IPSec through my firewall (SOLVED!!)
Ola Nilsson
ola at fam-nilsson.org
Wed Feb 23 09:24:17 CET 2005
Ola Nilsson <ola at fam-nilsson.org> writes:
> The ESPinUDP packets were seen as bad packets by
> ip_conntrack_proto_udp.c on line 105 function udp_error():
>
> 	/* Truncated/malformed packets */
> 	if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
> 		if (LOG_INVALID(IPPROTO_UDP))
> 			nf_log_packet(PF_INET, 0, skb, NULL, NULL,
> 				"ip_ct_udp: truncated/malformed packet ");
> 		return -NF_ACCEPT;
> 	}
>
> By removing this code from udp_error() I can successfully connect my
> IPSec tunnel.
Answering myself (again...) I have now confirmed that it is the
client's UDP packets that are wrong. A nice sysop at the other end of
the tunnel has also started working on getting it fixed in the client.
Strange, if I were to write an application using UDP, I would use the
TCP/IP stack of the machine. What I saw here was that the ISAKMP
packets had the correct length in the header, but the ESP in UDP did
not. That has to mean that someone used raw sockets, and wrote their
own UDP/IP packets to it.
Anyhow, don't take any more notice of me, of course netfilter should
not be changed since the client sends bad UDP packets...
--
/Ola Nilsson
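The check quoted above is easy to reproduce in user space, which is a handy way to confirm from a capture whether a peer's UDP length field is what conntrack is objecting to. The following is an added example, not code from the original post or from netfilter itself: it re-implements the two conditions of udp_error() (claimed length larger than the bytes actually delivered, or smaller than the 8-byte UDP header) as `udp_len_check()`, and feeds it constructed UDP/4500 datagrams built by the hypothetical helper `build_udp4500()`, one with a correct length field and two with the kind of bad length field the thread describes. The payload bytes are a constructed stand-in for ESP, not real ESP data.

```c
/* Added example (not from the original post or from netfilter's source):
 * a user-space re-implementation of the length check that the quoted
 * udp_error() applies, run over constructed ESP-in-UDP datagrams.
 * UDP header layout per RFC 768; port 4500 is the ESP-in-UDP port
 * defined by RFC 3948.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs / htons */

struct udphdr_raw {
    uint16_t source;
    uint16_t dest;
    uint16_t len;    /* network byte order: header + payload length */
    uint16_t check;
};

/* Returns 0 when the header's length field is consistent with what
 * actually arrived, -1 when conntrack's udp_error() would log it as
 * "truncated/malformed".  'udplen' is the number of bytes the IP layer
 * delivered for this datagram (header included), as in the kernel. */
int udp_len_check(const uint8_t *udp, size_t udplen)
{
    struct udphdr_raw hdr;
    if (udplen < sizeof hdr)
        return -1;             /* not even a full header present */
    memcpy(&hdr, udp, sizeof hdr);
    uint16_t claimed = ntohs(hdr.len);
    /* Same two conditions as the quoted kernel code: the header may not
     * claim more bytes than were delivered, nor fewer than the header
     * itself occupies.  A claimed length smaller than 'udplen' passes,
     * because trailing bytes beyond the UDP length are tolerated. */
    if (claimed > udplen || claimed < sizeof hdr)
        return -1;
    return 0;
}

/* Hypothetical helper: build a constructed UDP datagram on port 4500
 * carrying 'payload_len' bytes of dummy ESP.  'claimed_len' is written
 * into the length field verbatim, so a caller can reproduce a header
 * that disagrees with the real size, as the broken client did.
 * Returns the number of bytes written, 0 if the buffer is too small. */
size_t build_udp4500(uint8_t *buf, size_t bufsz, size_t payload_len,
                     uint16_t claimed_len)
{
    size_t total = sizeof(struct udphdr_raw) + payload_len;
    if (total > bufsz)
        return 0;
    struct udphdr_raw hdr = {
        .source = htons(4500),
        .dest   = htons(4500),
        .len    = htons(claimed_len),
        .check  = 0,            /* UDP checksum is optional over IPv4 */
    };
    memcpy(buf, &hdr, sizeof hdr);
    /* Constructed payload standing in for SPI, sequence number and
     * ciphertext; the check never looks inside it. */
    memset(buf + sizeof hdr, 0xAB, payload_len);
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    size_t n;

    /* 48-byte payload, length field = 8 + 48: what a correct peer sends. */
    n = build_udp4500(pkt, sizeof pkt, 48, 8 + 48);
    printf("correct header length: %s\n",
           udp_len_check(pkt, n) == 0 ? "accepted" : "malformed");

    /* Length field claims 100 bytes more than were delivered. */
    n = build_udp4500(pkt, sizeof pkt, 48, 8 + 48 + 100);
    printf("length too large:      %s\n",
           udp_len_check(pkt, n) == 0 ? "accepted" : "malformed");

    /* Length field smaller than the UDP header itself. */
    n = build_udp4500(pkt, sizeof pkt, 48, 4);
    printf("length below header:   %s\n",
           udp_len_check(pkt, n) == 0 ? "accepted" : "malformed");
    return 0;
}
```

Running it prints "accepted" for the first datagram and "malformed" for the other two, which is exactly the split the post describes between the ISAKMP packets (correct length field) and the ESP-in-UDP packets from the faulty client. To apply it to a real capture, hand `udp_len_check()` the UDP portion of the frame and the length the IP header says follows it.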