[hipl-users] Re: hipd crashes with hipconf and "This connection is insecure. Please enable HIP." problem

  • From: Sateesh Babu <sateesh.kavuri@xxxxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Tue, 2 Jun 2009 23:50:13 +0530

2009/6/2 Miika Komu <miika.komu@xxxxxxx>:
> Sateesh Babu wrote:
>
> Hi,
>
>>>> ping6 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
>>
>> ---8<---
>> $> ping6 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
>> PING 2001:001b:a9be:c6a6:34e5:8361:c07f:a990(2001:1b:a9be:c6a6:34e5:8361:c07f:a990) 56 data bytes
>> ^C
>> --- 2001:001b:a9be:c6a6:34e5:8361:c07f:a990 ping statistics ---
>> 11 packets transmitted, 0 received, 100% packet loss, time 10079ms
>> --->8---
>>
>>>> Is the state then I1_SENT?
>>
>> ---8<---
>> $> hipconf get ha all
>> Sending user message 22 to HIPD on socket 3
>> Sent 40 bytes
>> Waiting to receive daemon info.
>> 216 bytes received from HIP daemon
>> HA is ESTABLISHED
>>  Local HIT: 2001:0018:2229:4815:dd66:c380:e0c7:2a71
>>  Peer  HIT: 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
>>  Local LSI: 1.0.0.1
>>  Peer  LSI: 1.0.0.2
>>  Local IP: 192.168.1.2
>>  Local NAT traversal UDP port: 50500
>>  Peer  IP: 193.167.187.134
>>  Peer  NAT traversal UDP port: 50500
>>  Peer  hostname: crossroads.infrahip.net
>> --->8---
>>
>>>> Can you also copy paste output of:
>>>>
>>>> tcpdump -n -i any port 50500 or proto 139 or esp
>>
>> ---8<---
>> sudo tcpdump -n -i any port 50500 or proto 139 or esp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>>
>>
>> 21:01:08.166459 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44
>> 21:01:08.166479 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 44
>
> 2 x I1
>
>> 21:01:08.495036 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 668
>
> R1
>
>> 21:01:08.653581 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 636
>> 21:01:08.653602 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 636
>
> 2 x I2
>
>> 21:01:09.011610 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 244
>
> R2
>
>> 21:01:09.696582 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:09.696607 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>
> 2 x ICMPv6 echo request over ESP over UDP
>
>> 21:01:09.922207 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
>
> 1 x ICMPv6 echo response over ESP over UDP
>
>> 21:01:10.704649 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:10.704676 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:10.930596 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
>> 21:01:11.713648 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:11.713673 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:11.939719 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
>> 21:01:12.720534 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:12.720556 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:12.946564 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
>> 21:01:13.728570 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:13.728595 IP 192.168.1.2.50500 > 193.167.187.134.50500: UDP, length 116
>> 21:01:13.954634 IP 193.167.187.134.50500 > 192.168.1.2.50500: UDP, length 116
>
> ..
>
>> --->8---
>>
>>
>> Looks like the IPv6 interface of crossroads is disabled. I tried ping6
>> of crossroads.infrahip.net, but it does not work. IPv4 ping works.
>
> No, this is not the case. Your host drops the ESP packets from the server.
> Either the SAs don't match or your machine is filtering ESP or ICMPv6.

I do not think the packets are being dropped. The following is the output:

> Please check:
>
> * iptables -L -n

---8<---
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
QUEUE      all  --  0.0.0.0/0            1.0.0.0/8
--->8---

> * ip6tables -L -n
---8<---
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-INPUT  all      ::/0                 ::/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
HIPFW-FORWARD  all      ::/0                 ::/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
HIPFW-OUTPUT  all      ::/0                 ::/0

Chain HIPFW-FORWARD (1 references)
target     prot opt source               destination

Chain HIPFW-INPUT (1 references)
target     prot opt source               destination
QUEUE      all      ::/0                 2001:10::/28

Chain HIPFW-OUTPUT (1 references)
target     prot opt source               destination
--->8---


> * /etc/selinux/config (should be disabled!)

There is no such file in Ubuntu 9.04.

> * ip xfrm state output

---8<---
src 192.168.1.2 dst 193.167.187.134
        proto esp spi 0xac9fabb1 reqid 0 mode beet
        replay-window 0
        auth hmac(sha1) 0x6f487f40620682b89811ca8be8c1948b65db39a4
        enc cbc(aes) 0x708f9302614a99a22c3ae8631571152f
        encap type espinudp sport 50500 dport 50500 addr 192.168.1.2
        sel src 2001:18:2229:4815:dd66:c380:e0c7:2a71/128 dst 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128
src 193.167.187.134 dst 192.168.1.2
        proto esp spi 0x012a974f reqid 0 mode beet
        replay-window 0
        auth hmac(sha1) 0x5b24bfa7fcbec2c742d7d43a5d30f8efd8d1cc86
        enc cbc(aes) 0x75e86162d573caf29ad590ce680e2030
        encap type espinudp sport 50500 dport 50500 addr 193.167.187.134
        sel src 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128 dst 2001:18:2229:4815:dd66:c380:e0c7:2a71/128
src c1a7:bb86:: dst c0a8:102::
        proto 0 reqid 0 mode transport
        replay-window 0
        sel src 2001:18:2229:4815:dd66:c380:e0c7:2a71/128 dst 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128 proto ipv6-icmp type 128 code 0
src c1a7:bb86:: dst c0a8:102::
        proto 0 reqid 0 mode transport
        replay-window 0
        sel src 2001:18:2229:4815:dd66:c380:e0c7:2a71/128 dst 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128 proto udp sport 52463 dport 1025

--->8---

And here is the output of ip xfrm policy:

---8<---
src 2001:18:2229:4815:dd66:c380:e0c7:2a71/128 dst 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128
        dir out priority 0
        tmpl src c0a8:102:: dst c1a7:bb86::
                proto esp reqid 0 mode beet
src 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128 dst 2001:18:2229:4815:dd66:c380:e0c7:2a71/128
        dir in priority 0
        tmpl src c1a7:bb86:: dst c0a8:102::
                proto esp reqid 0 mode beet
src 2001:10::/28 dst 2001:10::/28
        dir out priority 0
        tmpl src :: dst ::
                proto 0 reqid 0 mode transport
src 2001:10::/28 dst 2001:10::/28
        dir in priority 0
        tmpl src :: dst ::
                proto 0 reqid 0 mode transport

--->8---
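Miika's first suspect above is that the SAs do not match. The following is an added example, not code from the thread or from the HIPL project: it parses `hipconf get ha all` and `ip xfrm state` text in the format the thread shows and checks that the two BEET ESP SAs mirror each other and agree with the host association (HITs as selectors, IPs as outer addresses, UDP encapsulation on the NAT traversal port). The sample text reuses the addresses from the thread; the SA key material is omitted, and the regular expressions assume this exact text layout.

```python
# Added example (not from the thread or HIPL); the sample text below copies the thread's format.
import re
from ipaddress import ip_address
HA_TEXT = """ Local HIT: 2001:0018:2229:4815:dd66:c380:e0c7:2a71
 Peer  HIT: 2001:001b:a9be:c6a6:34e5:8361:c07f:a990
 Local IP: 192.168.1.2
 Local NAT traversal UDP port: 50500
 Peer  IP: 193.167.187.134
 Peer  NAT traversal UDP port: 50500"""
XFRM_TEXT = """src 192.168.1.2 dst 193.167.187.134
        proto esp spi 0xac9fabb1 reqid 0 mode beet
        encap type espinudp sport 50500 dport 50500 addr 192.168.1.2
        sel src 2001:18:2229:4815:dd66:c380:e0c7:2a71/128 dst 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128
src 193.167.187.134 dst 192.168.1.2
        proto esp spi 0x012a974f reqid 0 mode beet
        encap type espinudp sport 50500 dport 50500 addr 193.167.187.134
        sel src 2001:1b:a9be:c6a6:34e5:8361:c07f:a990/128 dst 2001:18:2229:4815:dd66:c380:e0c7:2a71/128"""
def parse_ha(text):
    ha = {}  # (side, field) -> value; ip_address() normalises the zero-padded HITs hipconf prints
    for m in re.finditer(r"^\s*(Local|Peer)\s+(HIT|IP|NAT traversal UDP port):\s*(\S+)", text, re.M):
        side, what, val = m.groups()
        ha[side, what] = int(val) if what.startswith("NAT") else ip_address(val)
    return ha
def parse_xfrm_state(text):
    sas = []  # ESP SAs only; the proto-0 placeholder entries are skipped
    for block in re.split(r"^(?=src )", text, flags=re.M):
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head or "proto esp" not in block:
            continue
        enc = re.search(r"espinudp sport (\d+) dport (\d+)", block)
        sel = re.search(r"sel src (\S+)/128 dst (\S+)/128", block)
        sas.append({"src": ip_address(head[1]), "dst": ip_address(head[2]),
                    "mode": re.search(r"mode (\S+)", block)[1],
                    "encap": (int(enc[1]), int(enc[2])) if enc else None,
                    "sel": (ip_address(sel[1]), ip_address(sel[2])) if sel else None})
    return sas
def check_sa_pair(ha, sas):
    # Returns a list of findings; an empty list means both SAs mirror each other and match the HA.
    lhit, phit, lip, pip = ha["Local", "HIT"], ha["Peer", "HIT"], ha["Local", "IP"], ha["Peer", "IP"]
    lport, pport = ha["Local", "NAT traversal UDP port"], ha["Peer", "NAT traversal UDP port"]
    expect = {"outbound": (lip, pip, (lhit, phit), (lport, pport)),
              "inbound": (pip, lip, (phit, lhit), (pport, lport))}
    findings = []
    for name, (src, dst, sel, encap) in expect.items():
        sa = next((s for s in sas if (s["src"], s["dst"]) == (src, dst)), None)
        if sa is None:
            findings.append(f"{name}: no ESP SA {src} -> {dst}")
        else:
            findings += [f"{name}: {key} is {sa[key]!r}, HA implies {want!r}"
                         for key, want in (("mode", "beet"), ("sel", sel), ("encap", encap)) if sa[key] != want]
    return findings
```

For the thread's own values the check comes back empty, which is why the next things to look at are filtering of ESP or ICMPv6 on the host rather than the SA pair.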