IPSEC via NAT-Interface does not work properly in Linux Guest -> fixed in svn/3.0.8

I just saw that I forgot to mention: Host OS is either Debian Lenny or Ubuntu 9.10 (both tested positive regarding this issue) and the message regarding IPv6 is seen in the vBox-log.

Could you please attach the log file anyway?

Replying to Hachiman:

Could you please attach the log file anyway?

Could you please send me [vasily _dot_ levchenko _at_ Sun _dot_ COM] pcap file?

A saved logfile of the pcap debugging session mentioned below

please try 3.0.6 b1?

Thank you very much for the link to the upcoming 3.0.6 release. I've mailed you a logfile and three .pcaps of an ipsec session.
Seems like the VBox-NAT engine does currently not forward the NONESP-encap packets on port 4500/udp.

Could you please send me pcap files you've got with 3.0.6 b1?

In addition to that I tried every hardware type which Virtualbox provides to rule out driver dependencies on the guest operation system but to no avail.
After analyzing the pcaps made this morning, I saw that the missing UDP-packets are fragmented.

tcpdump -vvnr trace-guest-nat.pcap | less

leads to:

06:02:31.836466 IP (tos 0x0, ttl 64, id 47184, offset 0, flags [+], proto UDP (17), length 1500) 10.0.2.15.4500 > 217.XXX.XXX.XXX.4500: NONESP-encap: [.. omitted ..])
06:02:31.836515 IP (tos 0x0, ttl 64, id 47184, offset 1480, flags [none], proto UDP (17), length 436) 10.0.2.15 > 217.XXX.XXX.XXX: udp

The NONESP-Packet is split into two fragments according to the MTU of the 'nat'ed interface of the guest.
None of the fragments show up on the host interface. Don't know whether this finding is directly related to this issue though.

Forgot to mention: This finding is made from the "trace-guest-nat.pcap" sent to you this morning.

Replying to vondralbra:

Forgot to mention: This finding is made from the "trace-guest-nat.pcap" sent to you this morning.

Could you please re-send it because I've not got it yet?

Good, finely received, thanks. BTW does skip packets with if change adapter on pcnet or e1k ?

Like i said at 2009-09-08 07:17:03: I switched through every available hardware to check whether a driver problem is in question.
I made a pcap of all sessions involved in this driver switch.
All pcaps had the same pattern: The fragmented NONESP on 4500/udp did not get through the NAT layer.
The sourcecode on the changeset query is recent and all the same over the different flavours of VirtualBox?
I saw some interesting debugging hooks lurking around there and I wonder whether they are compile time only.

Issue exists also in the 3.0.6 release as of 9/9/9.
To reproduce the packet drop of fragmented packets in this 3.0.6 release install hping2 on the guest and run:

hping --udp -p 4500 -d 1500 217.XXX.XXX.XXX

on the guest. This sends a 1500 byte UDP-Packet on Port 4500 to the host 217.XXX.XXX.XXX.

When monitoring the traffic to 217.XXX.XXX.XXX on the host interface no traffic is seen by the command

tcpdump -n -i eth0 host 217.XXX.XXX.XXX

on the host.

If the "-d " parameter to hping2 is set to 1300 then the traffic passes flawlessly.

tcpdump -n -i eth0 host 217.XXX.XXX.XXX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:55:30.075483 IP 192.168.186.199.34351 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1300
09:55:31.073671 IP 192.168.186.199.60190 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1300
09:55:32.069253 IP 192.168.186.199.45788 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1300
^C
3 packets captured
4 packets received by filter
0 packets dropped by kernel

The "-d" parameter should be modified accordingly to your setup and network's MTU size.
I saw a ICMP-Frag-needed packet was able to switch the NAT-Engine to pass the fragments through.

root@fw:~# hping --udp -p 4500 -d 1470 217.XXX.XXX.XXX
HPING 217.XXX.XXX.XXX (eth1 217.XXX.XXX.XXX): udp mode set, 28 headers + 1470 data bytes
ICMP Fragmentation Needed/DF set from ip=192.168.186.254

like seen here:

