(2.6 IPsec) tcpdump: "truncated-ip - 12 bytes missing!"

[martin f krafft]

Hi all,

I've not been told off with IPsec questions, so here's another one.
Using the Kame tools, I managed to get a network-to-host tunnel set
up:
                   --------------------------       --------------
  10.1.2.0/24 --- | 10.1.2.1 gateway 4.5.6.7 | --- | 4.3.2.1 host |
                   --------------------------   ^   --------------
                                                |IPsec

In words: everything between the 4.3.2.1 host and the network
10.1.2.0/24 is encrypted, with the (masquerading) gateway and the
host serving as tunnel endpoints.

This is working with the following configuration on the gateway:

  add 4.5.6.7 4.3.2.1 ah 0x200 -m tunnel -A hmac-sha1 "key1";
  add 4.3.2.1 4.5.6.7 ah 0x300 -m tunnel -A hmac-sha1 "key2";

  add 4.5.6.7 4.3.2.1 esp 0x201 -m tunnel -E twofish-cbc "key3";
  add 4.3.2.1 4.5.6.7 esp 0x301 -m tunnel -E twofish-cbc "key4";

  spdadd 10.1.2.0/24 4.3.2.1 any -P out ipsec
    esp/tunnel/4.5.6.7-4.3.2.1/require
    ah/tunnel/4.5.6.7-4.3.2.1/require;

  spdadd 4.3.2.1 10.1.2.0/24 any -P in ipsec
    esp/tunnel/4.3.2.1-4.5.6.7/require
    ah/tunnel/4.3.2.1-4.5.6.7/require;

and the same on the single host, with the policies switched.

Connectivity is fine, but as I checked the packets arriving at the
single host with tcpdump, I was kinda startled and don't know
anymore what's going on. Here's the output of one timestep (they are
all at the same time), line by line:

 1. 4.5.6.7 > 4.3.2.1: AH(spi=0x00000200,seq=0xcd):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

perfect! the packet arrived from the gateway, the AH and ESP SPIs
are what I told them to be.

 2. 4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

what's this? i only sent one packet, and even though the ESP SPI is
correct, the AH SPI is totally random. tcpdump now says:

    truncated-ip - 12 bytes missing!
    4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: [|ip] (ipip-proto-4) (ipip-proto-4)

and then (a fraction of a second later):

 3. 4.3.2.1 > 4.5.6.7: AH(spi=0x00000300,seq=0xfc6):
    4.3.2.1 > 4.5.6.7: ESP(spi=0x00000301,seq=0xfc6)
    (DF) [tos 0x10]  (ipip-proto-4)

this is the answer, using the appropriate SPIs for AH and ESP.

So then, where did the second packet come from?

Thanks for any input!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
there is no place like ~

Attachment: signature.asc
Description: Digital signature