NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports

The following reply was made to PR bin/47894; it has been noted by GNATS.

From: SUENAGA Hiroki <>
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Mon, 16 Jun 2014 11:36:19 +0900

 Hi Gergely, thank you for your test.
 (2014/06/13 23:45), Egerváry Gergely wrote:
 >          esp-udp mode=transport spi=17298023(0x0107f267) reqid=0(0x00000000)
 >  ...
 >          esp-udp mode=transport spi=214723282(0x0ccc6ad2) reqid=0(0x00000000)
 >  and on the client side:
 >          esp-udp mode=transport spi=214723282(0x0ccc6ad2) reqid=0(0x00000000)
 >          esp-udp mode=transport spi=17298023(0x0107f267) reqid=0(0x00000000)
 OK, the SA is correct.
 I found a BUG: there was no ESP header in the UDP-encapsulated ESP packet
 in my local environment.
 setkey says:
   # setkey -D[4500][4500]
         esp-udp mode=transport spi=262330893(0x0fa2da0d) reqid=0(0x00000000)
         E: null  01020304 05060708
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Jun 16 11:23:29 2014   current: Jun 16 11:24:27 2014
         diff: 58(s)     hard: 1402885409(s)     soft: 5616830(s)
         last: Jun 13 17:12:07 2014      hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=0 pid=10078 refcnt=1
 => SPI is 0x0fa2da0d.
 but tcpdump says:
   # tcpdump -n -i wm0 -s 1500 -x -vvvv udp port 4500
   tcpdump: listening on wm0, link-type EN10MB (Ethernet), capture size 1500
   11:23:29.569166 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 60) > [udp sum ok] UDP-encap: ESP(spi=0x01020304,seq=0x5060708), length 32
 => The SPI and SEQ seem to be the head of the payload. It's wrong.
 I'm analyzing the problem now.
 How about your application?
 For your interest, I put my test code on
 The program creates a dummy NAT-T SA and sends a UDP packet. Your application and
 SP settings may cause other problems.
 >  IP reference:
 >    Client internal (NAT) address:
 >    NAT box external address:
 >    Server external address:
 >  btw, I do not see endianness issues here.
 Oops, my test code itself had an endianness issue... thank you.
 Internet Initiative Japan Inc.
 Device Engineering Section,
 Core Product Development Department,
 Product Division,
 Technology Unit
 SUENAGA Hiroki <>
 PGP: 66B3 8939 6758 20BA F243  89EC 557A 8CFB ABA9 5E92
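The mismatch described in the message above (setkey reports SPI 0x0fa2da0d, but tcpdump decodes SPI 0x01020304 from the UDP/4500 payload) can be checked mechanically by parsing the UDP-encapsulated ESP payload per RFC 3948 and comparing the SPI it carries against the SPIs in the SAD. The following is an added example, not code from the PR or from NetBSD; the payload bytes are constructed to reproduce the SPI/seq values tcpdump printed, since the raw packet is not on the page.

```python
import struct

# Constructed sample: a 32-byte UDP/4500 payload with NO ESP header in front,
# so its first eight bytes (01 02 03 04 05 06 07 08) get decoded as SPI/seq.
MISSING_HEADER = bytes(range(1, 33))

# Constructed sample: the same payload with a correct RFC 3948 ESP header
# (SPI 0x0fa2da0d as reported by setkey, sequence number 1) prepended.
SAD_SPI = 0x0FA2DA0D
CORRECT = struct.pack("!II", SAD_SPI, 1) + MISSING_HEADER


def classify_udp4500(payload: bytes) -> dict:
    """Classify a UDP/4500 payload per RFC 3948.

    A single 0xFF byte is a NAT keepalive; four zero bytes are the
    non-ESP marker in front of IKE; anything else is ESP, whose header
    starts with a 32-bit SPI followed by a 32-bit sequence number.
    """
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return {"kind": "ike"}
    if len(payload) < 8:
        return {"kind": "short", "len": len(payload)}
    spi, seq = struct.unpack("!II", payload[:8])  # network byte order
    return {"kind": "esp", "spi": spi, "seq": seq}


def check_against_sad(payload: bytes, known_spis: set) -> str:
    """Return 'ok' when an ESP payload's SPI is in the SAD, 'spi-mismatch'
    when it is not (e.g. the ESP header is missing and payload bytes are
    being read as the SPI), or the non-ESP kind otherwise."""
    info = classify_udp4500(payload)
    if info["kind"] != "esp":
        return info["kind"]
    return "ok" if info["spi"] in known_spis else "spi-mismatch"


if __name__ == "__main__":
    for name, pkt in (("missing header", MISSING_HEADER), ("correct", CORRECT)):
        print(name, classify_udp4500(pkt), check_against_sad(pkt, {SAD_SPI}))
```

Run over the payloads of captured port-4500 packets, a "spi-mismatch" verdict against the SPIs from `setkey -D` is exactly the symptom reported in the message.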
