Hi,

I'm trying to secure my wlan access point with ipsec.

Apparently I cannot match ipv6 esp traffic. This is on 4.4.

I built a simplified setup with qemu, ipsec-gw and ipsec-client:

----- ipsec-gw ----

[r...@ipsec-gw:~]# cat /etc/ipsec.conf
ike passive esp from 10.12.32.235 to 10.12.32.236
ike passive esp from 2001:db8::1 to 2001:db8::2

[r...@ipsec-gw:~]# cat /etc/pf.conf
pass log on enc0
block in log on em0
pass out log on em0
# allow link-local multicast for neighbor solicitation / neighbor advertisement
pass in on em0 proto icmp6 to FF02::/16
pass in on em0 proto tcp from any to em0 port ssh
pass in log on em0 proto udp from any to em0 port isakmp
pass in log on em0 proto esp from any to em0

[r...@ipsec-gw:~]# ipsecctl -s all
FLOWS:
flow esp in from 10.12.32.236 to 10.12.32.235 peer 10.12.32.236 srcid 10.12.32.235/32 dstid 10.12.32.236/32 type use
flow esp out from 10.12.32.235 to 10.12.32.236 peer 10.12.32.236 srcid 10.12.32.235/32 dstid 10.12.32.236/32 type require
flow esp in from 2001:db8::2 to 2001:db8::1 peer 2001:db8::2 srcid 2001:db8::1/128 dstid 2001:db8::2/128 type use
flow esp out from 2001:db8::1 to 2001:db8::2 peer 2001:db8::2 srcid 2001:db8::1/128 dstid 2001:db8::2/128 type require

SAD:
esp tunnel from 2001:db8::1 to 2001:db8::2 spi 0x20d8f195 auth hmac-sha2-256 enc aes
esp tunnel from 10.12.32.235 to 10.12.32.236 spi 0x6335527f auth hmac-sha2-256 enc aes
esp tunnel from 10.12.32.236 to 10.12.32.235 spi 0xa90135ff auth hmac-sha2-256 enc aes
esp tunnel from 2001:db8::2 to 2001:db8::1 spi 0xd9956a4e auth hmac-sha2-256 enc aes

----- ipsec-client ----

[r...@ipsec-client:~]# cat /etc/pf.conf
pass all

[r...@ipsec-client:~]# cat /etc/ipsec.conf
ike esp from 10.12.32.236 to 10.12.32.235
ike esp from 2001:db8::2 to 2001:db8::1

[r...@ipsec-client:~]# ipsecctl -s all
FLOWS:
flow esp in from 10.12.32.235 to 10.12.32.236 peer 10.12.32.235 srcid 10.12.32.236/32 dstid 10.12.32.235/32 type use
flow esp out from 10.12.32.236 to 10.12.32.235 peer 10.12.32.235 srcid 10.12.32.236/32 dstid 10.12.32.235/32 type require
flow esp in from 2001:db8::1 to 2001:db8::2 peer 2001:db8::1 srcid 2001:db8::2/128 dstid 2001:db8::1/128 type use
flow esp out from 2001:db8::2 to 2001:db8::1 peer 2001:db8::1 srcid 2001:db8::2/128 dstid 2001:db8::1/128 type require

SAD:
esp tunnel from 2001:db8::1 to 2001:db8::2 spi 0x20d8f195 auth hmac-sha2-256 enc aes
esp tunnel from 10.12.32.235 to 10.12.32.236 spi 0x6335527f auth hmac-sha2-256 enc aes
esp tunnel from 10.12.32.236 to 10.12.32.235 spi 0xa90135ff auth hmac-sha2-256 enc aes
esp tunnel from 2001:db8::2 to 2001:db8::1 spi 0xd9956a4e auth hmac-sha2-256 enc aes


-------------------------------------------------------------------------------

loaded rules:

