My setup:

SAs:
        Bj -> A         esp
        A  -> Bj        esp
        Bk -> A         esp
        A  -> Bk        esp

SPs:
        Bj -> A         esp/tunnel
        A  -> Bj        esp/tunnel
        Bk -> A         esp/tunnel
        A  -> Bk        esp/tunnel

iproute command:
        ip r a A src Bk dev eth0

Kernel: 2.6.9 vanilla

ipsec-tools: 0.4rc1 (Slightly old but the SPs / SAs add correctly)

Traffic when running `ping A` on host 'B':
        Bk -> A         ICMP Request   !!! This should be an ESP
        A  -> Bk        ESP

With the special route deleted:
        Bj -> A         ESP w/ Bj -> A ICMP underneath
        A  -> Bj        ESP w/ A -> Bj ICMP underneath

Summary of important items:
ip policy routing used.
Packet matching policy not getting encrypted
Kernel version 2.6.9
ipsec-tools version 0.4rc1
Using IPsec tunneling

I'm more than happy to try suggestions or provide misc details.

Cheers,
Thomas

P.S.
All firewalls are turned off during these tests.
Traffic is confirmed using a 3rd system to tap.
Proper SAs are being used according to SPI numbers.

> -----Original Message-----
> From: Patrick McHardy [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 22, 2005 1:02 PM
> To: DuBuisson, Thomas
> Cc: '[email protected]'
> Subject: Re: BUG: Unintended (?) XFRM bypass
> 
> 
> DuBuisson, Thomas wrote:
> > Please CC me on all responses.
> > The XFRM framework seems to be bypassed by the use of advanced routing.
> > 
> > I have run the following test:
> > Network:    A <-------> B <---------> C
> > where the IP of 'B' on network AB is j (eth0)
> > and the IP of 'B' on network BC is k (eth1)
> > 
> > Kernel 2.6.x: Be sure to have: Advanced Routing->Policy Routing compiled in
> > your kernel.
> > 
> > A) Setup IPsec ESP tunnels between computer A and B (both IP addresses k and
> > j)
> > B) Send packets to 'A' from 'B' with IP 'k'.
> >     Do this with: ip route add A src k dev eth0
> > C) Observe that these packets are unencrypted.
> 
> Works correctly here. Which kernel are you using? Please post your full
> configuration (policies, routes, firewall rules) so we can see what's
> different with your setup.
> 
> Regards
> Patrick
> 
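An added check, not part of the thread, for the symptom described above: given the poster's SPD (esp/tunnel between A and Bj and between A and Bk in both directions), it scans tap output and flags any packet that a policy covers but that appears on the wire in the clear. The addresses and the tcpdump-style capture lines are constructed placeholders.

```python
"""Flag cleartext packets whose src/dst pair is covered by an IPsec SP.

Constructed input: addresses standing in for A, Bj and Bk from the report,
and tcpdump -n style lines as a third host tapping the wire would see them.
"""
import re

# Hypothetical addresses for A, Bj (B on net AB) and Bk (B on net BC).
A, BJ, BK = "10.0.1.1", "10.0.1.2", "10.0.2.2"

# The poster's SPD: every (src, dst) pair here requires ESP tunnel mode.
SPD = {(BJ, A), (A, BJ), (BK, A), (A, BK)}

# Constructed capture: Bk -> A ICMP shows up unencrypted, the rest are ESP.
CAPTURE = """\
12:00:00.000001 IP 10.0.1.2 > 10.0.1.1: ESP(spi=0x00001000,seq=0x1), length 100
12:00:00.000002 IP 10.0.1.1 > 10.0.1.2: ESP(spi=0x00001001,seq=0x1), length 100
12:00:00.000003 IP 10.0.2.2 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000004 IP 10.0.1.1 > 10.0.2.2: ESP(spi=0x00001003,seq=0x1), length 100
12:00:00.000005 IP 10.0.1.1 > 10.0.3.9: ICMP echo request, id 2, seq 1, length 64
"""

# Optional timestamp, then "IP src > dst: summary".
LINE_RE = re.compile(r"^(?:\S+\s+)?IP (\S+) > (\S+): (.*)$")


def host(addr):
    """Strip a trailing .port from tcpdump's a.b.c.d.port form, if present."""
    return addr.rsplit(".", 1)[0] if addr.count(".") == 4 else addr


def parse(line):
    """Return (src, dst, is_esp) for one capture line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, summary = m.groups()
    return host(src), host(dst), summary.startswith("ESP(")


def find_bypass(capture, spd):
    """Return (src, dst, line) for each cleartext packet that an SP covers.

    Packets outside the SPD (e.g. to 10.0.3.9) are legitimately cleartext
    and are not reported.
    """
    leaks = []
    for line in capture.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, is_esp = parsed
        if (src, dst) in spd and not is_esp:
            leaks.append((src, dst, line.strip()))
    return leaks


if __name__ == "__main__":
    for src, dst, line in find_bypass(CAPTURE, SPD):
        print(f"possible XFRM bypass {src} -> {dst}: {line}")
```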
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html