Dear all,

Such a silly thing is not documented anywhere, not in the vpn(8) man page and not on the Internet.
I am forced to send this mail, though it is embarrassing, having worked on the internals of manual IPsec keying back in 2004. But well, here goes.

on peer A:

remoteip="173.167.82.52"
remotenet="10.1.23.0/24"

flow esp from 59.99.242.167 to $remoteip
flow esp from 192.168.1.0/24 to $remotenet peer $remoteip

esp from 59.99.242.167 to $remoteip spi 0xdeadbeef:0xbeefdead auth hmac-sha1 \
    authkey 0xeda8f06463b2d0fed008ccc474216dba8c463a7c:0x91c763de940ce1745215c84b7535269acaef516d \
    enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

on peer B:

localnet="192.168.0.0/16"
remoteip="59.99.242.167"

flow esp from 173.167.82.52 to 59.99.242.167
flow esp from 10.1.23.0/24 to 192.168.1.0/24 peer $remoteip

esp from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead:0xdeadbeef auth hmac-sha1 \
    authkey 0x91c763de940ce1745215c84b7535269acaef516d:0xeda8f06463b2d0fed008ccc474216dba8c463a7c \
    enckey 0xf7795f6bdd697a43a4d28dcf1b79062d:0xb341aa065c3850edd6a61e150d6a5fd3

It is a test. I don't care about the keys and IP addresses.
pf(4) is disabled on both sides, and here is the output of ipsecctl -sa on peer B:

# ipsecctl -sa -v
FLOWS:
flow esp in from 192.168.1.0/24 to 10.1.23.0/24 peer 59.99.242.167 type require
flow esp out from 10.1.23.0/24 to 192.168.1.0/24 peer 59.99.242.167 type require
flow esp in from 59.99.242.167 to 173.167.82.52 peer 59.99.242.167 type require
flow esp out from 173.167.82.52 to 59.99.242.167 peer 59.99.242.167 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
    sa: spi 0xbeefdead auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
    address_src: 173.167.82.52
    address_dst: 59.99.242.167
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
    sa: spi 0xdeadbeef auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
    address_src: 59.99.242.167
    address_dst: 173.167.82.52

And peer A:

# ipsecctl -sa -v
FLOWS:
flow esp in from 10.1.23.0/24 to 192.168.1.0/24 peer 173.167.82.52 type require
flow esp out from 192.168.1.0/24 to 10.1.23.0/24 peer 173.167.82.52 type require
flow esp in from 173.167.82.52 to 59.99.242.167 peer 173.167.82.52 type require
flow esp out from 59.99.242.167 to 173.167.82.52 peer 173.167.82.52 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
    sa: spi 0xbeefdead auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585275 first 0
    address_src: 173.167.82.52
    address_dst: 59.99.242.167
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
    sa: spi 0xdeadbeef auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 196 add 1333585275 first 1333585277
    address_src: 59.99.242.167
    address_dst: 173.167.82.52
    lifetime_lastuse: alloc 0 bytes 0 add 0 first 1333585277

I cannot ping between 192.168.1.50 and 10.1.23.2. What is going on?
-Girish -- G3 Tech Networking appliance company web: http://g3tech.in mail: gir...@g3tech.in
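Editor's note, added after the post and not part of Girish's mail or of OpenBSD's tools: the two `ipsecctl -sa -v` dumps above already localise the fault if the SAs are paired by SPI and their counters compared. The script below does that. Its sample input is the FLOWS and SAD text copied from the post (with the address lines dropped), and the `local_a` argument 59.99.242.167 is the gateway address from peer A's config; the function and variable names are my own. On the post's data it reports that peer A's SA 0xdeadbeef has processed 196 bytes while the same SPI on peer B has processed none, and that the two peers' flows are exact mirror images. So the pings are being encapsulated on A but never accepted by B's SA, which points the next check at the path between the two gateways (tcpdump on the external interface and on enc0 of each side) rather than at the flow configuration.

```python
"""Pair the SAs in two peers' `ipsecctl -sa -v` dumps by SPI and compare
byte counters, so a dead manually keyed tunnel can be localised to a direction."""
import re
from dataclasses import dataclass

# Constructed sample input: FLOWS and SAD sections copied from the two dumps above.
PEER_A = """\
FLOWS:
flow esp in from 10.1.23.0/24 to 192.168.1.0/24 peer 173.167.82.52 type require
flow esp out from 192.168.1.0/24 to 10.1.23.0/24 peer 173.167.82.52 type require
flow esp in from 173.167.82.52 to 59.99.242.167 peer 173.167.82.52 type require
flow esp out from 59.99.242.167 to 173.167.82.52 peer 173.167.82.52 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
    sa: spi 0xbeefdead auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585275 first 0
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
    sa: spi 0xdeadbeef auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 196 add 1333585275 first 1333585277
"""
PEER_B = """\
FLOWS:
flow esp in from 192.168.1.0/24 to 10.1.23.0/24 peer 59.99.242.167 type require
flow esp out from 10.1.23.0/24 to 192.168.1.0/24 peer 59.99.242.167 type require
flow esp in from 59.99.242.167 to 173.167.82.52 peer 59.99.242.167 type require
flow esp out from 173.167.82.52 to 59.99.242.167 peer 59.99.242.167 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
    sa: spi 0xbeefdead auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
    sa: spi 0xdeadbeef auth hmac-sha1 enc aes
        state mature replay 0 flags 4
    lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
"""

SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)", re.M)
BYTES_RE = re.compile(r"^\s*lifetime_cur: alloc \d+ bytes (\d+)", re.M)
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer", re.M)


@dataclass
class SA:
    src: str
    dst: str
    spi: int
    bytes: int  # lifetime_cur byte counter: traffic this SA has processed so far


def parse_sas(dump):
    """One SA per 'esp tunnel' header; its counter is the first lifetime_cur below it."""
    heads = list(SA_RE.finditer(dump))
    sas = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        counter = BYTES_RE.search(dump, m.end(), end)
        sas.append(SA(m.group(1), m.group(2), int(m.group(3), 16),
                      int(counter.group(1)) if counter else 0))
    return sas


def parse_flows(dump):
    """Set of (direction, src, dst) triples from the FLOWS section."""
    return set(FLOW_RE.findall(dump))


def flow_mismatches(flows_a, flows_b):
    """Each flow on A must exist on B with the direction flipped; return the odd ones out."""
    flipped = {("out" if d == "in" else "in", s, t) for d, s, t in flows_a}
    return sorted(flipped ^ flows_b)


def compare_counters(sas_a, sas_b, local_a):
    """Pair SAs by SPI. The side whose address is the SA's source is the sender,
    so 'sent' is the sender's counter and 'received' the other side's."""
    b_by_spi = {sa.spi: sa for sa in sas_b}
    report = {}
    for sa in sas_a:
        other = b_by_spi.get(sa.spi)
        if other is None:
            report[hex(sa.spi)] = {"error": "SA missing on peer B"}
            continue
        a_sends = sa.src == local_a
        report[hex(sa.spi)] = {
            "sender": "A" if a_sends else "B",
            "sent": sa.bytes if a_sends else other.bytes,
            "received": other.bytes if a_sends else sa.bytes,
        }
    return report


if __name__ == "__main__":
    for spi, r in compare_counters(parse_sas(PEER_A), parse_sas(PEER_B), "59.99.242.167").items():
        print(spi, r)
    print("flow mismatches:", flow_mismatches(parse_flows(PEER_A), parse_flows(PEER_B)))
```

To use it on live systems, replace the two constructed strings with the output of `ipsecctl -sa -v` captured on each gateway and pass the local address of the side you call A. A non-zero `sent` with zero `received` on one SPI, as here, means the sender is encrypting but the receiver's SA never processes the packets; zero on both sides means nothing was ever selected into the tunnel and the flows or routing are the first thing to check.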