have two machines with hifn 7955 in them, trying
  to get IPcomp working across an existing esp tunnel.

  local is 4.1 current from mar.7; remote is 4.0 stable.

  there are other peers currently in the IPsec ESP bandwagon,
  but these two are the only ones i'm trying IPcomp with, because
  they're the only ones with hifn(4)s and when i try IPcomp
  with 'comp deflate' it still gives that 'XFORM for no TBD received'
  stuff from a while ago.

  these two peers work fine when i don't try to do IPcomp and just
  run them like i normally configure things (without the extra
  IPcomp layer in between the "bgp" layer and the ESP layer).

----
ike esp \
        from 172.16.7.30 to 172.16.196.1 peer <remote public ip>\
        main auth hmac-sha1 enc aes group modp2048 life 7200 \
        quick auth hmac-sha1 enc aes group modp2048 life 7200 \
        psk blahblahblah

flow ipcomp from 172.18.7.196 to 172.18.196.7 type use
ipcomp from 172.18.7.196 to 172.18.196.7 spi 0x07c4 comp lzs
ipcomp from 172.18.196.7 to 172.18.7.196 spi 0xc407 comp lzs
----

----
enc0: flags=41<UP,RUNNING> mtu 1536
        inet 172.16.7.30 netmask 0xffffffff
gre70196: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        groups: gre
        physical address inet 172.18.7.196 --> 172.18.196.7
        inet6 fe80::200:24ff:fec4:3e6c%gre70196 ->  prefixlen 64 scopeid 0xe
        inet 172.17.7.196 --> 172.17.196.7 netmask 0xffffffff
gre77: flags=9111<UP,POINTOPOINT,PROMISC,LINK0,MULTICAST> mtu 1476
        groups: gre
        physical address inet 172.16.7.30 --> 172.16.196.1
        inet6 fe80::200:24ff:fec4:3e6c%gre77 ->  prefixlen 64 scopeid 0x12
        inet 172.18.7.196 --> 172.18.196.7 netmask 0xffffffff
----

  yielding:

----
FLOWS:
@0 flow esp in from 172.16.196.1 to 172.16.7.30 peer <remote public ip> srcid
<local public ip>/32 dstid <remote public ip>/32 type use
@1 flow esp out from 172.16.7.30 to 172.16.196.1 peer <remote public ip> srcid
<local public ip>/32 dstid <remote public ip>/32 type require
@2 flow esp in <for unrelated other peer>
@3 flow esp out <for unrelated other peer>
@4 flow ipcomp in from 172.18.196.7 to 172.18.7.196 peer 172.18.196.7 type
use
@5 flow ipcomp out from 172.18.7.196 to 172.18.196.7 peer 172.18.196.7 type
use

SAD:
@0 ipcomp tunnel from 172.18.7.196 to 172.18.196.7 spi 0x000007c4 enc lzs
        sa: cpi 0x000007c4 comp lzs
                state mature replay 0 flags 4
        lifetime_cur: alloc 0 bytes 5929222 add 1173583406 first 1173583408
        address_src: 172.18.7.196
        address_dst: 172.18.196.7
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1173589170
@0 ipcomp tunnel from 172.18.196.7 to 172.18.7.196 spi 0x0000c407 enc lzs
        sa: cpi 0x0000c407 comp lzs
                state mature replay 0 flags 4
        lifetime_cur: alloc 0 bytes 4698191 add 1173583406 first 1173583406
        address_src: 172.18.196.7
        address_dst: 172.18.7.196
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1173589170
@0 esp tunnel from <local public ip> to <remote public ip> spi 0x13b6897b auth
hmac-sha1 enc aes
        sa: spi 0x13b6897b auth hmac-sha1 enc aes
                state mature replay 16 flags 4
        lifetime_cur: alloc 0 bytes 84584 add 1173589006 first 1173589007
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: <local public ip>
        address_dst: <remote public ip>
        identity_src: type prefix id 0: <local public ip>/32
        identity_dst: type prefix id 0: <remote public ip>/32
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1173589170
@0 esp tunnel from <remote public ip> to <local public ip> spi 0x3fd4f099 auth
hmac-sha1 enc aes
        sa: spi 0x3fd4f099 auth hmac-sha1 enc aes
                state mature replay 16 flags 4
        lifetime_cur: alloc 0 bytes 85568 add 1173589006 first 1173589007
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: <remote public ip>
        address_dst: <local public ip>
        identity_src: type prefix id 0: <remote public ip>/32
        identity_dst: type prefix id 0: <local public ip>/32
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1173589170
@0 esp tunnel from <other peer> to <local> spi 0x687c9718 auth hmac-sha1 enc
aes
@0 esp tunnel from <local> to <other peer> spi 0x80951171 auth hmac-sha1 enc
aes
----

  so packets of random sizes work, other packets of random sizes don't.

  the ones that don't show up in tcpdump with this 'bad-ip-version 2'
  information.  here is tcpdump on my local peer for me trying to
  ssh from a local LAN host to the remote peer:

  the '172.18' stuff is from watching tcpdump on gre77 with -Xs1500, and the
  '192.168' stuff is from watching tcpdump on gre70196, they're both
  &'d in the same terminal:

---
00:09:22.310124 192.168.7.18.6530 > 192.168.196.1.22: S [tcp sum ok]
3422320407:3422320407(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 256240599 0> (ttl 63, id 3542, len 64)
00:09:22.310294 172.18.7.196 > 172.18.196.7: gre 172.18.7.196 > 172.18.196.7:
[] 192.168.7.18.6530 > 192.168.196.1.22: S [tcp sum ok]
3422320407:3422320407(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 256240599 0> (ttl 63, id 3542, len 64) (DF) (ttl 64, id
34890, len 88) (DF) (ttl 64, id 39670, len 108)
  0000: 4500 006c 9af6 4000 4004 7ba7 ac12 07c4  E..l.v@.@.{',..D
  0010: ac12 c407 4500 0058 884a 4000 402f 8e3c  ,.D.E..X.J@.@/.<
  0020: ac12 07c4 ac12 c407 0000 0800 4500 0040  ,..D,.D.....E..@
  0030: 0dd6 0000 3f06 217e c0a8 0712 c0a8 c401  .V..?.!~@(..@(D.
  0040: 1982 0016 cbfc 7717 0000 0000 b002 4000  ....K|w.....0.@.
  0050: 51d3 0000 0204 05b4 0101 0402 0103 0300  QS.....4........
  0060: 0101 080a 0f45 ebd7 0000 0000            .....EkW....

00:09:22.492072 172.18.196.7 > 172.18.7.196: gre 172.18.196.7 > 172.18.7.196:
[] 192.168.196.1.22 > 192.168.7.18.6530: S [tcp sum ok]
1566851549:1566851549(0) ack 3422320408 win 16384 <mss
1436,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 84613069 256240599> (ttl
64, id 65270, len 64) (DF) (ttl 64, id 43000, len 88) (ttl 64, id 47644, len
108)
  0000: 4500 006c ba1c 0000 4004 9c81 ac12 c407  E..l:...@...,.D.
  0010: ac12 07c4 4500 0058 a7f8 4000 402f 6e8e  ,..DE..X'x@.@/n.
  0020: ac12 c407 ac12 07c4 0000 0800 4500 0040  ,.D.,..D....E..@
  0030: fef6 0000 4006 2f5d c0a8 c401 c0a8 0712  ~v..@./]@(D.@(..
  0040: 0016 1982 5d64 41dd cbfc 7718 b012 4000  ....]dA]K|w.0.@.
  0050: 95c0 0000 0204 059c 0101 0402 0103 0300  .@..............
  0060: 0101 080a 050b 17cd 0f45 ebd7            .......M.EkW

00:09:22.493211 172.18.7.196 > 172.18.196.7: gre 172.18.7.196 > 172.18.196.7:
[] 192.168.7.18.6530 > 192.168.196.1.22: . [tcp sum ok] 1:1(0) ack 1 win 16384
<nop,nop,timestamp 256240599 84613069> (ttl 63, id 49564, len 52) (DF) (ttl
64, id 48729, len 76) (DF) (ttl 64, id 62033, len 96)
  0000: 4500 0060 f251 4000 4004 2458 ac12 07c4  E..`rQ@.@.$X,..D
  0010: ac12 c407 4500 004c be59 4000 402f 5839  ,.D.E..L>Y@.@/X9
  0020: ac12 07c4 ac12 c407 0000 0800 4500 0034  ,..D,.D.....E..4
  0030: c19c 0000 3f06 6dc3 c0a8 0712 c0a8 c401  A...?.mC@(..@(D.
  0040: 1982 0016 cbfc 7718 5d64 41de 8010 4000  ....K|w.]dA^..@.
  0050: d673 0000 0101 080a 0f45 ebd7 050b 17cd  Vs.......EkW...M

00:09:22.579755 172.18.196.7 > 172.18.7.196: bad-ip-version 2 (ttl 64, id
43028, len 122)
  0000: 4500 007a a814 0000 4004 ae7b ac12 c407  E..z(...@..{,.D.
  0010: ac12 07c4 2280 0006 15a0 0c80 0020 0bcc  ,..D".... ... .L
  0020: 47a5 6049 8807 c200 7626 4c04 0033 0925  G%`I..B.v&L..3.%
  0030: dac5 c284 0031 010a c054 3100 3840 0e12  ZEB..1..@T1.8@..
  0040: 0005 8328 22e9 9082 de65 bf0e e184 0060  ...("i..^e?.a..`
  0050: 84c0 6b3d 7400 0402 0805 0141 6176 683c  .@k=t......Aavh<
  0060: 8aeb 6b94 ca64 8168 c45c 391c 8b49 e703  .kk.Jd.hD\9..Ig.
  0070: 29bb 1a97 c682 e1a0 2b00                 );..F.a +.

00:09:22.492167 192.168.196.1.22 > 192.168.7.18.6530: S [tcp sum ok]
1566851549:1566851549(0) ack 3422320408 win 16384 <mss
1436,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 84613069 256240599> (ttl
64, id 65270, len 64)
00:09:22.493042 192.168.7.18.6530 > 192.168.196.1.22: . [tcp sum ok] 1:1(0)
ack 1 win 16384 <nop,nop,timestamp 256240599 84613069> (ttl 63, id 49564, len
52)
00:09:24.072030 172.18.196.7 > 172.18.7.196: bad-ip-version 2 (ttl 64, id
47366, len 120)
  0000: 4500 0078 b906 0000 4004 9d8b ac12 c407  E..x9...@...,.D.
  0010: ac12 07c4 2280 0006 1673 570a 1005 e875  ,..D"....sW...hu
  0020: 42b0 24c4 03e1 003b 131c 0200 1984 92af  B0$D.a.;......./
  0030: 28e6 1031 f9f2 c054 3100 3840 0e12 0005  (f.1yr@T1.8@....
  0040: 8328 22e9 9082 de65 bf0e e184 0060 84c0  .("i..^e?.a..`.@
  0050: 6b3c b400 0402 0805 0141 6176 803c 8aeb  k<4......Aav.<.k
  0060: 6b94 ca64 8168 c45c 391c 8b49 e703 29bb  k.Jd.hD\9..Ig.);
  0070: 1a97 c682 e1a0 2b00                      ..F.a +.

00:09:27.072035 172.18.196.7 > 172.18.7.196: bad-ip-version 2 (ttl 64, id
35975, len 122)
  0000: 4500 007a 8c87 0000 4004 ca08 ac12 c407  E..z....@.J.,.D.
  0010: ac12 07c4 2280 0006 14ab 8c80 0020 0bd0  ,..D"....+... .P
  0020: 09a5 6049 8807 c200 7626 4c04 0033 0925  .%`I..B.v&L..3.%
  0030: f409 c284 0030 d082 c054 3100 3840 0e12  t.B..0P.@T1.8@..
  0040: 0005 8328 22e9 9082 de65 bf0e e184 0060  ...("i..^e?.a..`
  0050: 84c0 6b3b 3400 0402 0805 0141 6176 b03c  .@k;4......Aav0<
  0060: 8aeb 6b94 ca64 8168 c45c 391c 8b49 e703  .kk.Jd.hD\9..Ig.
  0070: 29bb 1a97 c682 e1a0 2b00                 );..F.a +.

00:09:29.851989 172.18.196.7 > 172.18.7.196: bad-ip-version 2 (ttl 64, id
51046, len 119)
  0000: 4500 0077 c766 0000 4004 8f2c ac12 c407  E..wGf..@..,,.D.
  0010: ac12 07c4 2280 0006 1401 e70a 1005 ed60  ,..D".....g...m`
  0020: 22b0 24c4 03e1 003b 131c 0200 1984 92cd  "0$D.a.;.......M
  0030: 0be6 1031 8466 c054 3100 3840 0e12 0005  .f.1.f@T1.8@....
  0040: 89c3 d1cb d052 cd45 978a e264 0064 84c0  .CQKPRME..bd.d.@
  0050: 232a b400 0402 0805 135d 2c15 6628 c605  #*4......],.f(F.
  0060: 3299 205a 3117 0e47 22d2 79c0 ca6e c6a5  2. Z1..G"Ry@JnF%
  0070: f1a0 b868 0ac0 00                        q 8h.@.

00:09:33.302491 172.18.196.7 > 172.18.7.196: bad-ip-version 2 (ttl 64, id
41454, len 121)
  0000: 4500 0079 a1ee 0000 4004 b4a2 ac12 c407  E..y!n..@.4",.D.
  0010: ac12 07c4 2280 0006 155b 9080 0020 0bcd  ,..D"....[... .M
  0020: 4995 6049 8807 c200 7626 4c04 0033 0925  I.`I..B.v&L..3.%
  0030: 7ce0 c284 0031 bcd4 c054 3100 3840 0e12  |`B..1<T@T1.8@..
  0040: 0005 8328 22e9 9082 de65 bf0e e184 0060  ...("i..^e?.a..`
  0050: 84c0 6b68 1008 0410 0a02 82c2 ee20 7915  .@kh.......Bn y.
  0060: d6d7 2994 c902 d188 b872 3916 93ce 0653  VW).I.Q.8r9..N.S
  0070: 7635 2f8d 05c3 4056 00                   v5/..C@V.

----

  from the local lan host, here's as far as ssh got:

----
[/home/jrrs] $ ssh -vvv 192.168.196.1
OpenSSH_4.5, OpenSSL 0.9.7j 04 May 2006
debug1: Reading configuration data /home/jrrs/.ssh/config
debug1: Applying options for *
debug1: Applying options for bdr01
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.196.1 [192.168.196.1] port 22.
debug1: Connection established.
debug1: identity file /home/jrrs/.ssh/id_rsa type -1
debug1: identity file /home/jrrs/.ssh/id_dsa type -1
-----

  having done a bunch of ping tests with various packet sizes,
  it seems to be all over the place what sizes work and what
  do not.

  did a while loop incrementing the -s each time:

16 OK - 37 OK
38 FAIL - 300 FAIL
301 OK - 1094 OK
1095 FAIL
1096 OK - 1376 OK
1377 FAIL
1378 OK - 1493 OK
1494 FAIL - 1740 FAIL
1741 OK - 1774 OK
1775 FAIL
1776 OK - 2041 OK
2042 FAIL
2043 OK - 2253 OK
2254 FAIL
2255 OK - 2341 OK
2342 FAIL
2343 OK - 2381 OK
2382 FAIL
2383 OK - 2426 OK
2427 FAIL
2428 OK - 2439 OK
2440 FAIL
2441 OK - 2444 OK
2445 FAIL
2446 OK - 2640 OK
2641 FAIL
2642 OK - 2757 OK
2758 FAIL
2759 OK - 2949 OK
2950 FAIL - 3164 FAIL <stopped caring>

  in 'netstat -nspipcomp', 'output IPCOMP packets' increments
  for both successful and unsuccessful (bad-ip-ver) packets.
  'less than minimum compression length' increments for ones
  that are , well , less than the minimum.

  so.

  *if* i change the SAs to 'transport' in ipsec.conf,
  on both peers, clear the old SAs out, and redo ipsecctl, things
  are different, but not better.

  and in tcpdump(8), instead of 'bad-ip-version-2' i am seeing these for
  the failures:

---
00:44:45.738855 gre-proto-0x100 (gre encap)
00:44:45.762047 172.18.196.7 > 172.18.7.196: icmp: 172.18.196.7 protocol 47
unreachable
00:44:46.740395 gre-proto-0x100 (gre encap)
00:44:46.760962 172.18.196.7 > 172.18.7.196: icmp: 172.18.196.7 protocol 47
unreachable
---

  the '-s XX' stuff to ping has a different pattern of success:

16 OK - 57 OK
58 FAIL - 301 FAIL
302 OK - 391 OK
392 FAIL
393 OK - 1362 OK
1363 FAIL
1364 OK - 1513 OK
1514 FAIL - 1529 FAIL <^C>

--

  jared
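To make the 'bad-ip-version 2' lines in the capture concrete, here is an added Python example (not part of the original post) that decodes two of the hexdumps above: it rebuilds the raw bytes from tcpdump -X output, reads the outer IPv4 header, and checks whether the payload of a protocol-4 (IP-in-IP) packet actually begins with an IPv4 header. The two hexdumps are copied from the capture in the post (the first GRE packet of the SSH handshake and the first rejected packet); the protocol-number table is from the IANA assignments (GRE is 47, IPComp is 108).

```python
import ipaddress
import struct

# IP protocol numbers relevant to this tunnel stack (IANA assignments).
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 47: "GRE", 50: "ESP", 108: "IPCOMP"}

# Sample input copied from the tcpdump output in the post: a packet that
# decoded fine and the first one tcpdump rejected with 'bad-ip-version 2'.
GOOD_DUMP = r"""
  0000: 4500 006c 9af6 4000 4004 7ba7 ac12 07c4  E..l.v@.@.{',..D
  0010: ac12 c407 4500 0058 884a 4000 402f 8e3c  ,.D.E..X.J@.@/.<
  0020: ac12 07c4 ac12 c407 0000 0800 4500 0040  ,..D,.D.....E..@
  0030: 0dd6 0000 3f06 217e c0a8 0712 c0a8 c401  .V..?.!~@(..@(D.
  0040: 1982 0016 cbfc 7717 0000 0000 b002 4000  ....K|w.....0.@.
  0050: 51d3 0000 0204 05b4 0101 0402 0103 0300  QS.....4........
  0060: 0101 080a 0f45 ebd7 0000 0000            .....EkW....
"""
BAD_DUMP = r"""
  0000: 4500 007a a814 0000 4004 ae7b ac12 c407  E..z(...@..{,.D.
  0010: ac12 07c4 2280 0006 15a0 0c80 0020 0bcc  ,..D".... ... .L
  0020: 47a5 6049 8807 c200 7626 4c04 0033 0925  G%`I..B.v&L..3.%
  0030: dac5 c284 0031 010a c054 3100 3840 0e12  ZEB..1..@T1.8@..
  0040: 0005 8328 22e9 9082 de65 bf0e e184 0060  ...("i..^e?.a..`
  0050: 84c0 6b3d 7400 0402 0805 0141 6176 683c  .@k=t......Aavh<
  0060: 8aeb 6b94 ca64 8168 c45c 391c 8b49 e703  .kk.Jd.hD\9..Ig.
  0070: 29bb 1a97 c682 e1a0 2b00                 );..F.a +.
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: hex groups  ascii' lines (tcpdump -X) back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        if ":" not in line:
            continue
        # The hex field ends at the first double space; the ASCII column follows.
        hexfield = line.split(":", 1)[1].split("  ")[0]
        out += bytes.fromhex("".join(hexfield.split()))
    return bytes(out)


def ipv4_header(data: bytes, off: int = 0) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header starting at offset off."""
    (vihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", data, off)
    return {
        "version": vihl >> 4,
        "ihl": (vihl & 0xF) * 4,          # header length in bytes
        "len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def classify(dump: str) -> dict:
    """Decode the outer header, then check the version nibble of what follows.

    For an outer protocol of 4 (IP-in-IP) the payload must start with an
    IPv4 header; tcpdump reports any other version nibble as
    'bad-ip-version N', which is exactly what the capture shows.
    """
    data = hexdump_to_bytes(dump)
    outer = ipv4_header(data)
    inner_off = outer["ihl"]
    inner_version = data[inner_off] >> 4
    result = {"outer": outer, "inner_version": inner_version}
    if outer["proto"] == 4 and inner_version == 4:
        inner = ipv4_header(data, inner_off)
        result["inner"] = inner
        result["verdict"] = f"IP-in-IP carrying {inner['proto_name']}"
    elif outer["proto"] == 4:
        result["verdict"] = (f"bad-ip-version {inner_version}: "
                             "protocol 4 payload is not an IPv4 header")
    else:
        result["verdict"] = f"outer protocol {outer['proto_name']}"
    return result


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        r = classify(dump)
        o = r["outer"]
        print(f"{name}: {o['src']} > {o['dst']} proto {o['proto_name']} "
              f"id {o['id']} len {o['len']} -> {r['verdict']}")
```

On the working packet the outer header is protocol 4 and the payload is a second IPv4 header carrying GRE (protocol 47), with the same ids and lengths tcpdump printed (outer id 39670 len 108, inner id 34890 len 88). On the failing packet the outer header is likewise marked protocol 4, but the first payload byte is 0x22, whose version nibble is 2, so tcpdump cannot decode it as IP-in-IP. IPComp has its own protocol number (108), so running this check over a capture is a quick way to see under which protocol number the compressed packets are actually arriving.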
