[strongSwan] issue about the IPsec (tunnel mode) over IP-in-IP tunnel, please help, thanks!

David Deng david.live.koo at gmail.com
Tue Nov 23 10:50:34 CET 2010


Hi All,



I have encountered one tough issue and need all your help. Please help me. Thanks!



The scenario is:

__________________________________________________________________________________________

{IP-in-IP Client} <-- IP packet --> {IP-in-IP server} <-- IP-in-IP packet --> {IPsec Gateway} <-- IPsec over IP-in-IP packet --> {Client with IPsec (using tunnel mode) over IP-in-IP}

-------------------------------------------------------------------------------------------------------------------------------------------------

Note:

1) two tunnels are used in the client: IPsec tunnel over IP-in-IP tunnel;

2) the three source IPs in the headers used in the client of IPsec over IP-in-IP are the same.



The issue is:



When I initiate a ping from the client of IPsec over IP-in-IP, from the TCPDUMP log we can see that the ICMP request packet can reach the IP-in-IP Client and the ICMP reply can also reach the client of IPsec over IP-in-IP successfully, but the ICMP reply cannot be delivered to the upper layer (the ICMP reply packet cannot be seen on the console).



More Information:

1) The implementation of IPsec uses the method "integrate IPsec into the native IP stack", i.e. NETKEY.

2) The IP-in-IP configuration is listed as follows (a virtual IP-in-IP interface is adopted):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# physical interface carrying the IP-in-IP tunnel
ifconfig eth1 172.19.2.168 netmask 255.255.255.0
# IP-in-IP tunnel to the IP-in-IP server, sourced from the eth1 address
ip tunnel add ip-in-ip mode ipip remote 139.200.9.1 local 172.19.2.168 dev eth1
# the tunnel interface reuses the same address as eth1 (see note 2 above)
ip addr add 172.19.2.168/24 dev ip-in-ip
ip link set ip-in-ip up
# host route to the IPsec peer through the IP-in-IP tunnel
route add -host 139.200.9.9 gateway 172.19.2.177 dev ip-in-ip

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3) The Linux Kernel Version is: 2.6.28



Question:

1) Can two tunnel modes (IPsec tunnel over IP-in-IP tunnel) be supported?

2) What is the root cause of the above issue?

3) Are there any kernel patches that can fix this issue?

4) Can any suggestions be given?



Look forward to your answer, Thanks a lot!



Best Wishes

David Morris


On 2010-11-16 at 4:44 PM, David Deng <david.live.koo at gmail.com> wrote:

> Hi Andreas, Hi All,
>
> During the last two weeks, I did an interesting test, which will be
> described as follows.
>
> 1) I established an IPsec tunnel by using strongSwan over an IP-in-IP tunnel
> (that means two tunnels have been established);
>
> 2) In these two tunnels, I used the same inner IP as the original IP (that
> means their IPs are the same);
>
> 3) I use the linux kernel 2.6.28 with the following patches and enabled the
> IPsec related kernel options.
>
>
> *1*
>
> SKB True Size Problem, detailed information can be found in:
>
> http://patchwork.kernel.org/patch/11964/
>
> *2*
>
> IPv6 Stack Problem, detailed information can be found in:
>
> http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304
>
> 4) After the two tunnels were established successfully, I initiated a ping from
> host {A} to host {B}. The ICMP reply packets cannot be seen on the console, but
> I can see these packets in the captured list of tcpdump (tcpdump -i
> ip-in-ip).
>
> So I am wondering whether this scenario (IPsec tunnel mode over IP-in-IP
> tunnel mode) can be supported by Linux kernel 2.6.28 or a later kernel
> version.
>
> Do I need to apply some patches to support this scenario (IPsec tunnel mode
> over IP-in-IP tunnel mode)?
>
> Look forward to your answer, thanks a lot!
>
> cheers,
> David Morris
>
>
>
>
>
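As an added illustration, not part of the original thread: a small Python decoder for the nested encapsulation described above, an IP-in-IP outer header (protocol 4) carrying the IPsec tunnel-mode outer header (ESP, protocol 50). It shows the header chain that tcpdump sees on the physical interface before the kernel decapsulates, that every IP header carries the same source address as the post notes, and that the ESP payload holding the ICMP reply stays opaque until the XFRM layer has processed it. The sample frame is constructed; 139.200.9.9 as the IPsec peer address and the SPI value are assumptions.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_ESP = 4, 50  # IP-in-IP and ESP protocol numbers

def parse_ipv4(buf):
    """Return (header fields, payload) for one IPv4 header, validating version and IHL."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("inconsistent IHL/total length")
    hdr = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto}
    return hdr, buf[ihl:total_len]

def decapsulate(frame):
    """Peel IP-in-IP layers, then read the ESP header; stop there because the ESP payload
    (and the ICMP inside it) is ciphertext until the kernel's XFRM layer has processed it."""
    layers, buf = [], frame
    while True:
        hdr, payload = parse_ipv4(buf)
        layers.append(hdr)
        if hdr["proto"] == IPPROTO_IPIP:
            buf = payload  # another IP header follows
            continue
        if hdr["proto"] == IPPROTO_ESP and len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            layers.append({"esp_spi": spi, "esp_seq": seq, "opaque_len": len(payload) - 8})
        return layers

def source_addresses(layers):
    """Distinct source addresses across all IP headers; the post says they are identical."""
    return {layer["src"] for layer in layers if "src" in layer}

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; not needed for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Constructed sample frame: IPIP outer header to the IP-in-IP server, then the IPsec outer
# header (ESP) to the assumed peer 139.200.9.9, both sourced from 172.19.2.168 as in the post.
ESP_BODY = struct.pack("!II", 0x1000, 7) + b"\xaa" * 40  # SPI, sequence, fake ciphertext
SAMPLE_FRAME = (ipv4_header("172.19.2.168", "139.200.9.1", IPPROTO_IPIP, 20 + len(ESP_BODY))
                + ipv4_header("172.19.2.168", "139.200.9.9", IPPROTO_ESP, len(ESP_BODY))
                + ESP_BODY)
```

Running decapsulate(SAMPLE_FRAME) yields two IP layers (protocols 4 then 50) followed by the ESP SPI and sequence number, with a single distinct source address.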