[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts

John Elliot jj5 at jj5.net
Fri Jul 29 08:36:40 EST 2011


On 29/07/2011 8:25 AM, Nigel Sheridan-Smith wrote:
> Okay I'm probably confusing you more... you are using transport mode, not
> tunnel mode. Tunnel mode is likely to introduce new network interfaces and
> alter the route table, whereas transport mode probably doesn't need this
> since the decision would be made in the kernel.

OK.

> I don't think the transport is working, because you should see unencrypted
> packets in tcpdump on each end.

I don't think that's correct. For instance, in the link you reference 
below, the data is shown as encrypted packets in tcpdump.

> This page below has a bit more detail, although still no specifics on
> diagnosis.
>
> http://lartc.org/howto/lartc.ipsec.html#LARTC.IPSEC.INTRO

I found and read that link in my travels while trying to diagnose this 
problem last night.

Here's the output from the diagnostics utility it mentions. I've checked 
and double-checked my SA/SP configurations, and I'm pretty sure they're 
correct (although obviously something is wrong -- somewhere).

root at charity:~# setkey -D
67.207.130.204 67.207.128.184
         esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
         E: 3des-cbc  f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 16:21:55 2011   current: Jul 28 22:32:12 2011
         diff: 22217(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 16:24:53 2011      hard: 0(s)      soft: 0(s)
         current: 2578(bytes)    hard: 0(bytes)  soft: 0(bytes)
         allocated: 54   hard: 0 soft: 0
         sadb_seq=1 pid=3498 refcnt=0
67.207.128.184 67.207.130.204
         esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
         E: 3des-cbc  a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 16:21:55 2011   current: Jul 28 22:32:12 2011
         diff: 22217(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 16:24:53 2011      hard: 0(s)      soft: 0(s)
         current: 92742(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 155  hard: 0 soft: 0
         sadb_seq=2 pid=3498 refcnt=0
67.207.130.204 67.207.128.184
         ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
         A: hmac-md5  de8ba4d9 45acbe6e 85db0978 b0c30184
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 16:21:55 2011   current: Jul 28 22:32:12 2011
         diff: 22217(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 16:24:53 2011      hard: 0(s)      soft: 0(s)
         current: 3840(bytes)    hard: 0(bytes)  soft: 0(bytes)
         allocated: 54   hard: 0 soft: 0
         sadb_seq=3 pid=3498 refcnt=0
67.207.128.184 67.207.130.204
         ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
         A: hmac-md5  18caf1d5 d5829747 1cd63a21 fd02adb6
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 16:21:55 2011   current: Jul 28 22:32:12 2011
         diff: 22217(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 16:24:53 2011      hard: 0(s)      soft: 0(s)
         current: 96368(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 155  hard: 0 soft: 0
         sadb_seq=0 pid=3498 refcnt=0
root at charity:~# setkey -DP
67.207.130.204[any] 67.207.128.184[any] any
         fwd prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 16:21:55 2011  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=18 seq=1 pid=3499
         refcnt=1
67.207.130.204[any] 67.207.128.184[any] any
         in prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 16:21:55 2011  lastused: Jul 28 22:20:25 2011
         lifetime: 0(s) validtime: 0(s)
         spid=8 seq=2 pid=3499
         refcnt=1
67.207.128.184[any] 67.207.130.204[any] any
         out prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 16:21:55 2011  lastused: Jul 28 22:20:25 2011
         lifetime: 0(s) validtime: 0(s)
         spid=1 seq=0 pid=3499
         refcnt=2

root at hope:~# setkey -D
67.207.129.103 67.207.130.204
         esp mode=transport spi=1281(0x00000501) reqid=0(0x00000000)
         E: 3des-cbc  f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=1 pid=2769 refcnt=0
67.207.130.204 67.207.129.103
         esp mode=transport spi=1025(0x00000401) reqid=0(0x00000000)
         E: 3des-cbc  a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=2 pid=2769 refcnt=0
67.207.129.103 67.207.130.204
         ah mode=transport spi=1280(0x00000500) reqid=0(0x00000000)
         A: hmac-md5  de8ba4d9 45acbe6e 85db0978 b0c30184
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=3 pid=2769 refcnt=0
67.207.130.204 67.207.129.103
         ah mode=transport spi=1024(0x00000400) reqid=0(0x00000000)
         A: hmac-md5  18caf1d5 d5829747 1cd63a21 fd02adb6
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=4 pid=2769 refcnt=0
67.207.130.204 67.207.128.184
         esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
         E: 3des-cbc  f51e36bb 66400726 12366e13 4b5919f6 0f5a0af2 2fefa7fb
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 18:25:16 2011      hard: 0(s)      soft: 0(s)
         current: 57180(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 111  hard: 0 soft: 0
         sadb_seq=5 pid=2769 refcnt=0
67.207.128.184 67.207.130.204
         esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
         E: 3des-cbc  a3f3baea ff7ad1cc 3c00df7a d4b2bd26 e4af4a70 3308431b
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 18:25:16 2011      hard: 0(s)      soft: 0(s)
         current: 2026(bytes)    hard: 0(bytes)  soft: 0(bytes)
         allocated: 43   hard: 0 soft: 0
         sadb_seq=6 pid=2769 refcnt=0
67.207.130.204 67.207.128.184
         ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
         A: hmac-md5  de8ba4d9 45acbe6e 85db0978 b0c30184
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 18:25:16 2011      hard: 0(s)      soft: 0(s)
         current: 59792(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 111  hard: 0 soft: 0
         sadb_seq=7 pid=2769 refcnt=0
67.207.128.184 67.207.130.204
         ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
         A: hmac-md5  18caf1d5 d5829747 1cd63a21 fd02adb6
         seq=0x00000000 replay=0 flags=0x00000000 state=mature
         created: Jul 28 18:16:51 2011   current: Jul 28 22:34:39 2011
         diff: 15468(s)  hard: 0(s)      soft: 0(s)
         last: Jul 28 18:25:16 2011      hard: 0(s)      soft: 0(s)
         current: 3032(bytes)    hard: 0(bytes)  soft: 0(bytes)
         allocated: 43   hard: 0 soft: 0
         sadb_seq=0 pid=2769 refcnt=0
root at hope:~# setkey -DP
67.207.129.103[any] 67.207.130.204[any] any
         fwd prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=186 seq=1 pid=2770
         refcnt=1
67.207.129.103[any] 67.207.130.204[any] any
         in prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=176 seq=2 pid=2770
         refcnt=1
67.207.130.204[any] 67.207.129.103[any] any
         out prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=169 seq=3 pid=2770
         refcnt=1
67.207.130.204[any] 67.207.128.184[any] any
         out prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused: Jul 28 22:20:24 2011
         lifetime: 0(s) validtime: 0(s)
         spid=161 seq=4 pid=2770
         refcnt=3
67.207.128.184[any] 67.207.130.204[any] any
         fwd prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused:
         lifetime: 0(s) validtime: 0(s)
         spid=154 seq=5 pid=2770
         refcnt=1
67.207.128.184[any] 67.207.130.204[any] any
         in prio def ipsec
         esp/transport//require
         ah/transport//require
         created: Jul 28 18:16:51 2011  lastused: Jul 28 22:20:24 2011
         lifetime: 0(s) validtime: 0(s)
         spid=144 seq=0 pid=2770
         refcnt=1
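As an added diagnostic aid (not part of the original post or of ipsec-tools): a small parser for the `setkey -D` output above that lists SAs which have never carried a packet (the `allocated: 0` / `0(bytes)` entries hope shows for 67.207.129.103) and checks that both hosts hold the same SPI for each direction, which manual keying requires. The sample inputs are constructed, abbreviated copies of the output quoted above, with key material omitted.

```python
import re

# Constructed samples modelled on the `setkey -D` output quoted in the post, cut down to the fields read here.
SAD_HOPE = """\
67.207.129.103 67.207.130.204
         esp mode=transport spi=1281(0x00000501) reqid=0(0x00000000)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
67.207.130.204 67.207.128.184
         esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
         current: 57180(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 111  hard: 0 soft: 0
"""
SAD_CHARITY = """\
67.207.130.204 67.207.128.184
         esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
         current: 2578(bytes)    hard: 0(bytes)  soft: 0(bytes)
         allocated: 54   hard: 0 soft: 0
"""
PROTO = re.compile(r"^\s+(esp|ah) mode=(\w+) spi=(\d+)\(")
BYTES = re.compile(r"current: (\d+)\(bytes\)")   # ignores the 'current:' timestamp line
ALLOC = re.compile(r"allocated: (\d+)")

def parse_sad(text):
    """One dict per SA: endpoints, protocol, mode, SPI and traffic counters."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented "src dst" line starts an SA
            src, dst = line.split()
            sas.append({"src": src, "dst": dst, "bytes": 0, "allocated": 0})
        elif m := PROTO.match(line):
            sas[-1].update(proto=m[1], mode=m[2], spi=int(m[3]))
        elif m := BYTES.search(line):
            sas[-1]["bytes"] = int(m[1])
        elif m := ALLOC.search(line):
            sas[-1]["allocated"] = int(m[1])
    return sas

def idle_sas(sas):
    """SAs that never carried a packet: no SP selected them, or the peer never sent."""
    return [sa for sa in sas if sa["bytes"] == 0 and sa["allocated"] == 0]

def compare_sad(local, peer):
    """With manual keying both ends must hold the same SPI per (src, dst, proto)."""
    key = lambda sa: (sa["src"], sa["dst"], sa["proto"])
    peer_spi = {key(sa): sa["spi"] for sa in peer}
    return {key(sa): "no matching SA on peer" if key(sa) not in peer_spi
            else "SPI differs: %d vs %d" % (sa["spi"], peer_spi[key(sa)])
            for sa in local if peer_spi.get(key(sa)) != sa["spi"]}
```

Run it against `setkey -D` captured from each host; an SA that is idle on one end but busy on the other points at the SPD (`setkey -DP`) rather than the keys.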