[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts
John Elliot
jj5 at jj5.net
Fri Jul 29 08:36:40 EST 2011
On 29/07/2011 8:25 AM, Nigel Sheridan-Smith wrote:
> Okay I'm probably confusing you more... you are using transport mode, not
> tunnel mode. Tunnel mode is likely to introduce new network interfaces and
> alter the route table, whereas transport mode probably doesn't need this
> since the decision would be made in the kernel.
OK.
> I don't think the transport is working, because you should see unencrypted
> packets in tcpdump on each end.
I don't think that's correct. For instance in the link you reference
below the data is shown as encrypted packets in tcpdump.
> This page below has a bit more detail, although still no specifics on
> diagnosis.
>
> http://lartc.org/howto/lartc.ipsec.html#LARTC.IPSEC.INTRO
I found and read that link in my travels while trying to diagnose this
problem last night.
Here's the output from the diagnostics utility it mentions. I've checked
and double-checked my SA/SP configurations, and I'm pretty sure they're
correct (although obviously something is wrong -- somewhere).
root@charity:~# setkey -D
67.207.130.204 67.207.128.184
    esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
    E: 3des-cbc f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 16:21:55 2011 current: Jul 28 22:32:12 2011
    diff: 22217(s) hard: 0(s) soft: 0(s)
    last: Jul 28 16:24:53 2011 hard: 0(s) soft: 0(s)
    current: 2578(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 54 hard: 0 soft: 0
    sadb_seq=1 pid=3498 refcnt=0
67.207.128.184 67.207.130.204
    esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
    E: 3des-cbc a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 16:21:55 2011 current: Jul 28 22:32:12 2011
    diff: 22217(s) hard: 0(s) soft: 0(s)
    last: Jul 28 16:24:53 2011 hard: 0(s) soft: 0(s)
    current: 92742(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 155 hard: 0 soft: 0
    sadb_seq=2 pid=3498 refcnt=0
67.207.130.204 67.207.128.184
    ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
    A: hmac-md5 de8ba4d9 45acbe6e 85db0978 b0c30184
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 16:21:55 2011 current: Jul 28 22:32:12 2011
    diff: 22217(s) hard: 0(s) soft: 0(s)
    last: Jul 28 16:24:53 2011 hard: 0(s) soft: 0(s)
    current: 3840(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 54 hard: 0 soft: 0
    sadb_seq=3 pid=3498 refcnt=0
67.207.128.184 67.207.130.204
    ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
    A: hmac-md5 18caf1d5 d5829747 1cd63a21 fd02adb6
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 16:21:55 2011 current: Jul 28 22:32:12 2011
    diff: 22217(s) hard: 0(s) soft: 0(s)
    last: Jul 28 16:24:53 2011 hard: 0(s) soft: 0(s)
    current: 96368(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 155 hard: 0 soft: 0
    sadb_seq=0 pid=3498 refcnt=0
root@charity:~# setkey -DP
67.207.130.204[any] 67.207.128.184[any] any
    fwd prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 16:21:55 2011 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=18 seq=1 pid=3499
    refcnt=1
67.207.130.204[any] 67.207.128.184[any] any
    in prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 16:21:55 2011 lastused: Jul 28 22:20:25 2011
    lifetime: 0(s) validtime: 0(s)
    spid=8 seq=2 pid=3499
    refcnt=1
67.207.128.184[any] 67.207.130.204[any] any
    out prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 16:21:55 2011 lastused: Jul 28 22:20:25 2011
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=0 pid=3499
    refcnt=2
root@hope:~# setkey -D
67.207.129.103 67.207.130.204
    esp mode=transport spi=1281(0x00000501) reqid=0(0x00000000)
    E: 3des-cbc f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=2769 refcnt=0
67.207.130.204 67.207.129.103
    esp mode=transport spi=1025(0x00000401) reqid=0(0x00000000)
    E: 3des-cbc a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=2769 refcnt=0
67.207.129.103 67.207.130.204
    ah mode=transport spi=1280(0x00000500) reqid=0(0x00000000)
    A: hmac-md5 de8ba4d9 45acbe6e 85db0978 b0c30184
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=2769 refcnt=0
67.207.130.204 67.207.129.103
    ah mode=transport spi=1024(0x00000400) reqid=0(0x00000000)
    A: hmac-md5 18caf1d5 d5829747 1cd63a21 fd02adb6
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=4 pid=2769 refcnt=0
67.207.130.204 67.207.128.184
    esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
    E: 3des-cbc f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: Jul 28 18:25:16 2011 hard: 0(s) soft: 0(s)
    current: 57180(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 111 hard: 0 soft: 0
    sadb_seq=5 pid=2769 refcnt=0
67.207.128.184 67.207.130.204
    esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
    E: 3des-cbc a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: Jul 28 18:25:16 2011 hard: 0(s) soft: 0(s)
    current: 2026(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 43 hard: 0 soft: 0
    sadb_seq=6 pid=2769 refcnt=0
67.207.130.204 67.207.128.184
    ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
    A: hmac-md5 de8ba4d9 45acbe6e 85db0978 b0c30184
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: Jul 28 18:25:16 2011 hard: 0(s) soft: 0(s)
    current: 59792(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 111 hard: 0 soft: 0
    sadb_seq=7 pid=2769 refcnt=0
67.207.128.184 67.207.130.204
    ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
    A: hmac-md5 18caf1d5 d5829747 1cd63a21 fd02adb6
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Jul 28 18:16:51 2011 current: Jul 28 22:34:39 2011
    diff: 15468(s) hard: 0(s) soft: 0(s)
    last: Jul 28 18:25:16 2011 hard: 0(s) soft: 0(s)
    current: 3032(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 43 hard: 0 soft: 0
    sadb_seq=0 pid=2769 refcnt=0
root@hope:~# setkey -DP
67.207.129.103[any] 67.207.130.204[any] any
    fwd prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=186 seq=1 pid=2770
    refcnt=1
67.207.129.103[any] 67.207.130.204[any] any
    in prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=176 seq=2 pid=2770
    refcnt=1
67.207.130.204[any] 67.207.129.103[any] any
    out prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=169 seq=3 pid=2770
    refcnt=1
67.207.130.204[any] 67.207.128.184[any] any
    out prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused: Jul 28 22:20:24 2011
    lifetime: 0(s) validtime: 0(s)
    spid=161 seq=4 pid=2770
    refcnt=3
67.207.128.184[any] 67.207.130.204[any] any
    fwd prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=154 seq=5 pid=2770
    refcnt=1
67.207.128.184[any] 67.207.130.204[any] any
    in prio def ipsec
    esp/transport//require
    ah/transport//require
    created: Jul 28 18:16:51 2011 lastused: Jul 28 22:20:24 2011
    lifetime: 0(s) validtime: 0(s)
    spid=144 seq=0 pid=2770
    refcnt=1
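Added example, not part of the thread: a Python script that parses `setkey -D` dumps taken on both peers and cross-checks them. For every SA it confirms that SPI, mode and key material agree on both hosts (keys are compared, never printed), and it compares the byte counter on the emitting host with the counter the receiving host shows for the same SA, since a receiver only counts packets it actually accepted. The sample dumps are constructed from the SPIs and counters above with placeholder keys, and the `ratio` threshold is an assumption.

```python
import re
# Constructed `setkey -D` samples: SPIs and byte counters as charity and hope show
# above, 3DES keys replaced by placeholders; HOPE differs only in its counters.
CHARITY = """\
67.207.130.204 67.207.128.184
    esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
    E: 3des-cbc 00000000 00000000 00000000 00000000 00000000 00000000
    current: 2578(bytes) hard: 0(bytes) soft: 0(bytes)
67.207.128.184 67.207.130.204
    esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
    E: 3des-cbc 11111111 11111111 11111111 11111111 11111111 11111111
    current: 92742(bytes) hard: 0(bytes) soft: 0(bytes)
"""
HOPE = CHARITY.replace("2578(bytes)", "57180(bytes)").replace("92742(bytes)", "2026(bytes)")
HDR = re.compile(r"^(\d[\d.]+) (\d[\d.]+)$")        # "src dst" line opening each SA
SA = re.compile(r"^(esp|ah) mode=(\w+) spi=(\d+)")
def parse_setkey_d(text):
    """Map (src, dst, proto) -> {spi, mode, E, A, bytes} from `setkey -D` output."""
    sas, src, dst, cur = {}, None, None, None
    for line in (ln.strip() for ln in text.splitlines()):   # indentation irrelevant
        if h := HDR.match(line):
            src, dst = h.groups()
        elif s := SA.match(line):
            cur = {"spi": int(s[3]), "mode": s[2], "bytes": 0}
            sas[(src, dst, s[1])] = cur
        elif cur and line[:3] in ("E: ", "A: "):            # algorithm + key words
            parts = line.split()
            cur[line[0]] = (parts[1], "".join(parts[2:]))
        elif cur and line.startswith("current:") and "(bytes)" in line:
            cur["bytes"] = int(re.match(r"current: (\d+)", line)[1])
    return sas
def cross_check(host_a, dump_a, dump_b, ratio=0.5):
    """dump_a was taken on host_a, dump_b on its peer; returns findings, never keys."""
    a, b = parse_setkey_d(dump_a), parse_setkey_d(dump_b)
    findings = []
    for src, dst, proto in sorted(set(a) | set(b)):
        k, tag = (src, dst, proto), f"{proto} {src}->{dst}"
        if k not in a or k not in b:
            findings.append(f"{tag}: SA present on one peer only")
            continue
        for field in ("spi", "mode", "E", "A"):
            if a[k].get(field) != b[k].get(field):
                findings.append(f"{tag}: {field} differs between peers")
        # Sender counts what it emitted, receiver only what it accepted: a gap is loss.
        out_side, in_side = (a, b) if src == host_a else (b, a)
        sent, got = out_side[k]["bytes"], in_side[k]["bytes"]
        if sent and got < sent * ratio:
            findings.append(f"{tag}: {sent} bytes sent, only {got} accepted by peer")
    return findings
```

Run it against `setkey -D` output captured on each host; an SA that is "present on one peer only" or whose counters diverge points at where the packets stop, without touching tcpdump.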