Package: isakmpd
Version: 20041012-5
Severity: important
Tags: patch
The IPsec implementation has been changed in Linux 2.6.10. All packets
intended to be forwarded need to go through a flow configured in the
IPSEC_DIR_FWD direction (instead of IPSEC_DIR_INBOUND).
The way isakmpd configures IPsec (IPSEC_DIR_INBOUND for input flows)
causes incoming packets (intended to be forwarded) to be directed
into the INPUT chain and silently discarded.
The attached patch fixes this behavior for me, but I'm not sure it is correct
(I don't know the isakmpd code at all, don't know much about IPsec and don't
have enough time to dig further). It configures an IPSEC_DIR_FWD input flow if
in tunnel mode and IPSEC_DIR_INBOUND otherwise. Cases with a host setting
up IPsec in tunnel mode but using this tunnel itself (instead of just
forwarding packets further) probably need to be handled. I hope this
patch will at least be useful for showing precisely where the problem
is.
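An added example (not code from this report or from isakmpd) that shows the three ways the ingress policy direction can be chosen (the stock isakmpd behaviour, the attached patch, and INBOUND plus FWD for tunnel mode), serializes the SADB_X_EXT_POLICY extension the way pf_key_v2.c's `len / PF_KEY_V2_CHUNK` computation does, and models the post-decapsulation lookup the report describes. The constants and the two struct layouts are copied from linux/ipsec.h and linux/pfkeyv2.h rather than included so the file builds without kernel headers (that they match the running kernel is an assumption), the INSTALL_* strategy names and the tunnel endpoint addresses 192.0.2.1/198.51.100.1 are constructed for the example, and `packet_accepted` is a simplification of the kernel's check, not kernel code.

```c
/* Added example, not isakmpd code. Shows (1) which SPD directions an ingress
 * SA gets under the stock code, the attached patch, and the "both" option;
 * (2) the SADB_X_EXT_POLICY layout pf_key_v2.c fills in; (3) a model of the
 * post-decapsulation lookup described in the report. Constants and struct
 * layouts are copied from linux/ipsec.h and linux/pfkeyv2.h (assumed to match
 * your kernel; on Linux you can include those headers instead). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IPSEC_DIR_INBOUND = 1, IPSEC_DIR_OUTBOUND = 2, IPSEC_DIR_FWD = 3 };
enum { IPSEC_MODE_TRANSPORT = 1, IPSEC_MODE_TUNNEL = 2 };
enum { IPSEC_POLICY_IPSEC = 2, IPSEC_LEVEL_REQUIRE = 2, SADB_X_EXT_POLICY = 18 };
enum { INSTALL_STOCK, INSTALL_PATCH, INSTALL_BOTH };   /* strategy names: ours */
#define PF_KEY_V2_CHUNK 8   /* sadb_*_len fields count 64-bit words */

struct sadb_x_policy {                 /* 16 bytes, as in linux/pfkeyv2.h */
    uint16_t sadb_x_policy_len, sadb_x_policy_exttype, sadb_x_policy_type;
    uint8_t  sadb_x_policy_dir, sadb_x_policy_reserved;
    uint32_t sadb_x_policy_id, sadb_x_policy_priority;
} __attribute__((packed));

struct sadb_x_ipsecrequest {           /* 16 bytes, as in linux/pfkeyv2.h */
    uint16_t sadb_x_ipsecrequest_len, sadb_x_ipsecrequest_proto;
    uint8_t  sadb_x_ipsecrequest_mode, sadb_x_ipsecrequest_level;
    uint16_t sadb_x_ipsecrequest_reserved1;
    uint32_t sadb_x_ipsecrequest_reqid, sadb_x_ipsecrequest_reserved2;
} __attribute__((packed));

/* Directions an ingress SA is installed in. STOCK: INBOUND only. PATCH: FWD
 * instead of INBOUND in tunnel mode. BOTH: INBOUND plus FWD in tunnel mode,
 * which a gateway that also terminates traffic itself needs. */
size_t ingress_policy_dirs(int strategy, int mode, uint8_t dirs[2])
{
    int tunnel = (mode == IPSEC_MODE_TUNNEL);
    size_t n = 0;
    if (!tunnel || strategy != INSTALL_PATCH)
        dirs[n++] = IPSEC_DIR_INBOUND;
    if (tunnel && strategy != INSTALL_STOCK)
        dirs[n++] = IPSEC_DIR_FWD;
    return n;
}

/* Model of the lookup the report describes: after decapsulation the kernel
 * consults the INBOUND SPD for packets addressed to this host and the FWD SPD
 * for packets it will route onward; a tunnel-mode packet with no policy in the
 * consulted direction is discarded. A simplification, not kernel code. */
int packet_accepted(const uint8_t *dirs, size_t n, int dst_is_local)
{
    uint8_t want = dst_is_local ? IPSEC_DIR_INBOUND : IPSEC_DIR_FWD;
    for (size_t i = 0; i < n; i++)
        if (dirs[i] == want)
            return 1;
    return 0;
}

/* Serialize one SADB_X_EXT_POLICY extension: policy header, one ESP request,
 * and in tunnel mode the two tunnel endpoints as sockaddr_in. Returns bytes
 * written, or 0 on a bad address or a too-small buffer. */
size_t build_policy_ext(uint8_t *buf, size_t cap, uint8_t dir, uint8_t mode,
                        uint32_t reqid, const char *tun_src, const char *tun_dst)
{
    struct sadb_x_policy pol;
    struct sadb_x_ipsecrequest req;
    struct sockaddr_in ep[2];
    size_t reqlen = sizeof req + (mode == IPSEC_MODE_TUNNEL ? sizeof ep : 0);
    size_t total = sizeof pol + reqlen;

    if (cap < total || total % PF_KEY_V2_CHUNK != 0)
        return 0;
    memset(&pol, 0, sizeof pol);
    pol.sadb_x_policy_len = (uint16_t)(total / PF_KEY_V2_CHUNK); /* as in isakmpd */
    pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    pol.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
    pol.sadb_x_policy_dir = dir;
    memset(&req, 0, sizeof req);
    req.sadb_x_ipsecrequest_len = (uint16_t)reqlen;   /* this length is in bytes */
    req.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
    req.sadb_x_ipsecrequest_mode = mode;
    req.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
    req.sadb_x_ipsecrequest_reqid = reqid;
    memcpy(buf, &pol, sizeof pol);
    memcpy(buf + sizeof pol, &req, sizeof req);
    if (mode == IPSEC_MODE_TUNNEL) {
        memset(ep, 0, sizeof ep);
        ep[0].sin_family = ep[1].sin_family = AF_INET;
        if (inet_pton(AF_INET, tun_src, &ep[0].sin_addr) != 1 ||
            inet_pton(AF_INET, tun_dst, &ep[1].sin_addr) != 1)
            return 0;
        memcpy(buf + sizeof pol + sizeof req, ep, sizeof ep);
    }
    return total;
}

int main(void)
{
    static const char *name[] = { "stock", "patch", "both " };
    uint8_t dirs[2], buf[64];
    for (int s = INSTALL_STOCK; s <= INSTALL_BOTH; s++) {
        size_t n = ingress_policy_dirs(s, IPSEC_MODE_TUNNEL, dirs);
        printf("%s: local delivery %s, forwarding %s\n", name[s],
               packet_accepted(dirs, n, 1) ? "ok" : "DROP",
               packet_accepted(dirs, n, 0) ? "ok" : "DROP");
        for (size_t i = 0; i < n; i++)   /* endpoints are constructed TEST-NET addresses */
            printf("  SADB_X_SPDADD dir=%u, policy ext %zu bytes\n", dirs[i],
                   build_policy_ext(buf, sizeof buf, dirs[i], IPSEC_MODE_TUNNEL,
                                    1, "192.0.2.1", "198.51.100.1"));
    }
    return 0;
}
```

Running it prints that the stock strategy drops forwarded packets, the patch strategy drops locally delivered ones, and only installing both directions accepts both; with ipsec-tools the equivalent is a pair of `spdadd` entries, one with `-P in` and one with `-P fwd`, for the same tunnel.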
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-vserver-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages isakmpd depends on:
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libgmp3c2 2:4.2.1+dfsg-4 Multiprecision arithmetic library
ii libssl0.9.8 0.9.8c-4etch1 SSL shared libraries
isakmpd recommends no packages.
diff -ruN isakmpd-20041012.orig/pf_key_v2.c isakmpd-20041012/pf_key_v2.c
--- isakmpd-20041012.orig/pf_key_v2.c 2008-04-21 10:01:55.0 +0200
+++ isakmpd-20041012/pf_key_v2.c 2008-04-23 09:02:40.0 +0200
@@ -2318,16 +2318,7 @@
policy-sadb_x_policy_len = len / PF_KEY_V2_CHUNK;
policy-sadb_x_policy_type = IPSEC_POLICY_IPSEC;
if (ingress)
-#ifdef LINUX_IPSEC
- {
- if (iproto-encap_mode == IPSEC_ENCAP_TUNNEL)
- policy-sadb_x_policy_dir = IPSEC_DIR_FWD;
- else
policy-sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- }
-#else
- policy-sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-#endif
else
policy-sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
policy-sadb_x_policy_reserved = 0;
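Review bot: replacing IPSEC_DIR_INBOUND with IPSEC_DIR_FWD in the tunnel-mode branch of the `if (ingress)` block leaves a tunnel-mode SA whose traffic terminates on this host with no inbound policy at all, which is the case the report itself flags as unhandled; since Linux keeps the INBOUND and FWD policies separate, the safer change is to keep the IPSEC_DIR_INBOUND policy and emit a second policy with `policy->sadb_x_policy_dir = IPSEC_DIR_FWD` when `iproto->encap_mode == IPSEC_ENCAP_TUNNEL`, rather than choosing one or the other. The hunk is also reversed relative to its header: `@@ -2318,16 +2318,7 @@` and the `-` prefix on the whole `#ifdef LINUX_IPSEC ... #endif` block say the patch removes that code, while the report says it adds it, so `patch -p1` against the stock source would fail or, against an already-fixed tree, revert the fix; regenerate it with `diff -ruN` taking the original tree first. Finally, the member accesses render here as `policy-sadb_x_policy_dir`; make sure the submitted file has `->`.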