    Now we are testing it on an arm-linux board.

    We are able to establish an IPSEC SA. But on arm-linux, ping from one end to
    the other end does not work.

    By tracing, it looks like the ipsec interface takes the packet but does not
    throw it out.

    The moment we stop IPSEC, it starts pinging through the interface which is
    attached to IPSEC. Basically, packets are dropped by the IPSEC interface, as per
    the enclosed log and our observation.

    Enclosed below is the log file with KLIPSDEbug on. Any help is appreciated. I
    suspect some problem either at the kernel level or with the
    freeswan version. We are using freeswan 1.99, cross-compiled for the arm
    board.

    ******************************** LOG FILE START

    klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.
    klips_debug:ipsec_tunnel_hard_header: Revectored 0x00000000->0xc0b201c8 len=60 type=2048 dev=ipsec0->wan dev_addr=00:01:03:13:96:ef ip=1e1e1e01->28282801
    klips_debug:ipsec_tunnel_start_xmit: >>> skb->len=74 hard_header_len:14<6>klips_debug: IP: ihl:20 ver:4 tos:0 tlen:60 id:35719 frag_off:0 ttl:127 proto:1 (ICMP) chk:9202 saddr:30.30.30.1 daddr:40.40.40.1 type:code=8:0
    klips_debug:ipsec_findroute: 30.30.30.1->40.40.40.1
    klips_debug:rj_match: * See if we match exactly as a host destination
    klips_debug:rj_match: ** try to match a leaf, t=0xc09a4580
    klips_debug:ipsec_findroute: found, points to proto=4, spi=1004, dst=c0a80a3c.
    klips_debug:ipsec_tunnel_start_xmit: checking for local udp/500 IKE packet saddr=1e1e1e01, er=c09a4580, daddr=28282801, er_dst=c0a80a3c, proto=1 sport=0 dport=0

    klips_debug:ipsec_tunnel_start_xmit: Original head,tailroom: 18,1988
    klips_debug:gettdb: linked entry in tdb table for hash=18 of SA:tun0x1004@192.168.10.60 requested.
    klips_debug:ipsec_tunnel_start_xmit: found Tunnel Descriptor Block -- SA:<IPIP> tun0x1004@192.168.10.60
    klips_debug:ipsec_tunnel_start_xmit: calling room for <IPIP>, SA:tun0x1004@192.168.10.60
    klips_debug:ipsec_tunnel_start_xmit: Required head,tailroom: 20,0
    klips_debug:ipsec_tunnel_start_xmit: TDB in dead state for SA:<ESP_3DES_HMAC_MD5 esp0xe42b83e@192.168.10.60, can no longer be used, dropping packet.

    ************************************* LOG FILE END

    Regards

    Pritesh

    "As a well spent day brings happy sleep, so life well used brings happy
    death." - Leonardo da Vinci

    --------------------------------
    Tata Elxsi Ltd, Bangalore, India

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
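
    Added example, not part of the original post and not FreeS/WAN code: one way to triage a KLIPS debug capture like the one above is to undo the mail wrapping, split it back into records, and report each dropped packet with the SA the drop message names. The function names are hypothetical, the sample is constructed from the format in the post, and it assumes the wrapping fell at spaces rather than mid-word.

```python
import re

# KLIPS debug records start with "klips_debug:", sometimes preceded by a printk
# level such as "<6>" when two records were run together on one line.
RECORD = re.compile(r"(?:<\d>)?klips_debug:")
IPV4 = r"\d+(?:\.\d+){3}"
FLOW = re.compile(rf"{IPV4}->{IPV4}")
# SA ids look like esp0xe42b83e@192.168.10.60, optionally after a "<TRANSFORM>" tag.
SA_ID = re.compile(rf"SA:(?:<\S+\s+)?([a-z]+)(0x[0-9a-f]+)@({IPV4})")

# Constructed sample modelled on the log in the post, wrapped the same way.
SAMPLE = """\
klips_debug:ipsec_tunnel_start_xmit: >>> skb->len=74
hard_header_len:14<6>klips_debug: IP: ihl:20 ver:4 proto:1
klips_debug:ipsec_findroute: 30.30.30.1->40.40.40.1
klips_debug:ipsec_findroute: found, points to proto=4, spi=1004,
dst=c0a80a3c.
klips_debug:ipsec_tunnel_start_xmit: found Tunnel Descriptor Block --
SA:<IPIP>
tun0x1004@192.168.10.60
klips_debug:ipsec_tunnel_start_xmit: TDB in dead state for
SA:<ESP_3DES_HMAC_MD5
esp0xe42b83e@192.168.10.60, can no longer be used, dropping packet.
"""

def records(text):
    """Undo the mail wrapping: join every line, then split on the record marker."""
    joined = " ".join(part.strip() for part in text.splitlines() if part.strip())
    for chunk in RECORD.split(joined)[1:]:
        func, _, msg = chunk.partition(":")
        yield func.strip(), msg.strip()

def dropped_packets(text):
    """Return one dict per packet KLIPS reports dropping, with the SA it names."""
    drops, flow = [], None
    for func, msg in records(text):
        if func == "ipsec_findroute" and FLOW.fullmatch(msg):
            flow = msg  # remember which packet the following records refer to
        elif "dropping packet" in msg:
            sa = SA_ID.search(msg)
            proto, spi, peer = sa.groups() if sa else (None, None, None)
            drops.append({"flow": flow, "reason": msg.split(" for SA:")[0],
                          "proto": proto, "spi": spi, "peer": peer})
    return drops

if __name__ == "__main__":
    for drop in dropped_packets(SAMPLE):
        print(drop)
```

    The reported SPI and peer can then be compared with the SAs the keying daemon believes are currently established.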

