(2.6 IPsec) tcpdump: "truncated-ip - 12 bytes missing!"

To: debian users <debian-user@lists.debian.org>
Subject: (2.6 IPsec) tcpdump: "truncated-ip - 12 bytes missing!"
From: martin f krafft <madduck@madduck.net>
Date: Thu, 8 Jan 2004 12:15:36 +0100
Message-id: <[🔎] 20040108111536.GA22080@piper.madduck.net>
Mail-followup-to: debian users <debian-user@lists.debian.org>

Hi all,

linux-kernel apparently has no answer for me, so please don't blame
me for resorting to the real wise people...
Using the Kame tools with the 2.6 IPsec stack, I managed to get a
network-to-host tunnel set up:

                  --------------------------       --------------
  10.1.2.0/24 --- | 10.1.2.1 gateway 4.5.6.7 | --- | 4.3.2.1 host |
                   --------------------------   ^   --------------
                                                |IPsec

In words: everything between the 4.3.2.1 host and the network
10.1.2.0/24 is encrypted, with the (masquerading) gateway and the
host serving as tunnel endpoints.

This is working with the following configuration on the gateway:

  add 4.5.6.7 4.3.2.1 ah 0x200 -m tunnel -A hmac-sha1 "key1";
  add 4.3.2.1 4.5.6.7 ah 0x300 -m tunnel -A hmac-sha1 "key2";

  add 4.5.6.7 4.3.2.1 esp 0x201 -m tunnel -E twofish-cbc "key3";
  add 4.3.2.1 4.5.6.7 esp 0x301 -m tunnel -E twofish-cbc "key4";

  spdadd 10.1.2.0/24 4.3.2.1 any -P out ipsec
    esp/tunnel/4.5.6.7-4.3.2.1/require
    ah/tunnel/4.5.6.7-4.3.2.1/require;

  spdadd 4.3.2.1 10.1.2.0/24 any -P in ipsec
    esp/tunnel/4.3.2.1-4.5.6.7/require
    ah/tunnel/4.3.2.1-4.5.6.7/require;

and the same on the single host, with the policies switched.

Connectivity is fine, but as I checked the packets arriving at the
single host with tcpdump, I was kinda startled and don't know
anymore what's going on. Here's the output of one timestep (they are
all at the same time), line by line:

 1. 4.5.6.7 > 4.3.2.1: AH(spi=0x00000200,seq=0xcd):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

perfect! the packet arrived from the gateway, the AH and ESP SPIs
are what I told them to be.

 2. 4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

what's this? i only sent one packet, and even though the ESP SPI is
correct, the AH SPI is totally random. tcpdump now says:

    truncated-ip - 12 bytes missing!
    4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: [|ip] (ipip-proto-4) (ipip-proto-4)

and then (a fraction of a second later):

 3. 4.3.2.1 > 4.5.6.7: AH(spi=0x00000300,seq=0xfc6):
    4.3.2.1 > 4.5.6.7: ESP(spi=0x00000301,seq=0xfc6)
    (DF) [tos 0x10]  (ipip-proto-4)

this is the answer, using the appropriate SPIs for AH and ESP.

So then, where did the second packet come from?

The same situation applies in simple transport mode, using RSA
signatures or pre-shared secrets.

Thanks for any input!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
there is no place like ~

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: Need Help
Next by Date: compiler error - Help
Previous by thread: Need Help
Next by thread: compiler error - Help
Index(es):
- Date
- Thread