Re: bad ip cksum 0! -> in enc interface
Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli : > I'm setting up a roadwarrior type ikev2 secure connection from .es to .uk. > root@ganesha:/etc# cat hostname.enc0 > > root@smigol:/etc# cat hostname.enc0 > inet 172.16.44.2/32 > up > Why are you setting up hostname.enc0? What guide is recommending you to do that? > I cannot find solution in Internet and the real think is that in many > others post people copy and paste packets and this error is visible but no > one think that is in effect an error or do not speak about. > Please set a vpn up like the openbsd faq on IPSec VPNs shows, and take it from there. It never mentions adding ip to enc0 (and that is not the purpose of enc0) so I don't see why you should. enc(4) is a debug and filtering tool not a config part of vpns. -- May the most significant bit of your life be positive.
Re: bad ip cksum 0! -> in enc interface
Hi there Janne. Result is the same in both endpoints. With or without ipcomp. Any others suggestions? Nice regards to you all misc@ On Thu, Feb 6, 2020 at 8:10 AM Janne Johansson wrote: > Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli : > >> If i sniff traffic over enc0 interface I found a strange error about ip >> chksum: >> >> (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip >> cksum 0! -> c48a) >> This is the error as you can review. >> >> I cannot find solution in Internet and the real think is that in many >> others post people copy and paste packets and this error is visible but no >> one think that is in effect an error or do not speak about. >> > > You often see 0 in packet checksum fields if the packet is heading out on > a device > which claims to do ipv4 checksum offloading in hardware. In such cases, > the OS will > not spend time doing software checksums, but the hardware will do it just > before the > packet leaves for the network, so that is why the software sniffer will > see 0 there, but > the remote end (you do look for errors from both ends, right?) will see > something else > there. > > -- > May the most significant bit of your life be positive. > -- Name: Riccardo Giuntoli Email: tag...@gmail.com Location: Canyelles, BCN, España PGP Key: 0x67123739 PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739 Key server: hkp://wwwkeys.eu.pgp.net
Re: bad ip cksum 0! -> in enc interface
Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli : > If i sniff traffic over enc0 interface I found a strange error about ip > chksum: > > (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip > cksum 0! -> c48a) > This is the error as you can review. > > I cannot find solution in Internet and the real think is that in many > others post people copy and paste packets and this error is visible but no > one think that is in effect an error or do not speak about. > You often see 0 in packet checksum fields if the packet is heading out on a device which claims to do ipv4 checksum offloading in hardware. In such cases, the OS will not spend time doing software checksums, but the hardware will do it just before the packet leaves for the network, so that is why the software sniffer will see 0 there, but the remote end (you do look for errors from both ends, right?) will see something else there. -- May the most significant bit of your life be positive.
bad ip cksum 0! -> in enc interface
Hello nice people! Hello there from the Spanish neural control network!
I'm setting up a roadwarrior type ikev2 secure connection from .es to .uk.
All go fine but my head that is full of voice to skull. But I'm a unix
lover so I go up with my personal, but not only, battle.
So I've done some configuration and here you are:
1) RESPONDER:
root@ganesha:/etc# cat hostname.enc0
inet 172.16.44.1/32
up
root@ganesha:/etc# cat iked.conf
set fragmentation
ikev2 'vpnc' passive esp \
from 0.0.0.0/0 to 172.16.44.2 \
from 0.0.0.0/0 to 10.1.11.0/24 \
from 0.0.0.0/0 to 10.2.22.0/24 \
from 0.0.0.0/0 to 10.3.30.0/24 \
from 0.0.0.0/0 to 10.3.33.0/24 \
local 78.141.201.0 \
srcid vpnc.telecomlobby.com.fqdn dstid cat-01.telecomlobby.com.fqdn \
tag "$name-$id"
root@ganesha:/etc# cat pf.conf
#PACKET NORMALIZE
match out on enc scrub (max-mss 1360, no-df)
#NAT
pass out on egress from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } nat-to (egress)
root@ganesha:/etc#
Next is the client another little OpenBSD guy with a Raspberry Pi3 with
VLAN+PPPOE+IPSEC:
root@smigol:/etc# cat pf.conf
match out on enc scrub (max-mss 1360 , no-df)
match out on pppoe scrub (max-mss 1440 , no-df)
root@smigol:/etc# cat iked.conf
ikev2 'cat-01' active esp \
from 172.16.44.2 to 0.0.0.0/0 \
from 10.3.30.0/24 to 0.0.0.0/0 \
from 10.1.11.10/24 to 0.0.0.0/0 \
from 10.2.22.0/24 to 0.0.0.0/0 \
from 10.3.33.0/24 to 0.0.0.0/0 \
peer 78.141.201.0 \
srcid cat-01.telecomlobby.com.fqdn dstid vpnc.telecomlobby.com.fqdn\
tag "$name-$id"
root@smigol:/etc# cat ipsec.conf
flow from 127.0.0.1/32 to 127.0.0.1/32 type bypass
flow esp in from {10.1.11.0/24 , 10.2.22.0/24 , 10.3.30.0/24 , 10.3.33.0/24}
to {10.1.11.31/32 , 10.2.22.31/32 , 10.3.30.31/32 , 10.3.33.31/32 ,
172.16.44.2/32 , 192.168.144.1/32} type bypass
flow esp out from {10.1.11.31/32 , 10.2.22.31/32 , 10.3.30.31/32 ,
10.3.33.31/32 , 172.16.44.2/32 , 192.168.144.1/32} to {10.1.11.0/24 ,
10.2.22.0/24 , 10.3.30.0/24 , 10.3.33.0/24} type bypass
flow from {10.1.11.0/24 , 10.2.22.0/24 , 10.3.30.0/24 , 10.3.33.0/24} to {
10.1.11.0/24 , 10.2.22.0/24 , 10.3.30.0/24 , 10.3.33.0/24} type bypass
root@smigol:/etc# cat hostname.enc0
inet 172.16.44.2/32
up
If i sniff traffic over enc0 interface I found a strange error about ip
chksum:
(DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip
cksum 0! -> c48a)
This is the error as you can review.
I cannot find solution in Internet and the real think is that in many
others post people copy and paste packets and this error is visible but no
one think that is in effect an error or do not speak about.
I try some value on sysctl but no results.
Nice regards and thank you,
--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
