Re: IPSec/routing bug in 10.2?
  • Subject: Re: IPSec/routing bug in 10.2?
  • From: Joshua Graessley <email@hidden>
  • Date: Mon, 16 Sep 2002 17:46:24 -0700

On Monday, September 16, 2002, at 02:09 PM, Mike Laster wrote:

I have a VPN tunnel endpoint on a 10.2 box and am seeing what appears to be a bug in either
IPSec or OS X routing.

I can ping the host on the other end of the tunnel just fine from another box on my network. However
any attempt at opening a TCP connection (telnet) times out while trying to establish a socket.

Here's where it gets weird. If I run tcpdump on my gateway box (not the one I'm running the telnet from)
then it works! It seems that en0 on the gateway has to be in promiscuous mode or else TCP responses
from the other end of the VPN are not seen. I don't know how ICMP works but TCP doesn't though.
It's a mystery to me.

Is this a bug, or did I just misconfigure something?

Yes. :)

One tool of use is setkey. sudo setkey -D will dump all of the security associations. You should be able to locate the associations that correspond to your tunnel. These security associations have multiple counts of bytes I think. You may be able to use this information to figure out if your TCP traffic is actually being routed to your tunnel (the counts should be going up).

I believe that IPSec processing occurs before routing on the outbound direction. The packets you send will match the IPSec policy. IPSec will look up the security association for details. When the security association is found, for tunnel mode, the new IP header and any IPSec headers will be created and the encapsulated traffic will be signed and/or encrypted. The packet with the new IP header then gets routed normally. I think it might be possible for the new IP header to be checked for a matching IPSec policy before it gets to routing. Anyhow, I'm sure you probably know all of this already.

I didn't see anything obviously wrong with your configuration.

-josh
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macnetworkprog
Do not post admin requests to the list. They will be ignored.
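The check Josh describes (watch the per-SA byte counters in `setkey -D` while reproducing the hang) can be scripted. The example below is added here and is not from the thread; it parses two snapshots in the KAME-style `setkey -D` layout and reports the SAs whose counters did not move, which for a tunnel pair points at the direction whose traffic is not going through IPSec. The sample dumps are constructed, with made-up addresses and SPIs.

```python
import re

# Lines of KAME/racoon `setkey -D` output that this check relies on.
SA_HEAD = re.compile(r"^(\S+) (\S+)$")                   # "src dst" line opens an SA
SA_SPI = re.compile(r"^\s+(esp|ah) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\)")
SA_BYTES = re.compile(r"^\s+current: (\d+)\(bytes\)")    # bytes handled by this SA

def parse_setkey_dump(text):
    """Map (src, dst, proto, spi) -> byte counter for every SA in a dump."""
    sas, src, dst, key = {}, None, None, None
    for line in text.splitlines():
        m = SA_HEAD.match(line)
        if m:
            src, dst, key = m.group(1), m.group(2), None
            continue
        m = SA_SPI.match(line)
        if m and src:
            key = (src, dst, m.group(1), m.group(3))
            continue
        m = SA_BYTES.match(line)
        if m and key:
            sas[key] = int(m.group(1))
    return sas

def idle_tunnel_sas(before, after):
    """SAs present in both dumps whose byte counter did not change between them:
    the traffic for that direction is not being carried by the tunnel."""
    b, a = parse_setkey_dump(before), parse_setkey_dump(after)
    return sorted(k for k in b if k in a and a[k] == b[k])

def sample_dump(out_bytes, in_bytes):
    """Constructed two-SA tunnel dump in `setkey -D` layout (values made up)."""
    return (
        "192.0.2.1 198.51.100.1\n"
        "\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)\n"
        "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
        f"\tcurrent: {out_bytes}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n"
        "\tallocated: 10\thard: 0\tsoft: 0\n"
        "198.51.100.1 192.0.2.1\n"
        "\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)\n"
        "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
        f"\tcurrent: {in_bytes}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n"
        "\tallocated: 8\thard: 0\tsoft: 0\n"
    )

if __name__ == "__main__":
    # Outbound counter moved while the telnet was attempted, inbound did not.
    for sa in idle_tunnel_sas(sample_dump(1200, 800), sample_dump(4800, 800)):
        print("no traffic on SA", sa)
```

Run `sudo setkey -D` once before and once after the telnet attempt and feed the two captures to `idle_tunnel_sas` in place of the constructed samples.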

References: 
 >IPSec/routing bug in 10.2? (From: Mike Laster <email@hidden>)
