Strange IPSEC behavior for a basic setup

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Subject: Strange IPSEC behavior for a basic setup

Date: Saturday, November 13, 2004 - 10:40 pm

Hi!

I encountered a strange behavior with IPSEC when doing the following:

I have two gateways, A (3.5 GENERIC#1 i386) and B (3.6 GENERIC#59 i386).

Between those two I have created simple security associations, as described 
in the vpn man page. I did not define any flows.

I can connect with SSH from A to B (or the other way round, doesn't matter), 
no problems.

However, when watching the packets on the wire, the first three packets of 
the SSH TCP connection are ALWAYS being sent plain, while the following 
packets are sent encapsulated.

(see attached tcpdump)

Do I miss something?

(Actually, I am also interested in why the packets get encrpyted at all, 
since there is no matching flow?)

Thanks,
Christian

========================================================

SA:

/sbin/ipsecadm new esp -src A.A.A.A -dst B.B.B.B \
        -forcetunnel -spi 1000 -enc aes -auth sha1 \
        -keyfile enc_key -authkeyfile auth_key

/sbin/ipsecadm new esp -src B.B.B.B -dst A.A.A.A \
        -forcetunnel -spi 1001 -enc aes -auth sha1 \
        -keyfile enc_key -authkeyfile auth_key

========================================================

tcpdump -n -i em0: (on B.B.B.B, while A.A.A.A is connecting with SSH, no 
other traffic)

03:50:49.059868 A.A.A.A.29567 > B.B.B.B.22: S 3890748540:3890748540(0) win 
16384 <mss 1404,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1748988273 0> 
(DF)
03:50:49.059939 B.B.B.B.22 > A.A.A.A.29567: S 27341233:27341233(0) ack 
3890748541 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 
915081925 1748988273> (DF)
03:50:49.104340 A.A.A.A.29567 > B.B.B.B.22: . ack 1 win 16384 
<nop,nop,timestamp 1748988273 915081925> (DF)
03:50:49.113965 esp B.B.B.B > A.A.A.A spi 0x00001001 seq 14520 len 116 (DF)
03:50:49.163055 esp A.A.A.A > B.B.B.B spi 0x00001000 seq 12115 len 116 (DF)
03:50:49.164906 esp B.B.B.B > A.A.A.A spi 0x00001001 seq 14521 len 740 (DF)
03:50:49.217896 esp A.A.A.A > B.B.B.B spi 0x00001000 seq 12116 len 708 (DF)
03:50:49.410039 esp B.B.B.B > A.A.A.A spi 0x00001001 seq 14522 len 100 (DF)
03:50:49.433388 esp A.A.A.A > B.B.B.B spi 0x00001000 seq 12117 len 116 (DF)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

best source code for IPv6, Knoke, Jim, (Mon Jul 26, 3:07 pm)

QoS with IPv6, Mischa Diehm, (Mon Aug 9, 3:13 pm)

Ipv6 web server, Romain, (Sat Sep 18, 10:39 am)

Strange IPSEC behavior for a basic setup, Christian, (Sat Nov 13, 10:40 pm)

Autoconfigure vs. Static Addressing, eric, (Thu Mar 17, 7:09 pm)

Default route and laptop suspend, Christian Weisgerber, (Tue May 17, 10:40 am)

top 20 gift shops, Jackie, (Wed Nov 30, 4:16 pm)

HP 3550n Colour LaserJet Printer S A L E, Kevin James, (Wed Feb 8, 1:55 pm)

IPv6 Mobility, Loren M. Lang, (Fri Aug 4, 1:39 am)

Porting ipsec code, wend ralph, (Thu Feb 8, 3:30 am)

Newbie to IPv6 ... Help me out .... in deploying ipv6 on lin..., Fazlur Rahaman Naik, (Wed May 16, 2:54 am)

Einladung in mein XING-Netzwerk, Stefan Ramahi, (Wed Jun 11, 10:28 pm)

error with ndp command for ND proxy, mailing BSD, (Fri Apr 4, 8:48 am)

Message important, Banque HSBC, (Thu Jan 24, 8:03 am)

strange installation issue, Flavio Curti, (Thu Aug 29, 12:09 pm)

pf problem, florkle, (Sun Sep 15, 5:00 pm)

Bind4/IPv6/DNSSEC support, Virginie, (Sun Dec 8, 2:01 pm)

blitz.thessalie.net, TrafficMagnet Reseller, (Thu Mar 13, 5:21 pm)

Returned mail: User unknown, Mail Delivery Subsystem, (Tue Jun 24, 1:31 pm)

listening to IPv4 & 6 sockets, Cory C. Albrecht, (Sat Sep 13, 12:57 pm)

GENDIA Newsletter, GENDIA, (Sun Oct 19, 12:41 pm)

Is that any NATPT package for OpenBSD?, Wang Hui, (Wed Nov 26, 11:36 pm)

Laptop to OpenBSD firewall VPN, Bernard Golden, (Fri Jan 2, 6:06 pm)

IPv6 raw socket (ICMPv6), Thomas Delaet, (Tue Mar 16, 6:13 pm)

Din e-mail til Ex-i-data ikke leveret, , (Fri Apr 16, 12:43 am)

EUI 64 autoconfiguration and static assignment, Joseph Birthisel, (Tue May 11, 3:00 pm)

apache 2.x for ipv6, Cory C. Albrecht, (Mon Jun 21, 11:29 pm)

Re: error with ndp command for ND proxy, mailing BSD, (Mon Apr 14, 1:03 pm)

