[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

John Elliot jj5 at jj5.net
Fri Jul 29 09:43:41 EST 2011 

On 29/07/2011 8:49 AM, Nigel Sheridan-Smith wrote:
> I'd do the following:
> - configure and test with ESP only

Works with ESP only.

Sample tcpdump:

23:40:09.896140 IP charity.progclub.org > hope: 
ESP(spi=0x00002694,seq=0x1), length 64
23:40:09.896274 IP hope > charity.progclub.org: 
ESP(spi=0x00002710,seq=0x1), length 64
23:40:09.896628 IP charity.progclub.org > hope: 
ESP(spi=0x00002694,seq=0x2), length 56
23:40:09.910394 IP hope > charity.progclub.org: 
ESP(spi=0x00002710,seq=0x2), length 96
23:40:09.910881 IP charity.progclub.org > hope: 
ESP(spi=0x00002694,seq=0x3), length 56
23:40:09.911085 IP charity.progclub.org > hope: 
ESP(spi=0x00002694,seq=0x4), length 96
23:40:09.911151 IP hope > charity.progclub.org: 
ESP(spi=0x00002710,seq=0x3), length 56

> - configure and test with AH only

Hangs.

Sample tcpdump:

23:37:17.863149 IP hope > charity.progclub.org: 
AH(spi=0x00002711,seq=0x9): ssh > 38192: Flags [P.], seq 40:824, ack 40,
  win 362, options [nop,nop,TS val 2250667 ecr 2582652], length 784 

23:37:24.284590 IP charity.progclub.org > hope: 
AH(spi=0x00002695,seq=0xb): 38192 > ssh: Flags [P.], seq 40:832, ack 40,
  win 365, options [nop,nop,TS val 2583978 ecr 2249983], length 792 

23:37:24.913201 IP hope > charity.progclub.org: 
AH(spi=0x00002711,seq=0xa): ssh > 38192: Flags [P.], seq 40:824, ack 40,
  win 362, options [nop,nop,TS val 2251372 ecr 2582652], length 784

> - combine the two

Hangs.

> It is also recommended to apply AH after ESP, not sure why. In your case,
> you have done AH first.

I think they're probably talking about applying AH after ESP in the 
spdadd, but I switched them for the SA's anyway.

> Configuration examples: host-to-host encryption+authentication
> (top<http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ>)
>
> If you configure secret keys for both AH and ESP, you can use both of them.
> IPsec document suggests to apply AH after ESP.
>
> #! /bin/sh
> #
> # packet will look like this: IPv4 AH ESP payload
> # the node is on 10.1.1.1, peer is on 20.1.1.1
> setkey -c<<EOF
> add 10.1.1.1 20.1.1.1 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
> add 20.1.1.1 10.1.1.1 esp 10000 -E 3des-cbc
> 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
> add 10.1.1.1 20.1.1.1 ah 9877 -A hmac-md5 "hogehogehogehoge";
> add 20.1.1.1 10.1.1.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
> spdadd 10.1.1.1 20.1.1.1 any -P out ipsec esp/transport//use ah/transport//use;
> EOF

That's pretty much the config I've been using all along... but it hangs 
after connection.

I think there must be some other piece of firewall-like software that is 
interfering with the connections... IPTables doesn't seem like it should 
be the culprit though, as its policy is ACCEPT for all. Is there some 
way I can totally disable IPTables though (rather than just having no 
rules with ACCEPT policy)?

More information about the Progsoc mailing list