[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts
John Elliot
jj5 at jj5.net
Fri Jul 29 09:43:41 EST 2011
On 29/07/2011 8:49 AM, Nigel Sheridan-Smith wrote:
> I'd do the following:
> - configure and test with ESP only
Works with ESP only.
Sample tcpdump:
23:40:09.896140 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x1), length 64
23:40:09.896274 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x1), length 64
23:40:09.896628 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x2), length 56
23:40:09.910394 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x2), length 96
23:40:09.910881 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x3), length 56
23:40:09.911085 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x4), length 96
23:40:09.911151 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x3), length 56
> - configure and test with AH only
Hangs.
Sample tcpdump:
23:37:17.863149 IP hope > charity.progclub.org: AH(spi=0x00002711,seq=0x9): ssh > 38192: Flags [P.], seq 40:824, ack 40, win 362, options [nop,nop,TS val 2250667 ecr 2582652], length 784
23:37:24.284590 IP charity.progclub.org > hope: AH(spi=0x00002695,seq=0xb): 38192 > ssh: Flags [P.], seq 40:832, ack 40, win 365, options [nop,nop,TS val 2583978 ecr 2249983], length 792
23:37:24.913201 IP hope > charity.progclub.org: AH(spi=0x00002711,seq=0xa): ssh > 38192: Flags [P.], seq 40:824, ack 40, win 362, options [nop,nop,TS val 2251372 ecr 2582652], length 784
> - combine the two
Hangs.
> It is also recommended to apply AH after ESP, not sure why. In your case,
> you have done AH first.
I think they're probably talking about applying AH after ESP in the
spdadd, but I switched them for the SAs anyway.
> Configuration examples: host-to-host encryption+authentication
> (<http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ>)
>
> If you configure secret keys for both AH and ESP, you can use both of them.
> The IPsec document suggests applying AH after ESP.
>
> #! /bin/sh
> #
> # packet will look like this: IPv4 AH ESP payload
> # the node is on 10.1.1.1, peer is on 20.1.1.1
> setkey -c<<EOF
> add 10.1.1.1 20.1.1.1 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
> add 20.1.1.1 10.1.1.1 esp 10000 -E 3des-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
> add 10.1.1.1 20.1.1.1 ah 9877 -A hmac-md5 "hogehogehogehoge";
> add 20.1.1.1 10.1.1.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
> spdadd 10.1.1.1 20.1.1.1 any -P out ipsec esp/transport//use ah/transport//use;
> EOF
That's pretty much the config I've been using all along... but it hangs
after connection.
I think there must be some other piece of firewall-like software that is
interfering with the connections... IPTables doesn't seem like it should
be the culprit though, as its policy is ACCEPT for all. Is there some
way I can totally disable IPTables though (rather than just having no
rules with ACCEPT policy)?
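The AH dump above already carries a useful clue: hope sends TCP bytes 40:824 at 23:37:17 and again at 23:37:24, and both sides' ack numbers sit at 40, so the small initial segments got through but the first large segment in each direction is never acknowledged. The following is an added example, not code from the thread: a small parser for tcpdump lines of this shape that reports IPsec sequence gaps per SPI, inner TCP segments that were retransmitted, how far each side's ack advanced, and a rough outer packet size to compare with the path MTU. The sample input is the post's own tcpdump output re-joined onto one line per packet; the 24-byte AH header size assumes a 96-bit ICV (hmac-md5 or hmac-sha1, as in the quoted setkey config), and the 32-byte TCP header assumes the nop,nop,TS options shown in the dump.

```python
"""Check tcpdump output of AH/ESP traffic for lost or unacknowledged packets.

Added example, not part of the original thread. Sample input is the AH and
ESP tcpdump output quoted in the post, one packet per line.
"""
import re
from collections import Counter, defaultdict

AH_DUMP = """\
23:37:17.863149 IP hope > charity.progclub.org: AH(spi=0x00002711,seq=0x9): ssh > 38192: Flags [P.], seq 40:824, ack 40, win 362, options [nop,nop,TS val 2250667 ecr 2582652], length 784
23:37:24.284590 IP charity.progclub.org > hope: AH(spi=0x00002695,seq=0xb): 38192 > ssh: Flags [P.], seq 40:832, ack 40, win 365, options [nop,nop,TS val 2583978 ecr 2249983], length 792
23:37:24.913201 IP hope > charity.progclub.org: AH(spi=0x00002711,seq=0xa): ssh > 38192: Flags [P.], seq 40:824, ack 40, win 362, options [nop,nop,TS val 2251372 ecr 2582652], length 784
"""

ESP_DUMP = """\
23:40:09.896140 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x1), length 64
23:40:09.896274 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x1), length 64
23:40:09.896628 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x2), length 56
23:40:09.910394 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x2), length 96
23:40:09.910881 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x3), length 56
23:40:09.911085 IP charity.progclub.org > hope: ESP(spi=0x00002694,seq=0x4), length 96
23:40:09.911151 IP hope > charity.progclub.org: ESP(spi=0x00002710,seq=0x3), length 56
"""

OUTER = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<proto>AH|ESP)\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)(?P<rest>.*)$"
)
# AH leaves the TCP header in the clear, so tcpdump decodes it; ESP does not.
INNER_TCP = re.compile(
    r"(?P<sport>\S+) > (?P<dport>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq_lo>\d+):(?P<seq_hi>\d+), ack (?P<ack>\d+)"
)
IPV4_HDR = 20
AH_HMAC96 = 12 + 12  # AH fixed header + 96-bit ICV (assumed: hmac-md5/hmac-sha1 as in the quoted config)


def parse(dump):
    """One dict per packet: src, dst, proto, spi, seq, length and, for AH, the inner TCP fields."""
    packets = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OUTER.match(line)
        if not m:
            raise ValueError("not an AH/ESP record: %r" % line)
        pkt = m.groupdict()
        rest = pkt.pop("rest")
        pkt["spi"] = int(pkt["spi"], 16)
        pkt["seq"] = int(pkt["seq"], 16)
        pkt["length"] = int(re.search(r"length (\d+)", rest).group(1))
        tcp = INNER_TCP.search(rest)
        if tcp:
            pkt["tcp"] = {k: (int(v) if v.isdigit() else v) for k, v in tcp.groupdict().items()}
        packets.append(pkt)
    return packets


def sequence_gaps(packets):
    """Per SPI, IPsec sequence numbers missing between consecutive captured packets.
    Captured at the sender a gap means tcpdump dropped packets; at the receiver, packets never arrived."""
    by_spi = defaultdict(list)
    for p in packets:
        by_spi[p["spi"]].append(p["seq"])
    gaps = {}
    for spi, seqs in by_spi.items():
        missing = [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]
        if missing:
            gaps[spi] = missing
    return gaps


def tcp_retransmissions(packets):
    """TCP byte ranges (per direction) carried by more than one AH packet. A segment sent
    again was never acknowledged: the peer's TCP stack did not get the first copy, even
    though it left this host inside a well-formed AH packet."""
    counts = Counter(
        (p["src"], p["dst"], p["tcp"]["seq_lo"], p["tcp"]["seq_hi"])
        for p in packets if "tcp" in p
    )
    return {key: n for key, n in counts.items() if n > 1}


def ack_progress(packets):
    """Per direction, the distinct ack numbers seen; a value that never moves shows where the stream stalled."""
    acks = defaultdict(set)
    for p in packets:
        if "tcp" in p:
            acks[(p["src"], p["dst"])].add(p["tcp"]["ack"])
    return {k: sorted(v) for k, v in acks.items()}


def estimated_outer_length(pkt, tcp_header_len=32, ah_len=AH_HMAC96):
    """Rough IPv4 total length of an AH transport-mode packet, for comparison with the path MTU.
    tcpdump's TCP 'length' is payload only; tcp_header_len assumes 20 bytes + 12 bytes of nop,nop,TS."""
    if "tcp" not in pkt:
        raise ValueError("needs a decoded TCP header (AH packet)")
    return IPV4_HDR + ah_len + tcp_header_len + pkt["length"]


if __name__ == "__main__":
    for name, dump in (("AH", AH_DUMP), ("ESP", ESP_DUMP)):
        pkts = parse(dump)
        print(name, "packets:", len(pkts), "gaps:", sequence_gaps(pkts))
        print("  retransmitted:", tcp_retransmissions(pkts), "acks:", ack_progress(pkts))
        for p in pkts:
            if "tcp" in p:
                print("  ~%d bytes on the wire %s -> %s" % (estimated_outer_length(p), p["src"], p["dst"]))
```

Run on the post's AH dump it reports no sequence gaps, one retransmitted segment (hope to charity, bytes 40:824), both acks stuck at 40, and an estimated 860-byte outer packet, well under a 1500-byte Ethernet MTU, which argues against plain fragmentation trouble; run on the ESP dump it reports nothing unusual. Capturing on both hosts at once and comparing the gap reports tells you whether the AH packets are lost in transit or accepted on the wire and then dropped by the receiver.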