Re: Newbie to IPv6 ... Help me out .... in deploying ipv6 on..., Prabhu Gurumurthy, (Wed May 16, 1:59 pm)

Re: IPv6 Mobility, Dikshie, (Fri Aug 4, 10:15 am)

Re: Default route and laptop suspend, Todd T. Fries, (Tue May 17, 12:11 pm)

Re: Default route and laptop suspend, Paul de Weerd, (Tue May 17, 11:27 am)

Re: Autoconfigure vs. Static Addressing, Alexandre Anriot, (Fri Mar 18, 12:34 am)

Re: Autoconfigure vs. Static Addressing, eric, (Fri Mar 18, 12:58 am)

Re: Autoconfigure vs. Static Addressing, eric, (Fri Mar 18, 1:57 am)

Re: Strange IPSEC behavior for a basic setup, Diego Righi, (Sun Nov 14, 7:10 am)

Re: Ipv6 web server, Waldemar Brodkorb, (Sat Sep 18, 11:28 am)

Re: Ipv6 web server, Thorsten Glaser, (Sat Sep 18, 12:09 pm)

Re: QoS with IPv6, Mischa Diehm, (Fri Aug 13, 6:23 am)

Re: QoS with IPv6, Todd T. Fries, (Fri Aug 13, 10:45 am)

Re: best source code for IPv6, Thorsten Glaser, (Mon Jul 26, 3:30 pm)

Re: best source code for IPv6, Todd T. Fries, (Wed Jul 28, 10:12 am)

Re: best source code for IPv6, Mischa Diehm, (Tue Jul 27, 3:42 am)

Re: best source code for IPv6, M. Warner Losh, (Tue Jul 27, 4:39 am)

Re: apache 2.x for ipv6, Peter Hessler, (Tue Jun 22, 11:43 am)

Re: apache 2.x for ipv6, Henning Brauer, (Tue Jun 22, 5:01 pm)

Re: apache 2.x for ipv6, Henning Brauer, (Tue Jun 22, 4:34 am)

Re: apache 2.x for ipv6, Cory C. Albrecht, (Tue Jun 22, 5:00 am)

Re: apache 2.x for ipv6, Thorsten Glaser, (Tue Jun 22, 1:30 pm)

Re: EUI 64 autoconfiguration and static assignment, Todd T. Fries, (Tue May 11, 3:41 pm)

Re: IPv6 raw socket (ICMPv6), Thomas Delaet, (Tue Mar 16, 6:57 pm)

Re: Laptop to OpenBSD firewall VPN, Robert Mooney, (Mon Jan 5, 11:14 pm)

Re: Laptop to OpenBSD firewall VPN, Tobias Crefeld, (Tue Jan 6, 9:29 pm)

Re: Laptop to OpenBSD firewall VPN, Dan Brosemer, (Wed Jan 7, 2:10 am)

Re: Laptop to OpenBSD firewall VPN, Todd T. Fries, (Mon Jan 5, 1:47 pm)

Re: Is that any NATPT package for OpenBSD?, Todd T. Fries, (Sun Nov 30, 9:34 am)

Re: listening to IPv4 & 6 sockets, Thorsten Glaser, (Sat Sep 13, 1:43 pm)

Re: listening to IPv4 & 6 sockets, Cory C. Albrecht, (Sat Sep 13, 5:14 pm)

Re: listening to IPv4 & 6 sockets, Theo de Raadt, (Thu Sep 18, 2:28 pm)

Re: listening to IPv4 & 6 sockets, Cory C. Albrecht, (Fri Sep 19, 12:37 pm)

Re: Bind4/IPv6/DNSSEC support, David Terrell, (Mon Dec 9, 1:48 pm)

Re: Bind4/IPv6/DNSSEC support, Virginie, (Tue Jan 21, 4:39 pm)


linux-kernel:
David Newall	Re: Slow DOWN, please!!!
Renato S. Yamane	Error -71 on device descriptor read/all
Greg Kroah-Hartman	[PATCH 004/196] Chinese: add translation of SubmittingPatches
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
git:
Shawn O. Pearce	libgit2 - a true git library
Martin Langhoff	Re: pack operation is thrashing my server
Aubrey Li	git proxy issue
Pierre Habouzit	git send-email improvements
netbsd-tech-kern:
Elad Efrat	Integrating securelevel and kauth(9)
Hubert Feyrer	Compressed vnd handling tested successfully
Matt Thomas	Interrupt, interrupt threads, continuations, and kernel lwps
Michael	Re: yamt-km branch
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Will Maier	cron doesn't run commands in /etc/crontab?
askthelist	Packets Per Second Limit?
Harald Dunkel	Packet Filter: how to keep device names on hardware failure?


Question on swap as ramdisk partition	2 hours ago	Linux kernel
Netfilter kernel module	13 hours ago	Linux kernel
serial driver xmit problem	15 hours ago	Linux kernel
Why Windows is better than Linux	15 hours ago	Linux general
How can I see my kernel messages in vt12?	22 hours ago	Linux kernel
Grub	1 day ago	Linux general
vmalloc_fault handling in x86_64	1 day ago	Linux kernel
epoll_wait()ing on epoll FD	1 day ago	Linux kernel
Framebuffer in x86_64 causes problems to multiseat	2 days ago	Linux kernel
Difference between 2.4 and 2.6 regarding thread creation	2 days ago	Linux general

Strange IPSEC behavior for a basic setup

Online users