Bug#477426: Incorrect SP (flow) setup when in tunnel mode.

2011-02-16 Thread Christian Cier-Zniewski
I can confirm this as a serious bug. Rafal's patch shows exactly where 
the problem is.


In tunnel mode the FWD policy has to be added in addition to the IN 
policy as suggested here:

http://www.ipsec-howto.org/x304.html

And here (patch for racoon):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=292850

So the patch from Rafal should be modified so that a third policy (the 
FWD policy) is added instead of only replacing the IN policy in case of 
tunnel mode.


As a workaround you can manually duplicate the "in" policy 
configuration, replace the word "in" by "fwd" for the direction and add 
the new third "fwd" policy by using the command line tool setkey.

(see e.g. http://www.ipsec-howto.org/x304.html for how to do that)


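The three-policy SPD that the workaround above describes, as an added example (not part of the bug report or of isakmpd): a small POSIX shell function that emits the setkey entries for a tunnel-mode gateway, with the "fwd" policy mirroring the "in" policy. The networks and gateway addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the bug report. Constructed sample topology:
#   local gateway 192.0.2.1 protects 10.1.0.0/16
#   remote gateway 198.51.100.1 protects 10.2.0.0/16
#
# tunnel_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the spdadd lines for "setkey -c". On Linux >= 2.6.10 a packet that
# is decapsulated and then forwarded is matched against the fwd policy, so a
# gateway with only in/out policies silently drops traffic for the hosts
# behind it.
tunnel_spd() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4
    # Outbound: our network -> their network, tunnel from our gw to theirs.
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
    # Inbound: their network -> our network, tunnel from their gw to ours.
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
    # Forward: identical selectors and SA to "in"; only the direction differs.
    printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
}

# Sanity check helpers: a complete tunnel-mode SPD covers all three directions.
spd_dir_count() {
    tunnel_spd "$@" | grep -Ec -- '-P (out|in|fwd) '
}
has_fwd_policy() {
    tunnel_spd "$@" | grep -q -- '-P fwd '
}

# Usage on the gateway (requires root):
#   tunnel_spd 10.1.0.0/16 10.2.0.0/16 192.0.2.1 198.51.100.1 | setkey -c
```

Verify the result with `setkey -DP`, which should list one policy per direction for the same selectors.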
Bug#477426: Incorrect SP (flow) setup when in tunnel mode.

2008-04-23 Thread Rafal Lewczuk
Package: isakmpd
Version: 20041012-5
Severity: important
Tags: patch

The IPsec implementation changed in Linux 2.6.10. All packets
intended to be forwarded need to go through a flow configured
in the IPSEC_DIR_FWD direction (instead of IPSEC_DIR_INBOUND).

The way isakmpd configures IPsec (IPSEC_DIR_INBOUND for input flows)
causes incoming packets (intended to be forwarded) to be directed
into the INPUT chain and silently discarded.

The attached patch fixes this behavior for me but I'm not sure it is correct
(I don't know the isakmpd code at all, don't know much about IPsec and don't
have enough time to dig more). It configures an IPSEC_DIR_FWD input flow if
in tunnel mode and IPSEC_DIR_INBOUND otherwise. Cases where a host sets
up IPsec in tunnel mode but uses this tunnel itself (instead of just
forwarding packets further) probably need to be handled. I hope this
patch will at least be useful for showing precisely where the problem
is.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-vserver-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages isakmpd depends on:
ii  libc6        2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libgmp3c2    2:4.2.1+dfsg-4     Multiprecision arithmetic library
ii  libssl0.9.8  0.9.8c-4etch1      SSL shared libraries

isakmpd recommends no packages.


diff -ruN isakmpd-20041012.orig/pf_key_v2.c isakmpd-20041012/pf_key_v2.c
--- isakmpd-20041012.orig/pf_key_v2.c	2008-04-21 10:01:55.0 +0200
+++ isakmpd-20041012/pf_key_v2.c	2008-04-23 09:02:40.0 +0200
@@ -2318,16 +2318,7 @@
 	policy-sadb_x_policy_len = len / PF_KEY_V2_CHUNK;
 	policy-sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 	if (ingress)
-#ifdef LINUX_IPSEC
-	{
-	if (iproto-encap_mode == IPSEC_ENCAP_TUNNEL)
-		policy-sadb_x_policy_dir = IPSEC_DIR_FWD;
-	else
 		policy-sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-	}
-#else
-		policy-sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-#endif
 	else
 		policy-sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
 	policy-sadb_x_policy_reserved = 0;
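Review bot: the hunk is reversed relative to the description: the `-` lines carry the `#ifdef LINUX_IPSEC` / `IPSEC_DIR_FWD` logic the report says the patch adds, and the header `@@ -2318,16 +2318,7 @@` shows the region shrinking from 16 to 7 lines, so as posted it would strip the change from an already patched tree rather than add it; regenerate the diff with the file arguments in the other order (or apply it with `patch -R`). The member accesses also read `policy-sadb_x_policy_dir` and `iproto-encap_mode` rather than `policy->sadb_x_policy_dir` and `iproto->encap_mode`, so the `>` has been lost in transit and the hunk will not apply verbatim. On the logic itself, `if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) policy->sadb_x_policy_dir = IPSEC_DIR_FWD;` replaces the inbound policy instead of adding a forward policy beside it, so a tunnel whose traffic terminates on the gateway itself is left with no IN policy; emitting a second policy with the same selectors and `IPSEC_DIR_FWD` alongside the existing `IPSEC_DIR_INBOUND` one, as the follow-up in this thread suggests, is the safer shape.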