Hi

First, thanks for the answer, but I am stuck with those:

> xt_esp generates debug output if you have "printk" sysctl set to show it.

How would I do so? I never used sysctl for anything but enabling ip forwarding....

Second: Below is the current output of `ip -s xfrm policy`, `ip -s xfrm state` and `setkey -D`. I noticed,

- `ip -s xfrm policy` contains "proto esp spi 0x00000000(0)".
- `setkey -D` contains "spi=3243547107(0xc15499e3)".
- `ip -s xfrm state` contains "esp spi 0xc4b51d18(3300203800)".

Is this to be expected?

Third, I tried your command:

    # iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK --set-mark 1

Gives:

    iptables v1.4.12: unknown option "--spi"

    # iptables -t mangle -A PREROUTING -p esp -m espspi --spi 0xcdfebb11 -j MARK --set-mark 1
    iptables v1.4.12: policy match: neither --dir in nor --dir out specified

    # iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir out -j MARK --set-mark 1
    iptables: Invalid argument. Run `dmesg' for more information.

    # iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

That worked, however I still don't get the packets through. Because of the different spi information mentioned above, I also tried:

    # iptables -t mangle -A PREROUTING -p esp -m policy --spi 0xcdfebb11 --dir in -j MARK --set-mark 1

Same result: Accepted but not matched.

I can still get it to work removing the conditions, so everything else is fine:

    # iptables -t mangle -A PREROUTING --proto esp -j MARK --set-mark 1

I am still stuck and very thankful for every hint...
Regards,
Steffen

# setkey -D
10.5.0.1 10.5.0.2
	esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
	E: aes-cbc  49e40f42 d0df7e1e 7202ad2e c45110bd
	A: hmac-sha1  afa4eefd b81a952d 68f9cf88 3287715b 3d4ae624
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: May 16 06:02:36 2012	current: May 16 06:16:15 2012
	diff: 819(s)	hard: 1200(s)	soft: 896(s)
	last: May 16 06:12:04 2012	hard: 0(s)	soft: 0(s)
	current: 21168(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 252	hard: 0	soft: 0
	sadb_seq=1 pid=11397 refcnt=0
10.5.0.2 10.5.0.1
	esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
	E: aes-cbc  d5bcb28b 0378d65a 97ac2757 1afa6ff8
	A: hmac-sha1  1eeb8605 db1f4cc9 c3a4dc22 1a3306d2 b9928a9c
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: May 16 06:02:36 2012	current: May 16 06:16:15 2012
	diff: 819(s)	hard: 1200(s)	soft: 1014(s)
	last: May 16 06:12:04 2012	hard: 0(s)	soft: 0(s)
	current: 2100(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 25	hard: 0	soft: 0
	sadb_seq=0 pid=11397 refcnt=0

# ip -s xfrm policy
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
	dir fwd action allow index 1530 priority 1859 share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-05-16 06:16:40 use -
	mark 1/0xffffffff
	tmpl src 10.5.0.2 dst 10.5.0.1
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.1.1.0/24 uid 0
	dir in action allow index 1520 priority 1859 share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-05-16 06:16:40 use -
	mark 1/0xffffffff
	tmpl src 10.5.0.2 dst 10.5.0.1
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.1.0/24 dst 10.2.1.0/24 uid 0
	dir out action allow index 1513 priority 1859 share any flag (0x00000000)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-05-16 06:16:40 use 2012-05-16 06:24:57
	mark 1/0xffffffff
	tmpl src 10.5.0.1 dst 10.5.0.2
		proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
		level required share any
		enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

# ip -s xfrm state
src 10.5.0.1 dst 10.5.0.2
	proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	mark 1/0xffffffff
	auth-trunc hmac(sha1) 0x597784c0a0905a2346a797daaa79145e17b1a2ca (160 bits) 96
	enc cbc(aes) 0xd44a6ec5f13010267a2d145f9564b75e (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 884(sec), hard 1200(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  49476(bytes), 589(packets)
	  add 2012-05-16 06:16:40 use 2012-05-16 06:16:41
	stats:
	  replay-window 0 replay 0 failed 0
src 10.5.0.2 dst 10.5.0.1
	proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	mark 1/0xffffffff
	auth-trunc hmac(sha1) 0x98af746b619e7d723696b2f67fc46a127fde097a (160 bits) 96
	enc cbc(aes) 0xef5b3d9a4a0cb8c9cc9787dbba0c7c9c (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 907(sec), hard 1200(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-05-16 06:16:40 use -
	stats:
	  replay-window 0 replay 0 failed 0
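Added example, not part of Steffen's message or the thread: a small checker that cross-references the two SA listings shown above. The `setkey -D` listing (SAs created 06:02:36) and the `ip -s xfrm state` listing (SAs added 06:16:40) were taken at different moments and show different SPIs, while the policy templates carry `spi 0x00000000`, which is a wildcard rather than a real SPI. Since `-m policy --dir in --spi` is compared against the SA that actually decapsulated the packet, an SPI that is not present in the kernel's current `ip xfrm state` output can never match. The script parses both formats, lists the SPIs of the inbound SAs for the local tunnel endpoint, reports SPIs that `setkey` still shows but the kernel SAD no longer has, and classifies a candidate SPI. The sample text is a trimmed copy of the output in the message; the local endpoint 10.5.0.1 is taken from the `dir out` policy template and the `explain_spi`/`stale_spis` helper names are this example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: trimmed copies of the `ip -s xfrm state` and
# `setkey -D` listings from the message (only the lines the parser needs).
XFRM_STATE_SAMPLE = """\
src 10.5.0.1 dst 10.5.0.2
	proto esp spi 0xc4b51d18(3300203800) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	mark 1/0xffffffff
src 10.5.0.2 dst 10.5.0.1
	proto esp spi 0xc2f9a112(3271139602) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	mark 1/0xffffffff
"""

SETKEY_SAMPLE = """\
10.5.0.1 10.5.0.2
	esp mode=tunnel spi=3243547107(0xc15499e3) reqid=1(0x00000001)
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: May 16 06:02:36 2012	current: May 16 06:16:15 2012
10.5.0.2 10.5.0.1
	esp mode=tunnel spi=3456023313(0xcdfebb11) reqid=1(0x00000001)
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: May 16 06:02:36 2012	current: May 16 06:16:15 2012
"""

SA = Dict[str, object]  # {"src": str, "dst": str, "proto": str, "spi": int}


def parse_xfrm_state(text: str) -> List[SA]:
    """One record per SA in `ip xfrm state` output (header line + proto/spi line)."""
    sas: List[SA] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            continue
        m = re.match(r"^proto (\w+) spi 0x([0-9a-fA-F]+)\(", line)
        if m and cur is not None:
            cur["proto"] = m.group(1)
            cur["spi"] = int(m.group(2), 16)
            sas.append(cur)
            cur = None
    return sas


def parse_setkey(text: str) -> List[SA]:
    """Same record shape, parsed from `setkey -D` output.

    Header lines ("<src> <dst>") start at column 0; detail lines are indented.
    """
    sas: List[SA] = []
    cur = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            parts = raw.split()
            if len(parts) == 2:
                cur = {"src": parts[0], "dst": parts[1]}
            continue
        m = re.match(r"^(\w+) mode=\w+ spi=\d+\(0x([0-9a-fA-F]+)\)", raw.strip())
        if m and cur is not None:
            cur["proto"] = m.group(1)
            cur["spi"] = int(m.group(2), 16)
            sas.append(cur)
            cur = None
    return sas


def inbound_spis(sas: List[SA], local_addr: str) -> Set[int]:
    """SPIs of SAs whose tunnel destination is this host (the ones --dir in can match)."""
    return {sa["spi"] for sa in sas if sa["dst"] == local_addr}


def stale_spis(setkey_sas: List[SA], xfrm_sas: List[SA]) -> Set[int]:
    """SPIs setkey still lists but the kernel SAD no longer has (e.g. after a rekey)."""
    return {sa["spi"] for sa in setkey_sas} - {sa["spi"] for sa in xfrm_sas}


def explain_spi(spi: int, xfrm_sas: List[SA], local_addr: str) -> str:
    """Classify a candidate SPI against the kernel's current SAD."""
    for sa in xfrm_sas:
        if sa["spi"] == spi:
            return "current inbound SA" if sa["dst"] == local_addr else "current outbound SA"
    return "not in current SAD"


if __name__ == "__main__":
    xfrm = parse_xfrm_state(XFRM_STATE_SAMPLE)
    sk = parse_setkey(SETKEY_SAMPLE)
    local = "10.5.0.1"  # taken from the `dir out` policy template in the message
    print("inbound SPIs on", local, [hex(s) for s in sorted(inbound_spis(xfrm, local))])
    print("stale in setkey:", [hex(s) for s in sorted(stale_spis(sk, xfrm))])
    for spi in (0xCDFEBB11, 0xC2F9A112, 0xC4B51D18):
        print(hex(spi), "->", explain_spi(spi, xfrm, local))
```

On a live box, feed the script the output of `ip -s xfrm state` and `setkey -D` captured at the same moment; a non-empty stale set means one of the two views is out of date, and only SPIs classified as "current inbound SA" are worth putting into a `-m policy --dir in --spi` rule.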