I've just seen something similar and can recreate it with static keying via setkey.
The symptom was that ping was only working in one direction, and I quintuple-checked the configs and that they have the same kernels etc., then ran a bunch of tcpdumps on each and on a router in the middle with various protocols. Some protocols work (ssh) but others (ftp) don't. Also verified the problem via simple telnet to these ports. In one case, the ftp server receives a SYN from the client over ipsec just fine but the synack goes out in cleartext (also verified the server is in SYN_RECV), and the client drops these.

tcpdump on intermediate router:

[ SYN packet from client, ESP encapsulated as expected ]
IP (tos 0x10, ttl 63, id 4588, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.2.2 > 10.1.3.2: ESP(spi=0x00055555,seq=0x4), length 84

[ SYNACK from server, in the clear, not expected ]
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 10.1.3.2.ftp > 10.1.2.2.53123: S, cksum 0x314c (correct), 2413701424:2413701424(0) ack 2343803769 win 11844 <mss 3960,sackOK,timestamp 1018642 690836,nop,wscale 9>

Again note that another protocol such as SSH works as expected.

Connecting from the other side, it looks fine:

IP (tos 0x10, ttl 64, id 33701, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.3.2 > 10.1.2.2: ESP(spi=0x00066666,seq=0x1), length 84
IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.2.2 > 10.1.3.2: ESP(spi=0x00055555,seq=0x1), length 84

Another odd thing I noticed was that a ping client in the non-working direction segfaulted under strace (once).

These are both x86 machines running the kernel 2.6.18-1.2699.fc6 (note that this has xen patches but is running bare metal).

I ran tcpdump for the above ftp and ssh cases to see if there was anything different about the packets (e.g. TOS or TCP opts) but found nothing -- it all looks fine, as well as using nc to make sure they're selecting source ports of a similar value etc.

Will try with an upstream kernel and see what happens.
-- James Morris <[EMAIL PROTECTED]>
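The kind of check the post describes by hand (does every packet between two IPsec-protected hosts actually leave the box as ESP, and are both SAs being used?) is easy to automate over tcpdump -v output. The following is an added example, not code from James Morris's message or from the kernel/netdev project: it parses the tcpdump lines quoted above (embedded here as a constructed sample), flags any non-ESP IP packet between a host pair that the policy says must be protected, and tallies the SPIs seen per direction so a one-way SA problem stands out. The host-pair policy and the line format assumed are those visible in the post; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the four tcpdump -v lines quoted in the message above.
SAMPLE_CAPTURE = """\
IP (tos 0x10, ttl 63, id 4588, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.2.2 > 10.1.3.2: ESP(spi=0x00055555,seq=0x4), length 84
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 10.1.3.2.ftp > 10.1.2.2.53123: S, cksum 0x314c (correct), 2413701424:2413701424(0) ack 2343803769 win 11844 <mss 3960,sackOK,timestamp 1018642 690836,nop,wscale 9>
IP (tos 0x10, ttl 64, id 33701, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.3.2 > 10.1.2.2: ESP(spi=0x00066666,seq=0x1), length 84
IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: ESP (50), length: 104) 10.1.2.2 > 10.1.3.2: ESP(spi=0x00055555,seq=0x1), length 84
"""

# Assumption for the example: the SPD requires ESP for all traffic between
# these two hosts (a single host-to-host policy, as with static setkey keying).
PROTECTED_PAIRS = {frozenset({"10.1.2.2", "10.1.3.2"})}

# Matches the "IP (...) src > dst: rest" shape of tcpdump -v on this kernel era.
_LINE_RE = re.compile(
    r"^IP \(.*?proto: (?P<proto>\w+) \((?P<pnum>\d+)\), length: \d+\) "
    r"(?P<src>\S+) > (?P<dst>\S+):(?P<rest>.*)$"
)
_SPI_RE = re.compile(r"spi=(0x[0-9a-fA-F]+)")


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[str]]:
    """'10.1.3.2.ftp' -> ('10.1.3.2', 'ftp'); '10.1.2.2' -> ('10.1.2.2', None).

    tcpdump appends the port (or service name) as a fifth dotted component.
    """
    parts = endpoint.split(".")
    host = ".".join(parts[:4])
    port = parts[4] if len(parts) > 4 else None
    return host, port


def parse_tcpdump_line(line: str) -> Optional[Dict]:
    """Return a record for one tcpdump -v line, or None if it is not an IP line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    rec = {"proto": m["proto"], "src": src, "dst": dst,
           "sport": sport, "dport": dport, "spi": None}
    if m["proto"] == "ESP":
        spi = _SPI_RE.search(m["rest"])
        rec["spi"] = spi.group(1) if spi else None
    return rec


def find_cleartext_leaks(capture: str, protected_pairs) -> List[Dict]:
    """Packets between a protected host pair that are not ESP encapsulated."""
    leaks = []
    for line in capture.splitlines():
        rec = parse_tcpdump_line(line)
        if rec is None:
            continue
        pair = frozenset({rec["src"], rec["dst"]})
        if pair in protected_pairs and rec["proto"] != "ESP":
            leaks.append(rec)
    return leaks


def spis_by_direction(capture: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (src, dst) -> SPIs seen, to confirm an SA is in use in each direction."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for line in capture.splitlines():
        rec = parse_tcpdump_line(line)
        if rec and rec["proto"] == "ESP" and rec["spi"]:
            seen.setdefault((rec["src"], rec["dst"]), set()).add(rec["spi"])
    return seen


if __name__ == "__main__":
    for leak in find_cleartext_leaks(SAMPLE_CAPTURE, PROTECTED_PAIRS):
        print("CLEARTEXT LEAK: %s %s:%s > %s:%s" % (
            leak["proto"], leak["src"], leak["sport"], leak["dst"], leak["dport"]))
    for (src, dst), spis in sorted(spis_by_direction(SAMPLE_CAPTURE).items()):
        print("ESP %s > %s: SPIs %s" % (src, dst, ", ".join(sorted(spis))))
```

Run against the sample, the only leak reported is the ftp SYN-ACK from 10.1.3.2 to 10.1.2.2, while both SPIs (0x00055555 and 0x00066666) are seen in their respective directions, which matches the post's observation that the SAs exist in both directions and the leak is per-flow rather than per-SA. Feeding it a live `tcpdump -v -n -i eth0 host 10.1.2.2` on the intermediate router would flag any further protocol that escapes the policy.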