09:51:00.002204 IP 192.168.186.199.37574 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1464
09:51:00.002212 IP 192.168.186.199 > 217.XXX.XXX.XXX: udp
09:51:00.998175 IP 192.168.186.199.60287 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1464
09:51:00.998181 IP 192.168.186.199 > 217.XXX.XXX.XXX: udp
09:51:01.997823 IP 192.168.186.199.38287 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1464
09:51:01.997831 IP 192.168.186.199 > 217.XXX.XXX.XXX: udp
09:51:02.990996 IP 192.168.186.199.44635 > 217.XXX.XXX.XXX.4500: UDP-encap: ESP(...), length 1464
09:51:02.991000 IP 192.168.186.199 > 217.XXX.XXX.XXX: udp

vondralbra, Could you please check if http://virtualbox.org/download/testcase/virtualbox-3.0_3.0.7-52933_Debian_lenny_amd64.deb fixes problem for you?

Thank you very much.
Installation went flawlessly atop 3.0.6 production.
But IPSEC is still not working in NAT but in bridged mode.

md5sum of the DeviceDriver? is: c55788251663d30656ba8d598b22e2cd VBoxDD.so
pcaps taken on the guest and on the host simultaneously show,
that the sending side (guest) is ok now.

The receiving side on the guest receives malformed packets during IKE_AUTH.

Replying to vondralbra:

Thank you very much.
Installation went flawlessly atop 3.0.6 production.
But IPSEC is still not working in NAT but in bridged mode.
md5sum of the DeviceDriver? is: c55788251663d30656ba8d598b22e2cd VBoxDD.so
pcaps taken on the guest and on the host simultaneously show,
that the sending side (guest) is ok now.

The receiving side on the guest receives malformed packets during IKE_AUTH.

Could you please send pcaps files to me ?

Thanks for pcap files. From them I can conclude that udp socket fetches received server response not fully, to verify this I'd offer you debug library to get more detailed log.

Replying to Hachiman:

Thanks for pcap files. From them I can conclude that udp socket fetches received server response not fully, to verify this I'd offer you debug library to get more detailed log.

Could you please download http://virtualbox.org/download/testcase/VBoxDD.so.4801? It's debug build compatible you've downloaded before. Could you please replace corresponded bits and do the following:

# export VBOX_LOG=drv_nat.e.l2.l3.l4
# export VBOX_LOG_DEST=file=nat.log
# VirtualBox -startvm <your-vm>

I'd very appreciate if you'll able to send to me nat.log and release log from ~/.VirtualBox plus pcap files :).

Replying to Hachiman:

Replying to Hachiman:

Other bits http://virtualbox.org/download/testcase/VBoxDD.so.4801.exp

# export VBOX_LOG=drv_nat.e.l2.l3.l4
# export VBOX_LOG_DEST=file=nat.log
# VirtualBox -startvm <your-vm>

I'd very appreciate if you'll able to send to me nat.log. Here I've add code checking the rest bits on the socket available for reading after first read.

In received pcap files I observed that IKE_AUTH, indeed not fully forwarded to guest. I've updated VBoxDD.so.4801.exp bits to log socket operation and latter fragmentation, to detect at which steps the corruption is happens. I'd appreciate if you collect pcap files with the logs like we did it before.
Thank you for cooperation.

I've updated VBoxDD.so.4801 bits, that fixes socket reading bug. Please try if it fixes problem for you. If no, please send me logs and pcaps will dig deeper.

Just tested the binary.
IPSEC in a NAT'ed guest works like a charm and out of the box now using this VBoxDD.so.4801. md5sum (for the record) of it is :
60ea1d7d8ce6e03c016b48b8e25055eb VBoxDD.so
Thank you very very much for your hard and eager work on this issue.

Replying to vondralbra:

Just tested the binary.
IPSEC in a NAT'ed guest works like a charm and out of the box now using this VBoxDD.so.4801. md5sum (for the record) of it is :
60ea1d7d8ce6e03c016b48b8e25055eb VBoxDD.so
Thank you very very much for your hard and eager work on this issue.

Great, will send you release bits.

here are release bits

Release-binary installs without any glitches atop 3.0.6 production.
IPSEC via NAT works right out of the box.
You guys - and especially hachiman - did a pretty good job!
Thanks a lot and all the best wishes!