[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

John Elliot jj5 at jj5.net
Fri Jul 29 07:42:57 EST 2011 

On 29/07/2011 7:22 AM, Nigel Sheridan-Smith wrote:
> Can you ping?

Yes.

root at charity:~# ping hope.progclub.org.
PING hope.progclub.org (67.207.130.204) 56(84) bytes of data.
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=1 ttl=63 
time=0.632 ms
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=2 ttl=63 
time=0.667 ms
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=3 ttl=63 
time=0.691 ms

Watching tcpdump on hope at the same time:

21:35:54.167762 IP charity.progclub.org > hope: 
AH(spi=0x00000200,seq=0x6a): ESP(spi=0x00000201,seq=0x6a), length 88
21:35:54.167900 IP hope > charity.progclub.org: 
AH(spi=0x00000300,seq=0x45): ESP(spi=0x00000301,seq=0x45), length 88
21:35:55.169247 IP charity.progclub.org > hope: 
AH(spi=0x00000200,seq=0x6b): ESP(spi=0x00000201,seq=0x6b), length 88
21:35:55.169348 IP hope > charity.progclub.org: 
AH(spi=0x00000300,seq=0x46): ESP(spi=0x00000301,seq=0x46), length 88
21:35:56.170669 IP charity.progclub.org > hope: 
AH(spi=0x00000200,seq=0x6c): ESP(spi=0x00000201,seq=0x6c), length 88
21:35:56.170775 IP hope > charity.progclub.org: 
AH(spi=0x00000300,seq=0x47): ESP(spi=0x00000301,seq=0x47), length 88

ICMP echo seems to be being routed through IPSec, successfully.

> What are your configured routes?

root at charity:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
67.207.128.0    *               255.255.255.0   U     0      0        0 eth0
default         67.207.128.1    0.0.0.0         UG    100    0        0 eth0

root at hope:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
67.207.130.0    *               255.255.255.0   U     0      0        0 eth0
default         67.207.130.1    0.0.0.0         UG    100    0        0 eth0

> These [1,2] may be of use... in particular, netstat should indicate packet
> counts on each interface
>
> [1] http://www.netbsd.org/docs/network/ipsec/#pitfalls
> [2] http://ipsec-tools.sourceforge.net/checklist.html

Will read them in a minute.

> I would also temporarily disable IP Tables to see if an empty policy makes
> any difference, at least to rule that out.

root at charity:~# iptables -F
root at charity:~# iptables -L -v
Chain INPUT (policy ACCEPT 85 packets, 7996 bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
destination

Chain OUTPUT (policy ACCEPT 60 packets, 6304 bytes)
  pkts bytes target     prot opt in     out     source 
destination

Dropped IPTables configuration on Charity (IPTables is not configured on 
Hope), but I'm experiencing the same problem whereby I can't ssh to/from 
either machine. Tcpdump continues to display the IPSec packets during 
ssh connection attempts, but ssh "does nothing".

More information about the Progsoc mailing list