DragonFly BSD
DragonFly bugs List (threaded) for 2006-04

Re: IPSEC/FAST_IPSEC panic.


From: Gary Allan <dragonfly@xxxxxxxxxxxxxxx>
Date: Mon, 24 Apr 2006 17:57:30 +0100

Matthew Dillon wrote:

Could you explain the TCP timeout issue more? Does TCP work initially and then fail at some point after the connection has been working for a while? I need to be able to duplicate the problem to track it down.

    It might also help to use tcpdump to observe the packet traffic at the
    point where the connection starts to fail and times out.

tcpdump -s 4096 -vvv -i em0 -n -l port <port_you_are_testing_tcp_on>

-Matt

I was able to set up another DragonFly box and configure IPSEC between two DragonFly machines. FTP, DNS and PING (8000 bytes) worked between the PCs but ssh did not (same timeout errors). I have enabled IPSEC_DEBUG but there is no diagnostic output. All PCs are built without IPv6 support. (I'll test again with it enabled.)


Server:
192.168.20.4
DragonFly fire.local 1.5.3-DEVELOPMENT DragonFly 1.5.3-DEVELOPMENT #0: Sun Apr 23 18:27:00 BST 2006 gary@xxxxxxxxxx:/usr/obj/usr/src/sys/BUILD-IPSEC i386


fire ~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     vsftpd     642   3  tcp4   *:21                  *:*
root     sendmail   592   4  tcp4   127.0.0.1:25          *:*
root     sshd       583   3  tcp4   *:22                  *:*
bind     named      307   20 udp4   192.168.20.4:53       *:*
bind     named      307   21 tcp4   192.168.20.4:53       *:*
bind     named      307   22 udp4   127.0.0.1:53          *:*
bind     named      307   23 tcp4   127.0.0.1:53          *:*
bind     named      307   24 udp4   *:1024                *:*
bind     named      307   25 tcp4   127.0.0.1:953         *:*

Client:
192.168.20.6
FreeBSD lappy.local 6.0-RELEASE-p6 FreeBSD 6.0-RELEASE-p6 #1: Wed Apr 19 15:55:17 UTC 2006 root@xxxxxxxxxxx:/usr/obj/usr/src/sys/BUILD i386


When using FreeBSD 4.11 or 6.0 as a client, UDP and ICMP connections work but TCP connections to vsftpd and ssh time out. The ssh connections are partially successful, as the server displays the message:

Apr 25 17:48:59 fire sshd[708]: fatal: Timeout before authentication for 192.168.20.6

Thanks

Gary
17:25:56.132650 IP (tos 0x0, ttl  64, id 153, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x17): ESP(spi=0x00005fb5,seq=0x17)
17:25:59.131242 IP (tos 0x0, ttl  64, id 154, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x18): ESP(spi=0x00005fb5,seq=0x18)
17:25:59.131491 IP (tos 0x0, ttl  64, id 178, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x13): ESP(spi=0x00003d55,seq=0x13)
17:26:02.330203 IP (tos 0x0, ttl  64, id 155, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x19): ESP(spi=0x00005fb5,seq=0x19)
17:26:02.330422 IP (tos 0x0, ttl  64, id 179, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x14): ESP(spi=0x00003d55,seq=0x14)
17:26:05.529001 IP (tos 0x0, ttl  64, id 156, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1a): ESP(spi=0x00005fb5,seq=0x1a)
17:26:05.529217 IP (tos 0x0, ttl  64, id 180, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x15): ESP(spi=0x00003d55,seq=0x15)
17:26:08.727881 IP (tos 0x0, ttl  64, id 157, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1b): ESP(spi=0x00005fb5,seq=0x1b)
17:26:11.927255 IP (tos 0x0, ttl  64, id 158, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1c): ESP(spi=0x00005fb5,seq=0x1c)
17:26:18.126097 IP (tos 0x0, ttl  64, id 159, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1d): ESP(spi=0x00005fb5,seq=0x1d)
17:26:30.321695 IP (tos 0x0, ttl  64, id 160, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1e): ESP(spi=0x00005fb5,seq=0x1e)
17:26:30.321926 IP (tos 0x0, ttl  64, id 181, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x16): ESP(spi=0x00003d55,seq=0x16)
17:26:54.513533 IP (tos 0x0, ttl  64, id 161, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1f): ESP(spi=0x00005fb5,seq=0x1f)
17:26:54.513776 IP (tos 0x0, ttl  64, id 182, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x17): ESP(spi=0x00003d55,seq=0x17)

17:23:56.284365 IP (tos 0x0, ttl  64, id 122, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x8): ESP(spi=0x00005fb5,seq=0x8)
17:23:56.284599 IP (tos 0x0, ttl  64, id 160, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x5): ESP(spi=0x00003d55,seq=0x5)
17:23:59.283225 IP (tos 0x0, ttl  64, id 123, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x9): ESP(spi=0x00005fb5,seq=0x9)
17:24:02.482010 IP (tos 0x0, ttl  64, id 124, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xa): ESP(spi=0x00005fb5,seq=0xa)
17:24:05.680898 IP (tos 0x0, ttl  64, id 125, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xb): ESP(spi=0x00005fb5,seq=0xb)
17:24:05.681163 IP (tos 0x0, ttl  64, id 163, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x6): ESP(spi=0x00003d55,seq=0x6)
17:24:08.879729 IP (tos 0x0, ttl  64, id 126, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xc): ESP(spi=0x00005fb5,seq=0xc)
17:24:12.078713 IP (tos 0x0, ttl  64, id 127, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xd): ESP(spi=0x00005fb5,seq=0xd)
17:24:12.078953 IP (tos 0x0, ttl  64, id 164, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x7): ESP(spi=0x00003d55,seq=0x7)
17:24:18.276958 IP (tos 0x0, ttl  64, id 128, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xe): ESP(spi=0x00005fb5,seq=0xe)
17:24:18.277184 IP (tos 0x0, ttl  64, id 165, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x8): ESP(spi=0x00003d55,seq=0x8)
17:24:30.473180 IP (tos 0x0, ttl  64, id 129, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xf): ESP(spi=0x00005fb5,seq=0xf)
17:24:30.473419 IP (tos 0x0, ttl  64, id 166, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x9): ESP(spi=0x00003d55,seq=0x9)

flush;
spdflush;

add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";

add 192.168.20.4 192.168.20.6 esp 15701 -E 3des-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E 3des-cbc "123456789012345678901234";

spdadd 192.168.20.4 192.168.20.6 any -P out ipsec 
	esp/transport//require
	ah/transport//require;

flush;
spdflush;

add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";

add 192.168.20.4 192.168.20.6 esp 15701 -E 3des-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E 3des-cbc "123456789012345678901234";

spdadd 192.168.20.6 192.168.20.4 any -P out ipsec 
	esp/transport//require
	ah/transport//require;
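An added example, not part of the original message: a small Python triage script for a capture like the ones above. It checks that the hex SPIs tcpdump shows are the decimal SPIs from the setkey `add` lines, and measures the gaps between packets per sender; gaps that keep doubling are consistent with a sender retransmitting on backoff. The `HOSTS` mapping of `fire` to 192.168.20.4 and all function names are assumptions of this example.

```python
import re
# Seven lines copied from the first tcpdump listing in the post.
CAPTURE = """\
17:26:08.727881 IP (tos 0x0, ttl  64, id 157, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1b): ESP(spi=0x00005fb5,seq=0x1b)
17:26:11.927255 IP (tos 0x0, ttl  64, id 158, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1c): ESP(spi=0x00005fb5,seq=0x1c)
17:26:18.126097 IP (tos 0x0, ttl  64, id 159, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1d): ESP(spi=0x00005fb5,seq=0x1d)
17:26:30.321695 IP (tos 0x0, ttl  64, id 160, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1e): ESP(spi=0x00005fb5,seq=0x1e)
17:26:30.321926 IP (tos 0x0, ttl  64, id 181, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x16): ESP(spi=0x00003d55,seq=0x16)
17:26:54.513533 IP (tos 0x0, ttl  64, id 161, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1f): ESP(spi=0x00005fb5,seq=0x1f)
17:26:54.513776 IP (tos 0x0, ttl  64, id 182, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x17): ESP(spi=0x00003d55,seq=0x17)
"""
# SPIs as given (in decimal) on the post's setkey "add" lines, per direction.
SAD = {("192.168.20.6", "192.168.20.4"): {"ah": 24500, "esp": 24501},
       ("192.168.20.4", "192.168.20.6"): {"ah": 15700, "esp": 15701}}
HOSTS = {"fire": "192.168.20.4"}  # assumption: tcpdump resolved the server's name
LINE = re.compile(
    r"(\d+):(\d+):(\d+\.\d+) IP \(.*?length: (\d+)\) (\S+) > (\S+): "
    r"AH\(spi=0x([0-9a-f]+),sumlen=\d+,seq=0x[0-9a-f]+\): ESP\(spi=0x([0-9a-f]+),")

def parse(text):
    """Turn tcpdump AH+ESP lines into dicts with time, length, hosts and SPIs."""
    out = []
    for h, mi, s, length, src, dst, ah, esp in LINE.findall(text):
        out.append({"t": int(h) * 3600 + int(mi) * 60 + float(s), "len": int(length),
                    "src": HOSTS.get(src, src), "dst": HOSTS.get(dst, dst),
                    "ah": int(ah, 16), "esp": int(esp, 16)})
    return out

def unknown_spis(records):
    """Packets whose SPIs differ from the SA configured for their direction."""
    return [r for r in records
            if SAD.get((r["src"], r["dst"])) != {"ah": r["ah"], "esp": r["esp"]}]

def gaps(records, src):
    """Seconds between consecutive packets sent by src, rounded to 0.1 s."""
    ts = [r["t"] for r in records if r["src"] == src]
    return [round(b - a, 1) for a, b in zip(ts, ts[1:])]

def doubling_run(g, tol=0.15):
    """Longest run of gaps that are each about twice the previous gap."""
    best = run = 0
    for a, b in zip(g, g[1:]):
        run = run + 1 if a and abs(b / a - 2) <= tol else 0
        best = max(best, run)
    return best

if __name__ == "__main__":
    recs = parse(CAPTURE)
    print(unknown_spis(recs), gaps(recs, "192.168.20.6"), gaps(recs, "192.168.20.4"))
```

On these lines every SPI matches its configured SA, so both directions are being processed by the intended SAs, while the gaps from 192.168.20.6 grow 3.2, 6.2, 12.2, 24.2 seconds.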


