Sylvain BERTRAND
2005-Apr-27 14:29 UTC
26sec kame ipsec tunnel : packets leave unencrypted...
Hi everyone,
First of all, this is my first post in this ML, so I'm not sure that this
is the right place for my question (please don't shoot me down ;)). For
the record, I've been reading and using LARTC for almost 3 years now, and
it's a great help for anyone who wants to learn linux networking.
My problem:
I want to set up a tunnel for the following networks (tunnel esp 3des):

192.168.1.0/24 -|A|- 62.212.109.16 <--- INTERNET ---> 82.234.240.117 -|B|- 192.168.0.0/24
On "B", setkey -DP gives the following:

192.168.0.0/24[any] 192.168.1.0/24[any] any
	out ipsec
	esp/tunnel/82.234.240.117-62.212.109.16/require
	created: Apr 27 12:18:35 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=313 seq=5 pid=5812
	refcnt=1
When I try to ping the A router from the B router (using 192.168.
addresses of course), packets are sent unencrypted. And I can't figure out
why.
Does anyone have an idea?
I've already set up such tunnels in the past (successfully), but before
the 26sec was modified, and with ipsec-tools prior to 0.5.
Thanks for your help.
Sylvain
salut sylvain,
to do your vpn, you'll need a little bit more policy (if you want to set
your policy manually). here's an example shell script to set policy:
#!/sbin/setkey -f
flush;
spdflush;

#                     ======ESP=====
#                     |            |
# Network Left --- Gateway Left --- Gateway Right --- Network Right

# ----- Gateway Left
#spdadd left_net/nn right_net/nn any -P out ipsec
#	esp/tunnel/left_gateway_ip-right_gateway_ip/require;
#spdadd right_net/nn left_net/nn any -P in ipsec
#	esp/tunnel/right_gateway_ip-left_gateway_ip/require;
#spdadd right_net/nn left_net/nn any -P fwd ipsec
#	esp/tunnel/right_gateway_ip-left_gateway_ip/require;

# ----- Gateway Right
#spdadd right_net/nn left_net/nn any -P out ipsec
#	esp/tunnel/right_gateway_ip-left_gateway_ip/require;
#spdadd left_net/nn right_net/nn any -P in ipsec
#	esp/tunnel/left_gateway_ip-right_gateway_ip/require;
#spdadd left_net/nn right_net/nn any -P fwd ipsec
#	esp/tunnel/left_gateway_ip-right_gateway_ip/require;

# left side is then:
# traffic from 192.168.1.0/24 to 192.168.0.0/24 leaves through the tunnel
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
	esp/tunnel/62.212.109.16-82.234.240.117/require;
# traffic from 192.168.0.0/24 delivered to this gateway itself
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
	esp/tunnel/82.234.240.117-62.212.109.16/require;
# traffic from 192.168.0.0/24 forwarded on to hosts in 192.168.1.0/24
spdadd 192.168.0.0/24 192.168.1.0/24 any -P fwd ipsec
	esp/tunnel/82.234.240.117-62.212.109.16/require;
#EOF
check "man racoon.conf" and look at "generate_policy" and "passive".
these options allow you to have one side of your vpn set as passive, and
it will build its policy based on the other side's request.
cheers
charles shick
On Wed, 2005-04-27 at 16:29 +0200, Sylvain BERTRAND wrote:
> Hi everyone,
>
> First of all, this is my first post in this ML, so I'm not sure that this
> is the right place for my question (please don't shoot me down ;)). For
> the record, I've been reading and using LARTC for almost 3 years now, and
> it's a great help for anyone who wants to learn linux networking.
>
> My problem:
>
> I want to set up a tunnel for the following networks (tunnel esp 3des):
>
> 192.168.1.0/24 -|A|- 62.212.109.16 <--- INTERNET ---> 82.234.240.117 -|B|- 192.168.0.0/24
>
> On "B", setkey -DP gives the following:
>
> 192.168.0.0/24[any] 192.168.1.0/24[any] any
> 	out ipsec
> 	esp/tunnel/82.234.240.117-62.212.109.16/require
> 	created: Apr 27 12:18:35 2005  lastused:
> 	lifetime: 0(s) validtime: 0(s)
> 	spid=313 seq=5 pid=5812
> 	refcnt=1
>
> When I try to ping the A router from the B router (using 192.168.
> addresses of course), packets are sent unencrypted. And I can't figure out
> why.
>
> Does anyone have an idea?
>
> I've already set up such tunnels in the past (successfully), but before
> the 26sec was modified, and with ipsec-tools prior to 0.5.
>
> Thanks for your help.
>
> Sylvain
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
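The out/in/fwd rule in the template above, worked into a small generator plus a consistency check between the two gateways. This is an added example written for this page, not code from the thread or from ipsec-tools; the function and variable names (spd_policies, setkey_script, sides_consistent, A, B) are my own, and the addresses are the ones from the thread. The check matters because Linux passes traffic that matches no SPD entry in the clear, so a selector or endpoint mistyped on one side produces exactly the symptom described in this thread rather than an error.

```python
"""Generate the setkey SPD entries for one gateway of a net-to-net ESP tunnel.

Added example for this thread, not code posted by the participants.
Rule encoded here: a gateway needs an 'out' policy for traffic from its
own network to the remote network (tunnel endpoints local->remote) and
'in' plus 'fwd' policies for the reverse direction (endpoints
remote->local). 'in' covers packets addressed to the gateway itself,
'fwd' covers packets it forwards on to hosts behind it.
"""
import ipaddress


def spd_policies(local_net, remote_net, local_gw, remote_gw, proto="esp"):
    """Return the spdadd lines for the gateway that owns local_net."""
    # Validate early: setkey only complains at load time, and a typo here
    # does not fail closed, it leaves traffic outside the tunnel.
    local_net = str(ipaddress.ip_network(local_net, strict=True))
    remote_net = str(ipaddress.ip_network(remote_net, strict=True))
    local_gw = str(ipaddress.ip_address(local_gw))
    remote_gw = str(ipaddress.ip_address(remote_gw))

    outbound = f"{proto}/tunnel/{local_gw}-{remote_gw}/require"
    inbound = f"{proto}/tunnel/{remote_gw}-{local_gw}/require"
    return [
        # traffic leaving our network for the remote network
        f"spdadd {local_net} {remote_net} any -P out ipsec {outbound};",
        # traffic arriving from the remote network, delivered to this host
        f"spdadd {remote_net} {local_net} any -P in ipsec {inbound};",
        # traffic arriving from the remote network, forwarded to our hosts
        f"spdadd {remote_net} {local_net} any -P fwd ipsec {inbound};",
    ]


def setkey_script(local_net, remote_net, local_gw, remote_gw):
    """Complete `setkey -f` input for one gateway, flushing the old SPD first."""
    header = ["#!/sbin/setkey -f", "flush;", "spdflush;"]
    return "\n".join(header + spd_policies(local_net, remote_net, local_gw, remote_gw)) + "\n"


def sides_consistent(a, b):
    """True when a's outbound policy is b's inbound policy and vice versa.

    a and b are (local_net, remote_net, local_gw, remote_gw) tuples as seen
    from each gateway. A mismatch means one side will not match the other's
    traffic and that traffic will leave unencrypted.
    """
    a_out, a_in, _ = spd_policies(*a)
    b_out, b_in, _ = spd_policies(*b)

    def tunnel(line):            # the "esp/tunnel/src-dst/require;" part
        return line.split("ipsec ")[1]

    def nets(line):              # the (src_net, dst_net) selector
        return tuple(line.split()[1:3])

    return (tunnel(a_out) == tunnel(b_in) and nets(a_out) == nets(b_in)
            and tunnel(b_out) == tunnel(a_in) and nets(b_out) == nets(a_in))


# Side A and side B from the thread, each described from its own point of view.
A = ("192.168.1.0/24", "192.168.0.0/24", "62.212.109.16", "82.234.240.117")
B = ("192.168.0.0/24", "192.168.1.0/24", "82.234.240.117", "62.212.109.16")

if __name__ == "__main__":
    print(setkey_script(*A))
    print(setkey_script(*B))
    print("sides consistent:", sides_consistent(A, B))
```

Keeping both sides as one pair of tuples and deriving every spdadd line from them is the point: the two gateways must be exact mirror images, and the duplicated "in" entry in the hand-written script above is the kind of slip that a generator does not make.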
hi sylvain,

what does "setkey -D" say?

cheers

charles

On Thu, 2005-04-28 at 10:16 +0200, Sylvain BERTRAND wrote:
> On Thu 28 April 2005 9:50, lartc wrote:
> > [...]
>
> This is exactly what I did (except for the spdadd fwd which is done
> automatically). I did not include the whole script in my original mail,
> but this really is what I did (below is my /etc/ipsec.conf file on
> 192.168.0.95).
>
> I just don't get why packets leave unencrypted...
>
> Regards,
>
> Sylvain
>
> #!/usr/bin/setkey -f
>
> # ipsec.conf
>
> flush;
> spdflush;
>
> add 62.212.109.16 82.234.240.117 esp 0x201 -m tunnel -E 3des-cbc \
> 	0x**** -A hmac-md5 0x****;
>
> add 82.234.240.117 62.212.109.16 esp 0x301 -m tunnel -E 3des-cbc \
> 	0x**** -A hmac-md5 \
> 	0x****;
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
> 	esp/tunnel/62.212.109.16-82.234.240.117/require;
>
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
> 	esp/tunnel/82.234.240.117-62.212.109.16/require;
hi sylvain,

yea -- i'm a little lost here as well. it appears that you have a tunnel
and policy, therefore, i too am a bit confused. counters reflect 0 in
setkey -D ... traffic is not using the tunnel.

if i were you, i would start with a simple tunnel (psk) and watch what
happens on each side with racoon -F -d -- make small changes each time
and work back towards your current config.

you could also post to ralf spenneberg's site -- he's quite the whiz
http://www.spenneberg.com

cheers & bonne chance

charles

On Thu, 2005-04-28 at 15:55 +0200, Sylvain BERTRAND wrote:
> Here's the output:
>
> black:~# setkey -D
> 62.212.109.16 82.234.240.117
> 	esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
> 	E: 3des-cbc ******** ******** ******** ******** ******** ********
> 	A: hmac-md5 ******** ******** ******** ********
> 	seq=0x00000000 replay=0 flags=0x00000000 state=mature
> 	created: Apr 28 14:14:23 2005	current: Apr 28 15:53:54 2005
> 	diff: 5971(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=8747 refcnt=0
> 82.234.240.117 62.212.109.16
> 	esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
> 	E: 3des-cbc ******** ******** ******** ******** ******** ********
> 	A: hmac-md5 ******** ******** ******** ********
> 	seq=0x00000000 replay=0 flags=0x00000000 state=mature
> 	created: Apr 28 14:14:23 2005	current: Apr 28 15:53:54 2005
> 	diff: 5971(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=8747 refcnt=0
> black:~#
>
> Thank you for your help
>
> Sylvain
>
> On Thu 28 April 2005 15:44, lartc wrote:
> > hi sylvain,
> >
> > what does "setkey -D" say?
> >
> > cheers
> >
> > charles
> >
> > [...]
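Charles's diagnostic is that both SAs exist and are mature, yet their byte and allocation counters never move, so the traffic is bypassing them. The parser below, added here and not part of the thread or of ipsec-tools, reads `setkey -D` output and lists mature SAs that have never carried a byte. The sample text is constructed in the shape of the output posted above (keys masked as setkey prints them), with the second SA given non-zero counters so the check has a used SA to contrast against; the function names (parse_sad, idle_sas, report) are my own.

```python
"""Flag security associations that exist but carry no traffic.

Added example for this thread. Input is the text of `setkey -D`; an SA
block starts with an unindented "src dst" line and is followed by
indented attribute lines, which is the only structure relied on here.
"""
import ipaddress
import re

# Constructed sample modelled on the output posted above; not a capture
# from the posters' hosts. The second SA is given non-zero counters.
SAMPLE = """\
black:~# setkey -D
62.212.109.16 82.234.240.117
        esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
        E: 3des-cbc ******** ******** ******** ******** ******** ********
        A: hmac-md5 ******** ******** ******** ********
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 28 14:14:23 2005   current: Apr 28 15:53:54 2005
        diff: 5971(s)   hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=8747 refcnt=0
82.234.240.117 62.212.109.16
        esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
        E: 3des-cbc ******** ******** ******** ******** ******** ********
        A: hmac-md5 ******** ******** ******** ********
        seq=0x0000000c replay=0 flags=0x00000000 state=mature
        created: Apr 28 14:14:23 2005   current: Apr 28 15:53:54 2005
        diff: 5971(s)   hard: 0(s)      soft: 0(s)
        last: Apr 28 15:53:50 2005      hard: 0(s)      soft: 0(s)
        current: 1536(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 12   hard: 0 soft: 0
        sadb_seq=0 pid=8747 refcnt=0
black:~#
"""

SA_PROTO = re.compile(r"^\s+(\w+)\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-fA-F]+)\)")
SA_STATE = re.compile(r"\bstate=(\w+)")
SA_BYTES = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")   # not the "created/current" timestamp line
SA_ALLOC = re.compile(r"^\s+allocated:\s+(\d+)")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_sad(text):
    """Parse `setkey -D` output into one dict per security association."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            # Column 0: either an "src dst" SA header or noise such as a
            # shell prompt, which ends the current block.
            parts = line.split()
            if len(parts) == 2 and all(_is_ip(p) for p in parts):
                cur = {"src": parts[0], "dst": parts[1], "proto": None,
                       "mode": None, "spi": None, "state": None,
                       "bytes": 0, "allocated": 0}
                sas.append(cur)
            else:
                cur = None
            continue
        if cur is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.groups()
        m = SA_STATE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = SA_BYTES.match(line)
        if m:
            cur["bytes"] = int(m.group(1))
        m = SA_ALLOC.match(line)
        if m:
            cur["allocated"] = int(m.group(1))
    return sas


def idle_sas(sas):
    """Mature SAs that have never carried a packet: the SA is up, the traffic is not in it."""
    return [sa for sa in sas
            if sa["state"] == "mature" and sa["bytes"] == 0 and sa["allocated"] == 0]


def report(text):
    """One line per idle SA, for a quick sanity check after loading policy."""
    return [f"{sa['src']} -> {sa['dst']} {sa['proto']}/{sa['mode']} spi={sa['spi']}: "
            "no traffic has used this SA" for sa in idle_sas(parse_sad(text))]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it as `setkey -D | python3 idle_sas.py` (assumed file name) after sending a few pings across the tunnel: an SA that is still idle after test traffic means the SPD is not selecting that traffic, and the next thing to look at is the policy selectors and tunnel endpoints on the sending side rather than the keys.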
Sylvain BERTRAND
2005-Apr-29 15:07 UTC
Re: 26sec kame ipsec tunnel : packets leave unencrypted...
I've been looking around (kerneltrap, spenneberg) and it looks like ipsec
is broken for 2.6.11... that might be a good explanation for my unsolvable
problem ;)

Sylvain
hi sylvain,

yes it would!

cheers

charles

On Fri, 2005-04-29 at 17:07 +0200, Sylvain BERTRAND wrote:
> I've been looking around (kerneltrap, spenneberg) and it looks like ipsec
> is broken for 2.6.11... that might be a good explanation for my unsolvable
> problem ;)
>
> Sylvain