LARTC - Sep 2004 - strange behavior of ipsec tunnel mode

hello

i am trying to set up ipsec in my network, for now just between two hosts, using
to use AH & ESP
in tunnel mode to get all of packet encrypted. keys are negotiated with racoon.
mayby using tunnel mode in this case can seems strange, but i know what i am
doing.
after setting up everything i have done few tests with ping & tcpdump. but
the results are very suprising.
bellow is what i got when trying to ping (ping -I 192.168.2.11 192.168.1)

16:09:36.289743 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x3):
IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x3) (ipip-proto-4)
16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x3):
IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3) (ipip-proto-4)

so far so nice...

16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3)

yet another ESP ?

16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 2

???? (you do not exist. go away.)

16:09:37.290596 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x4):
IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x4):
IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 3

so as you can see 192.168.2.10 responds with three packets on each ping. why is
it so ?
what should i od to get proper ipsec configuration here ? i can add that same
results are with other protocols as well.

bellow is my configuration:

on host 192.168.2.10:

raccon.conf

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/certs";

listen {
        isakmp 192.168.2.10;
        strict_address;
}

remote 192.168.2.11 {

        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "mad.public" "mad.private";
        peers_certfile x509 "laptop.public";
        send_cert on;
        send_cr on;
        verify_cert on;
        lifetime time 300 sec;
        passive off;
        proposal_check strict;
        nonce_size 256;

        proposal {
                encryption_algorithm blowfish 448;
                hash_algorithm sha1 512;
                authentication_method rsasig;
                dh_group modp4096;
                lifetime time 300 sec;
        }
}

sainfo anonymous {

       pfs_group modp4096;
       lifetime time 300 sec;
       encryption_algorithm rijndael 256;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

padding {
        randomize on;
        randomize_length on;
        strict_check on;
}

script for setting up policy:


#!/usr/bin/setkey -f
flush;
spdflush;


spdadd 192.168.2.10/32 192.168.2.11/32 any -P out ipsec
            esp/tunnel/192.168.2.10-192.168.2.11/require
            ah/tunnel/192.168.2.10-192.168.2.11/require;

spdadd 192.168.2.11/32 192.168.2.10/32 any -P in ipsec
            esp/tunnel/192.168.2.11-192.168.2.10/require
            ah/tunnel/192.168.2.11-192.168.2.10/require;


configuration for host 192.168.2.11:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/certs";

listen {
        isakmp 192.168.2.11;
        strict_address;
}

remote 192.168.2.10 {

        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "laptop.public"
"laptop.private";
        peers_certfile x509 "mad.public";
        send_cert on;
        send_cr on;
        verify_cert on;
        lifetime time 300 sec;
        passive off;
        proposal_check strict;
        nonce_size 256;

        proposal {
                encryption_algorithm blowfish 448;
                hash_algorithm sha1 512;
                authentication_method rsasig;
                dh_group modp4096;
                lifetime time 300 sec;
        }
}

sainfo anonymous {

       pfs_group modp4096;
       lifetime time 300 sec;
       encryption_algorithm rijndael 256;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

padding {
        randomize on;
        randomize_length on;
        strict_check on;
}


script for setting up policy:

#!/usr/bin/setkey -f
flush;
spdflush;


spdadd 192.168.2.11/32 192.168.2.10/32 any -P out ipsec
            esp/tunnel/192.168.2.11-192.168.2.10/require
            ah/tunnel/192.168.2.11-192.168.2.10/require;

spdadd 192.168.2.10/32 192.168.2.11/32 any -P in ipsec
            esp/tunnel/192.168.2.10-192.168.2.11/require
            ah/tunnel/192.168.2.10-192.168.2.11/require;


what have i done wrong ?

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

It''s because recived packet is decapsulated (from AH) and reinserted
into your
interface (e.g. eth0). Then it''s decapsulated from ESP and reinserted
one more
time in plain. In FreeS/WAN packets ware inserted in ipsec0 instead of original
eth0.

It''s normal. You don''t see the same with sent packets because
wey are inserted
into interface (eth0) after being encrypted.


PoltoS/

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
-------------------------------------------------
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

ok, so why i do not see such a packets in transport mode ?
if everything works good (as it looks so) i should not care, but anyway.

Albeiro



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/