[Firewall] Fwd: Issues debugging production ESP tunnels (used for prototype in Astlinux distro)

Philip A. Prindeville philipp_subx at redfish-solutions.com
Sat Jan 10 02:08:04 CET 2009


Define "strange"... :-)

I'm seeing the tunnel coming up... and I'm seeing "racoon" logs in 
/var/log/messages telling me that IKE negotiation took place...

But I'm also seeing the counters for UDP dpt:500 on EXT_INPUT_CHAIN 
staying zero!!!!!

-Philip


Arno van Amersfoort wrote:
> Are you seeing strange things going on in your firewall logs?
>
> a.
>
> Philip A. Prindeville wrote:
>> Normally I wouldn't cross post, but I'm thinking this might be more 
>> of a firewall issue, since we've otherwise not changed anything in 
>> terms of the ipsec tools themselves.
>>
>> -Philip
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Issues debugging production ESP tunnels (used for prototype in 
>> Astlinux distro)
>> From:
>> "Philip A. Prindeville" <philipp_subx at redfish-solutions.com>
>> Date:
>> Sun, 04 Jan 2009 17:02:24 -0800
>> To:
>> ipsec-tools-users at lists.sourceforge.net
>>
>>
>> I have two boxes running Astlinux (2.6.26.8 kernel + ipsec-tools 
>> 0.7.1) in SEA and BOI.
>>
>> I've configured them as below.
>>
>> I'm also running Arno's Iptables firewall 1.9.0-rc5 at one, and 
>> 1.8.8o at another.
>>
>> I have RP_FILTER disabled, and my IPSEC_VPN_NETS and 
>> IPSEC_ALLOWED_HOSTS are taken from the values below 
>> (IPSEC_ALLOWED_HOSTS is set to the SA's remote address, and the 
>> values of IPSEC_VPN_NETS is set to networks being imported). 
>> TRUSTED_IF is unset.
>>
>> If I do a ping from BOI (B.B.B.B as the public address) to SEA 
>> (S.S.S.S), I just get:
>>
>> pbx ~ # ping -c 3 192.168.10.1
>> PING 192.168.10.1 (192.168.10.1): 56 data bytes
>>
>> --- 192.168.10.1 ping statistics ---
>> 3 packets transmitted, 0 packets received, 100% packet loss
>> pbx ~ #
>>
>> If I do a traceroute, I get:
>>
>> pbx ~ # traceroute 192.168.10.3
>> traceroute to 192.168.10.3 (192.168.10.3), 30 hops max, 38 byte packets
>> 1 pbx.redfish-solutions.com (B.B.B.B) 3016.665 ms !H 3020.890 ms !H 3021.120 ms !H
>> pbx ~ #
>>
>>
>> I don't have tcpdump compiled with crypto because of some issues with 
>> the autoconf script not handling cross-compilation properly.
>>
>> I'm trying to figure out what is going wrong, because we want to 
>> debug the configuration, then automate it as "boilerplate" in the 
>> distro.
>>
>> We did have it working reliably for a while, but it stopped working 
>> following some changes made to the Firewall shim code, and we've not 
>> been able to isolate which change caused the issue.
>>
>> Can someone help me through the troubleshooting steps so we can 
>> figure out what is happening to the traffic?
>>
>> Thanks,
>>
>> -Philip
>>
>> ========
>> SEA
>>
>> pbx / # setkey -D
>> B.B.B.B S.S.S.S esp mode=tunnel spi=128695538(0x07abbcf2) reqid=0(0x00000000)
>>     E: 3des-cbc a4f91f54 2b2720e4 3fbc1c7c 5c9fa83d c2be21f9 41bf3554
>>     A: hmac-md5 6aa5548c ced96b86 ef944341 947eb9bb
>>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>>     created: Jan 4 16:04:54 2009   current: Jan 4 16:44:12 2009
>>     diff: 2358(s)   hard: 3600(s)   soft: 2880(s)
>>     last:           hard: 0(s)      soft: 0(s)
>>     current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
>>     allocated: 0   hard: 0   soft: 0
>>     sadb_seq=1 pid=3560 refcnt=0
>> S.S.S.S B.B.B.B esp mode=tunnel spi=129039947(0x07b0fe4b) reqid=0(0x00000000)
>>     E: 3des-cbc 1721a852 16f878a8 961a46a8 7340b573 f3023228 323c7b84
>>     A: hmac-md5 5d004e83 102fcdd4 48342691 77048ae4
>>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>>     created: Jan 4 16:04:54 2009   current: Jan 4 16:44:12 2009
>>     diff: 2358(s)   hard: 3600(s)   soft: 2880(s)
>>     last:           hard: 0(s)      soft: 0(s)
>>     current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
>>     allocated: 0   hard: 0   soft: 0
>>     sadb_seq=0 pid=3560 refcnt=0
>> pbx / # setkey -D -P
>> 192.168.10.0/24[any] 192.168.1.0/24[any] any
>>     out ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 00:52:42 2009  lastused: Jan 4 16:44:10 2009
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=97 seq=1 pid=3561
>>     refcnt=4
>> 192.168.1.0/24[any] 192.168.10.0/24[any] any
>>     in ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 00:52:42 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=104 seq=2 pid=3561
>>     refcnt=1
>> 192.168.1.0/24[any] 192.168.10.0/24[any] any
>>     fwd ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 00:52:42 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=114 seq=3 pid=3561
>>     refcnt=1
>> 192.168.10.0/24[any] 192.168.3.0/24[any] any
>>     out ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 00:52:42 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=121 seq=4 pid=3561
>>     refcnt=1
>> 192.168.3.0/24[any] 192.168.10.0/24[any] any
>>     in ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 00:52:42 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=128 seq=5 pid=3561
>>     refcnt=1
>> 192.168.3.0/24[any] 192.168.10.0/24[any] any
>>     fwd ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 00:52:42 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=138 seq=0 pid=3561
>>     refcnt=1
>> pbx / # ifconfig
>> br1       Link encap:Ethernet  HWaddr 00:00:24:C9:30:01
>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1020592 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1305930 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:185270345 (176.6 MiB)  TX bytes:1462210420 (1.3 GiB)
>>
>> eth1      Link encap:Ethernet  HWaddr 00:00:24:C9:30:01
>>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>           Interrupt:5 Base address:0x4100
>>
>> eth2      Link encap:Ethernet  HWaddr 00:00:24:C9:30:02
>>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>           Interrupt:9 Base address:0x6200
>>
>> eth3      Link encap:Ethernet  HWaddr 00:00:24:C9:30:03
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1020597 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1305930 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:202156549 (192.7 MiB)  TX bytes:1462210420 (1.3 GiB)
>>           Interrupt:12 Base address:0x8300
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:43 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:5287 (5.1 KiB)  TX bytes:5287 (5.1 KiB)
>>
>> ppp0      Link encap:Point-to-Point Protocol
>>           inet addr:S.S.S.S  P-t-P:Q.Q.Q.Q  Mask:255.255.255.255
>>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>>           RX packets:1241545 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:888948 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:3
>>           RX bytes:1431360739 (1.3 GiB)  TX bytes:128776438 (122.8 MiB)
>>
>> w1ad      Link encap:Ethernet  HWaddr 00:77:77:77:82:7B
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1268344 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:933447 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:1460282807 (1.3 GiB)  TX bytes:149208820 (142.2 MiB)
>>           Interrupt:10 Memory:d08e0000-d08e1fff
>> pbx / # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br1             8000.000024c93001       no              eth1
>>                                                         eth2
>>                                                         eth3
>> pbx / # netstat -n -r
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> Q.Q.Q.Q         0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
>> 192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 br1
>> 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
>> pbx / #
>>
>> ========
>>
>> BOI
>>
>>
>> pbx ~ # setkey -D
>> S.S.S.S B.B.B.B esp mode=tunnel spi=129039947(0x07b0fe4b) reqid=0(0x00000000)
>>     E: 3des-cbc 1721a852 16f878a8 961a46a8 7340b573 f3023228 323c7b84
>>     A: hmac-md5 5d004e83 102fcdd4 48342691 77048ae4
>>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>>     created: Jan 4 17:04:54 2009   current: Jan 4 17:46:26 2009
>>     diff: 2492(s)   hard: 3600(s)   soft: 2880(s)
>>     last:           hard: 0(s)      soft: 0(s)
>>     current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
>>     allocated: 0   hard: 0   soft: 0
>>     sadb_seq=1 pid=14998 refcnt=0
>> B.B.B.B S.S.S.S esp mode=tunnel spi=128695538(0x07abbcf2) reqid=0(0x00000000)
>>     E: 3des-cbc a4f91f54 2b2720e4 3fbc1c7c 5c9fa83d c2be21f9 41bf3554
>>     A: hmac-md5 6aa5548c ced96b86 ef944341 947eb9bb
>>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>>     created: Jan 4 17:04:54 2009   current: Jan 4 17:46:26 2009
>>     diff: 2492(s)   hard: 3600(s)   soft: 2880(s)
>>     last:           hard: 0(s)      soft: 0(s)
>>     current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
>>     allocated: 0   hard: 0   soft: 0
>>     sadb_seq=0 pid=14998 refcnt=0
>> pbx ~ # setkey -D -P
>> 192.168.1.0/24[any] 192.168.10.0/24[any] any
>>     out ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=129 seq=1 pid=14999
>>     refcnt=1
>> 192.168.10.0/24[any] 192.168.1.0/24[any] any
>>     in ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=136 seq=2 pid=14999
>>     refcnt=1
>> 192.168.10.0/24[any] 192.168.1.0/24[any] any
>>     fwd ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=146 seq=3 pid=14999
>>     refcnt=1
>> 192.168.3.0/24[any] 192.168.10.0/24[any] any
>>     out ipsec
>>     esp/tunnel/B.B.B.B-S.S.S.S/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=153 seq=4 pid=14999
>>     refcnt=1
>> 192.168.10.0/24[any] 192.168.3.0/24[any] any
>>     in ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=160 seq=5 pid=14999
>>     refcnt=1
>> 192.168.10.0/24[any] 192.168.3.0/24[any] any
>>     fwd ipsec
>>     esp/tunnel/S.S.S.S-B.B.B.B/require
>>     created: Jan 4 01:52:35 2009  lastused:
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=170 seq=0 pid=14999
>>     refcnt=1
>> pbx ~ # ifconfig
>> ap0       Link encap:Ethernet  HWaddr 06:02:6F:4B:C7:04
>>           UP BROADCAST RUNNING MULTICAST  MTU:2290  Metric:1
>>           RX packets:895434 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:2042596 errors:0 dropped:392 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:197271804 (188.1 MiB)  TX bytes:672388859 (641.2 MiB)
>>
>> br0       Link encap:Ethernet  HWaddr 00:00:24:C9:28:A4
>>           inet addr:B.B.B.B  Bcast:66.232.79.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:664688 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:654946 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:366342993 (349.3 MiB)  TX bytes:178574940 (170.3 MiB)
>>
>> br1       Link encap:Ethernet  HWaddr 00:00:24:C9:28:A6
>>           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:2874901 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1172387 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:690602050 (658.6 MiB)  TX bytes:527443783 (503.0 MiB)
>>
>> eth0      Link encap:Ethernet  HWaddr 00:00:24:C9:28:A4
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:664694 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:654946 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:375894394 (358.4 MiB)  TX bytes:178574940 (170.3 MiB)
>>           Interrupt:11 Base address:0x8000
>>
>> eth1      Link encap:Ethernet  HWaddr 00:00:24:C9:28:A5
>>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>           Interrupt:5 Base address:0x100
>>
>> eth2      Link encap:Ethernet  HWaddr 00:00:24:C9:28:A6
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:2708107 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:833087 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:660263684 (629.6 MiB)  TX bytes:289840990 (276.4 MiB)
>>           Interrupt:9 Base address:0x2200
>>
>> eth2.1    Link encap:Ethernet  HWaddr 00:00:24:C9:28:A6
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:2429226 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:833087 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:606022550 (577.9 MiB)  TX bytes:289840990 (276.4 MiB)
>>
>> eth2.3    Link encap:Ethernet  HWaddr 00:00:24:C9:28:A6
>>           inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>
>> eth2.4    Link encap:Ethernet  HWaddr 00:00:24:C9:28:A6
>>           inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>
>> eth3      Link encap:Ethernet  HWaddr 00:00:24:C9:28:A7
>>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>           Interrupt:12 Base address:0x4300
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:2560 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:2560 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:286696 (279.9 KiB)  TX bytes:286696 (279.9 KiB)
>>
>> wifi0     Link encap:UNSPEC  HWaddr 00-02-6F-4B-C7-04-00-00-00-00-00-00-00-00-00-00
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1365326 errors:0 dropped:0 overruns:0 frame:145607
>>           TX packets:2085706 errors:5061 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:280
>>           RX bytes:199630566 (190.3 MiB)  TX bytes:756727827 (721.6 MiB)
>>           Interrupt:15
>> pbx ~ # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.000024c928a4       no              eth0
>>                                                         eth1
>> br1             8000.000024c928a6       no              ap0
>>                                                         eth2.1
>>                                                         eth3
>> pbx ~ # netstat -n -r
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2.4
>> 192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2.3
>> B.B.B.0         0.0.0.0         255.255.255.0   U         0 0          0 br0
>> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth2.4
>> 224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth2.3
>> 224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 br1
>> 0.0.0.0         B.B.B.1         0.0.0.0         UG        0 0          0 br0
>> pbx ~ #
>>

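The pattern visible in the dumps above is worth checking mechanically rather than by eye: every SA on both boxes is state=mature but shows current: 0(bytes), and on the BOI side none of the "out" policies has a lastused timestamp, while on SEA only the 192.168.10.0/24 -> 192.168.1.0/24 out policy has ever been hit. The script below is an added example written for this page; it is not code from the thread, from ipsec-tools or from Astlinux. It parses the text that `setkey -D` (the SAD) and `setkey -D -P` (the SPD) print, lists mature SAs that have never carried a byte, and lists outbound ipsec policies the kernel has never selected for a packet. The SAMPLE_* dumps are constructed to match the layout of the output quoted above, with the key material replaced by zeros; the second SA (to the invented peer C.C.C.C) and its non-zero counters are made up so that the filter has something to keep as well as something to flag.

```python
"""Triage for 'tunnel negotiated but nothing flows': parse the text that
`setkey -D` (SAD) and `setkey -D -P` (SPD) print and flag SAs and outbound
policies that have never carried a packet. Added example, not from the thread
or from ipsec-tools; the SAMPLE_* dumps are constructed, keys zeroed."""
import re
import sys

SA_HEADER = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>esp|ah|ipcomp)"
                       r"\s+mode=(?P<mode>\S+)\s+spi=\d+\((?P<spi>0x[0-9a-fA-F]+)\)")
SA_STATE = re.compile(r"\bstate=(?P<state>\w+)")
SA_AGE = re.compile(r"^\s*diff:\s*(?P<diff>\d+)\(s\)")            # seconds since creation
SA_BYTES = re.compile(r"^\s*current:\s*(?P<bytes>\d+)\(bytes\)")  # skips 'current: <date>'
SP_HEADER = re.compile(r"^(?P<src>\S+)\[[^\]]*\]\s+(?P<dst>\S+)\[[^\]]*\]\s+\S+\s*$")
SP_DIR = re.compile(r"^\s*(?P<dir>in|out|fwd)\s+(?P<action>ipsec|discard|none)")
SP_LASTUSED = re.compile(r"lastused:\s*(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})?")


def parse_sad(text):
    """One dict per SA: src, dst, proto, mode, spi, state, age (s), bytes."""
    sas = []
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            sas.append({**m.groupdict(), "state": None, "age": 0, "bytes": 0})
        elif sas and (m := SA_STATE.search(line)):
            sas[-1]["state"] = m.group("state")
        elif sas and (m := SA_AGE.match(line)):
            sas[-1]["age"] = int(m.group("diff"))
        elif sas and (m := SA_BYTES.match(line)):
            sas[-1]["bytes"] = int(m.group("bytes"))
    return sas


def parse_spd(text):
    """One dict per policy: src, dst, dir, action, lastused (None = never matched)."""
    sps = []
    for line in text.splitlines():
        if m := SP_HEADER.match(line):
            sps.append({**m.groupdict(), "dir": None, "action": None, "lastused": None})
        elif sps and (m := SP_DIR.match(line)):
            sps[-1]["dir"], sps[-1]["action"] = m.group("dir"), m.group("action")
        elif sps and (m := SP_LASTUSED.search(line)):
            sps[-1]["lastused"] = m.group("ts")  # None when 'lastused:' is empty
    return sps


def idle_sas(sas, min_age=60):
    """Mature SAs at least min_age seconds old whose byte counter is still zero."""
    return [s for s in sas if s["state"] == "mature" and s["age"] >= min_age and s["bytes"] == 0]


def unused_policies(sps, direction="out"):
    """ipsec policies in `direction` that the kernel has never selected for a packet."""
    return [p for p in sps if p["action"] == "ipsec" and p["dir"] == direction and p["lastused"] is None]


def report(sad_text, spd_text):
    """Findings as strings; an empty list means both the SPD and the SAD see traffic."""
    out = [f"SA {s['src']}->{s['dst']} spi={s['spi']}: mature for {s['age']}s, 0 bytes"
           for s in idle_sas(parse_sad(sad_text))]
    out += [f"out policy {p['src']}->{p['dst']}: never matched a packet"
            for p in unused_policies(parse_spd(spd_text))]
    return out


SAMPLE_SAD = """\
B.B.B.B S.S.S.S esp mode=tunnel spi=128695538(0x07abbcf2) reqid=0(0x00000000)
\tE: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
\tA: hmac-md5  00000000 00000000 00000000 00000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  4 16:04:54 2009\tcurrent: Jan  4 16:44:12 2009
\tdiff: 2358(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast:\t\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=1 pid=3560 refcnt=0
S.S.S.S C.C.C.C esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
\tA: hmac-md5  00000000 00000000 00000000 00000000
\tseq=0x000001a4 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  4 16:04:54 2009\tcurrent: Jan  4 16:44:12 2009
\tdiff: 2358(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Jan  4 16:44:11 2009\thard: 0(s)\tsoft: 0(s)
\tcurrent: 61152(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 420\thard: 0\tsoft: 0
\tsadb_seq=0 pid=3560 refcnt=0
"""

SAMPLE_SPD = """\
192.168.10.0/24[any] 192.168.1.0/24[any] any
\tout ipsec
\tesp/tunnel/S.S.S.S-B.B.B.B/require
\tcreated: Jan  4 00:52:42 2009  lastused: Jan  4 16:44:10 2009
\tlifetime: 0(s) validtime: 0(s)
\tspid=97 seq=1 pid=3561
\trefcnt=4
192.168.10.0/24[any] 192.168.3.0/24[any] any
\tout ipsec
\tesp/tunnel/S.S.S.S-B.B.B.B/require
\tcreated: Jan  4 00:52:42 2009  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=121 seq=4 pid=3561
\trefcnt=1
"""

if __name__ == "__main__":
    # Live use: python3 ipsec_triage.py <(setkey -D) <(setkey -D -P); no args -> samples.
    sad, spd = map(lambda p: open(p).read(), sys.argv[1:3]) if len(sys.argv) == 3 else (SAMPLE_SAD, SAMPLE_SPD)
    print("\n".join(report(sad, spd) or ["no idle SAs or unused out-policies"]))
```

Two readings follow from the counters, independent of what the firewall shim does. The SAD byte counter is incremented when the kernel actually encrypts or decrypts a packet with that SA, so zero bytes on both peers after forty minutes means no ESP was ever produced, not that ESP was produced and lost in transit. The SPD lastused field is set when the kernel selects that policy for a packet, so an outbound policy with an empty lastused means no packet matching its selector ever reached the policy lookup; that points at the route and source-address selection for the destination (and at anything that rejects the packet before it is routed) rather than at IKE, which the racoon logs and the mature SAs already show to be working.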

