Re: 2.6 IPSec tunnel mode problems

Hi
Some more info on this that I obtained using kernel printk:
1. The decrypted Echo reply being dropped in the kernel is NOT a
   firewall issue.
2. After decryption, the ICMP echo Reply takes the path 
   ip_local_deliver_finish() -> raw_v4_input() -> raw_rcv()
3. raw_rcv calls xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)
   and this returns 0. This causes the packet to be freed and
   dropped silently.
CONCLUSION
----------
This is definitely an IPSec policy setup issue. BTW, ping works
fine in transport mode. The reason I cannot use transport mode is
lack of NAT-T support. TCP packets are rejected due to header checksum
errors because the checksum is calculated with private IP whereas the
peer sees packets with the public IP.

Any ideas on how to proceed? Can someone explain the notion of
'skb->sp' and the rationale behind the policy checking?

Thanks
-gopal
On Tue, Aug 23, 2005 at 06:07:24AM -0700, Gopalakrishnan Raman wrote:
> Hi all
> I'm running IPSec tunnel mode between host 'A' running 2.6.12.5
> and host 'B' running 2.6.11.10. 'A' is behind a NAT. I have one
> problem but the stuff that's working correctly is the following :
> 1. racoon sets up the IPSec SA on demand. IKE messages are all
>    NAT-T encapsulated and I used tcpdump on both ends to verify
>    that KeepAlive messages go out and are NAT-T encapsulated
> 2. ESP encrypt/decrypt seems to be fine. From 'A' I ping 'B' and
>    I see the encrypted Echo response come back to 'A'. It gets
>    decrypted and tcpdump shows that the plaintext pkt is re-injected
>    back into the stack.
> PROBLEM:
>   The plaintext echo response does not make it to the ICMP layer
>   or to the ping program.
> DIAGNOSIS:
> 0. /proc/sys/net/ipv4/ip_forward is 1 on both hosts
> 1. I did 'iptables --flush' ; 'iptables --list' shows no rules
> 2. setkey.conf has a 'require' rule for in and out. No 'fwd' rule
>    racoon.conf has 'generate_policy on'
> QUESTION:
> 1. If I have no netfilter rules, this can't be a firewall issue right ?
>    I saw some mail about marking the ESP pkt in the mangle table but
>    none of that should apply since I have disabled my firewall right ?
> 2. The stack accepts and decrypts the ESP pkt. but the 'require' rule
>    should force it to throw away all cleartext pkts correct ? If this
>    is true, how can IPSec ever work ?
> 
> What am I missing ???
> Thanks
> -gopal
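One way to confirm the silent inbound policy drop described above without adding printk calls is to compare /proc/net/xfrm_stat counters before and after a ping. This is an added example, not code from the thread; it assumes a kernel that exports /proc/net/xfrm_stat (a later addition than the 2.6.12 discussed here), and the two snapshots below are constructed sample text, not real captures.

```python
"""Diff two /proc/net/xfrm_stat snapshots to spot inbound xfrm policy drops."""

# Counters that grow when the inbound policy check rejects a packet after
# decryption (field names as documented in the kernel's xfrm_proc notes).
INBOUND_POLICY_COUNTERS = (
    "XfrmInNoPols",        # no SPD entry matched the decrypted packet
    "XfrmInTmplMismatch",  # policy matched but its templates did not
    "XfrmInPolBlock",      # a 'discard' policy matched
    "XfrmInPolError",      # policy lookup failed
)


def parse_xfrm_stat(text):
    """Parse 'Name <value>' lines into {name: int}; skips malformed lines."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        stats[parts[0]] = int(parts[1])
    return stats


def policy_drops(before, after):
    """Return {counter: delta} for inbound policy counters that increased."""
    deltas = {}
    for name in INBOUND_POLICY_COUNTERS:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            deltas[name] = delta
    return deltas


def read_snapshot(path="/proc/net/xfrm_stat"):
    """Read a live snapshot; call once before and once after the ping."""
    with open(path) as f:
        return parse_xfrm_stat(f.read())


# Constructed snapshots: four echo replies decrypted, then dropped
# because no inbound policy matched them.
BEFORE = """XfrmInError            0
XfrmInNoStates         0
XfrmInTmplMismatch     0
XfrmInNoPols           12
XfrmInPolBlock         0
XfrmOutNoStates        0
"""
AFTER = BEFORE.replace("XfrmInNoPols           12", "XfrmInNoPols           16")

if __name__ == "__main__":
    print(policy_drops(parse_xfrm_stat(BEFORE), parse_xfrm_stat(AFTER)))
```

A non-empty result points at the SPD (setkey -DP) rather than at netfilter or the SA itself.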