[LARTC] 26sec kame ipsec tunnel : packets leave unencrypted...
lartc
lartc at manchotnetworks.net
Fri Apr 29 09:39:20 CEST 2005
hi sylvain,
yea -- i'm a little lost here as well.
it appears that you have a tunnel and policy, therefore, i too am a bit
confused. counters reflect 0 in setkey -D ... traffic is not using the
tunnel.
if i were you, i would start with a simple tunnel (psk) and watch what
happens on each side with racoon -F -d -- make small changes each time
and work back towards your current config.
you could also post to ralf spenneberg's site -- he's quite the whiz
http://www.spenneberg.com
cheers & good luck
charles
On Thu, 2005-04-28 at 15:55 +0200, Sylvain BERTRAND wrote:
> Here's the output:
>
> black:~# setkey -D
> 62.212.109.16 82.234.240.117
> esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
> E: 3des-cbc ******** ******** ******** ******** ******** ********
> A: hmac-md5 ******** ******** ******** ********
> seq=0x00000000 replay=0 flags=0x00000000 state=mature
> created: Apr 28 14:14:23 2005 current: Apr 28 15:53:54 2005
> diff: 5971(s) hard: 0(s) soft: 0(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=1 pid=8747 refcnt=0
> 82.234.240.117 62.212.109.16
> esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
> E: 3des-cbc ******** ******** ******** ******** ******** ********
> A: hmac-md5 ******** ******** ******** ********
> seq=0x00000000 replay=0 flags=0x00000000 state=mature
> created: Apr 28 14:14:23 2005 current: Apr 28 15:53:54 2005
> diff: 5971(s) hard: 0(s) soft: 0(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=0 pid=8747 refcnt=0
> black:~#
>
>
>
> Thank you for your help
>
> Sylvain
>
>
> > On Thu 28 April 2005 15:44, lartc wrote:
> > hi sylvain,
> >
> > what does "setkey -D" say?
> >
> > cheers
> >
> > charles
> >
> > On Thu, 2005-04-28 at 10:16 +0200, Sylvain BERTRAND wrote:
> >> On Thu 28 April 2005 9:50, lartc wrote:
> >> > hi sylvain,
> >> >
> >> > to do your vpn, you'll need a little bit more policy (if you want to set
> >> > your policy manually). here's an example shell script to set policy:
> >> >
> >> >
> >> >
> >> > #!/sbin/setkey -f
> >> > flush;
> >> > spdflush;
> >> >
> >> > # ======ESP======
> >> > # | |
> >> > #Network Left --- Gateway Left --- Gateway Right --- Network Right
> >> >
> >> >
> >> > # ----- Gateway Left
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P out ipsec
> >> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P in ipsec
> >> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P fwd ipsec
> >> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > # ----- Gateway Right
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P out ipsec
> >> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P in ipsec
> >> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P fwd ipsec
> >> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> >
> >> > # left side is then:
> >> >
> >> > spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
> >> > esp/tunnel/62.212.109.16-82.234.240.117/require;
> >> >
> >> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
> >> > esp/tunnel/82.234.240.117-62.212.109.16/require;
> >> >
> >> > # forwarded traffic on a gateway needs its own policy (fwd, not a second in)
> >> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P fwd ipsec
> >> > esp/tunnel/82.234.240.117-62.212.109.16/require;
> >> >
> >> > #EOF
> >> >
> >> > check "man racoon.conf" and look at "generate_policy" and "passive"
> >> >
> >> > these options allow you to have one side of your vpn set as passive and
> >> > will build its policy based on the other side's request.
> >> >
> >> > cheers
> >> >
> >> > charles shick
> >> >
> >>
> >>
> >>
> >> This is exactly what I did (except for the spdadd fw which is done
> >> automatically). I did not include the whole script in my original mail,
> >> but this really is what I did (below is my /etc/ipsec.conf file on
> >> 192.168.0.95).
> >>
> >> I just don't get why packets leave unencrypted...
> >>
> >> Regards,
> >>
> >> Sylvain
> >>
> >>
> >>
> >>
> >> #!/usr/bin/setkey -f
> >>
> >> # ipsec.conf
> >>
> >>
> >> flush;
> >> spdflush;
> >>
> >> # SAs (statements end at ';', so they may span lines without a backslash)
> >> add 62.212.109.16 82.234.240.117 esp 0x201 -m tunnel -E 3des-cbc
> >> 0x**** -A hmac-md5 0x****;
> >>
> >> add 82.234.240.117 62.212.109.16 esp 0x301 -m tunnel -E 3des-cbc
> >> 0x**** -A hmac-md5 0x****;
> >>
> >> # policies: tunnel endpoints must match the SA src-dst order above
> >> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
> >> esp/tunnel/62.212.109.16-82.234.240.117/require;
> >>
> >> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
> >> esp/tunnel/82.234.240.117-62.212.109.16/require;
> >>
> >>
> >>
> >>
> >
> >
>
>
>
>
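The diagnosis in this thread hangs on one observation: both SAs are mature, yet `setkey -D` reports 0 bytes on each, so the SPD never steered traffic into the tunnel. The following is an added example, not part of the thread or of ipsec-tools: a Python checker that parses `setkey -D` output and spdadd statements, pairs each tunnel policy with its SA by endpoint addresses, and reports policies whose SA is missing, not a mature tunnel SA, or has never carried a byte. The SAD and SPD samples are constructed (one endpoint changed to .118 to show the missing-SA case), with detail lines tab-indented as setkey prints them.

```python
import re
# Constructed sample shaped like the "setkey -D" output quoted in the thread
# (detail lines tab-indented as setkey prints them; key material omitted).
SETKEY_D = """\
62.212.109.16 82.234.240.117
	esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	current: 1480(bytes) hard: 0(bytes) soft: 0(bytes)
82.234.240.117 62.212.109.16
	esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""
# Constructed SPD in spdadd syntax; the fwd entry names a peer that has no SA.
SPD = """\
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
	esp/tunnel/82.234.240.117-62.212.109.16/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
	esp/tunnel/62.212.109.16-82.234.240.117/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P fwd ipsec
	esp/tunnel/62.212.109.16-82.234.240.118/require;
"""
POLICY_RE = re.compile(r"spdadd (\S+) (\S+) \S+ -P (\w+) ipsec esp/tunnel/([\d.]+)-([\d.]+)/(\w+)")
def parse_sad(text):
    """Map (src, dst) -> {mode, state, bytes} from setkey -D output."""
    sas, cur = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():           # unindented "src dst" opens an SA
            src, dst = line.split()[:2]
            cur = sas[(src, dst)] = {"mode": None, "state": None, "bytes": 0}
        elif cur is not None:
            cur.update(re.findall(r"\b(mode|state)=(\w+)", line))
            m = re.match(r"\s*current: (\d+)\(bytes\)", line)
            if m:
                cur["bytes"] = int(m.group(1))
    return sas

def check_policies(spd_text, sas):
    """Explain, per tunnel policy, why matching traffic would not be protected."""
    findings = []
    for m in POLICY_RE.finditer(" ".join(spd_text.split())):  # join continued lines
        src, dst, direction, a, b, level = m.groups()
        sa = sas.get((a, b))
        if sa is None:
            findings.append(f"{direction} {src}->{dst}: no SA {a}->{b} ({level})")
        elif sa["mode"] != "tunnel" or sa["state"] != "mature":
            findings.append(f"{direction} {src}->{dst}: SA {a}->{b} not a mature tunnel SA")
        elif sa["bytes"] == 0:
            findings.append(f"{direction} {src}->{dst}: SA {a}->{b} present but 0 bytes used")
    return findings
```

On a live host the two inputs come from `setkey -D` and `setkey -DP` (or the ipsec.conf itself); a policy flagged with "0 bytes used" is exactly the state Sylvain reports, where the SA exists but nothing is selecting it.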