[r...@ipsec-gw:~/pf]# pfctl -vv -s rules | egrep -v 'Evaluations|Inserted'
@0 pass log on enc0 all flags S/SA keep state
@1 block drop in log on em0 all
@2 pass out log on em0 all flags S/SA keep state
@3 pass in on em0 inet6 proto tcp from any to fe80::5652:ff:fe3d:e648 port = ssh flags S/SA keep state
@4 pass in on em0 inet6 proto tcp from any to 2001:db8::1 port = ssh flags S/SA keep state
@5 pass in on em0 inet6 proto ipv6-icmp from any to ff02::/16 keep state
@6 pass in on em0 inet proto tcp from any to 10.12.32.235 port = ssh flags S/SA keep state
@7 pass in log on em0 inet6 proto udp from any to fe80::5652:ff:fe3d:e648 port = isakmp keep state
@8 pass in log on em0 inet6 proto udp from any to 2001:db8::1 port = isakmp keep state
@9 pass in log on em0 inet6 proto esp from any to fe80::5652:ff:fe3d:e648 keep state
@10 pass in log on em0 inet6 proto esp from any to 2001:db8::1 keep state
@11 pass in log on em0 inet proto udp from any to 10.12.32.235 port = isakmp keep state
@12 pass in log on em0 inet proto esp from any to 10.12.32.235 keep state

===============================================================================

pinging ipv4 (this is working):

[r...@ipsec-client:~]# ping -c 1 ipsec-gw
PING ipsec-gw (10.12.32.235): 56 data bytes
64 bytes from 10.12.32.235: icmp_seq=0 ttl=255 time=0.950 ms
--- ipsec-gw ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.950/0.950/0.950/0.000 ms

[r...@ipsec-gw:~]# tcpdump -nlp -i em0 not port ssh
tcpdump: listening on em0, link-type EN10MB
16:33:44.585647 esp 10.12.32.236 > 10.12.32.235 spi 0xA90135FF seq 11 len 132
16:33:44.585955 esp 10.12.32.235 > 10.12.32.236 spi 0x6335527F seq 11 len 132


[r...@ipsec-gw:~]# tcpdump -nlp -i enc0 not port ssh
tcpdump: listening on enc0, link-type ENC
16:33:44.585838 (authentic,confidential): SPI 0xa90135ff: 10.12.32.236 > 10.12.32.235: icmp: echo request (encap)
16:33:44.585919 (authentic,confidential): SPI 0x6335527f: 10.12.32.235 > 10.12.32.236: icmp: echo reply (encap)

[r...@ipsec-gw:~]# tcpdump -nle -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
16:33:44.585715 rule 12/(match) pass in on em0: esp 10.12.32.236 > 10.12.32.235 spi 0xA90135FF seq 11 len 132
16:33:44.585854 rule 0/(match) pass in on enc0: [|ip] (encap)
16:33:44.585877 rule 0/(match) pass in on enc0: 10.12.32.236 > 10.12.32.235: icmp: echo request

===============================================================================

pinging ipv6 (this is not working):

[r...@ipsec-client:~]# ping6 -c 1 ipsec-gw
PING6(56=40+8+8 bytes) 2001:db8::2 --> 2001:db8::1

--- ipsec-gw ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss


[r...@ipsec-gw:~]# tcpdump -nlp -i em0 not port ssh
tcpdump: listening on em0, link-type EN10MB
16:35:31.317331 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 4 len 100
16:35:36.316415 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 5 len 116
16:35:37.316401 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 6 len 116
16:35:38.316426 esp 2001:db8::2 > 2001:db8::1 spi 0xD9956A4E seq 7 len 116


[r...@ipsec-gw:~]# tcpdump -nlp -i enc0 not port ssh
tcpdump: listening on enc0, link-type ENC
16:35:31.317520 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 > 2001:db8::1: 2001:db8::2 > 2001:db8::1: icmp6: echo request
16:35:36.316530 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 > 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]
16:35:37.316500 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 > 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]
16:35:38.316523 (authentic,confidential): SPI 0xd9956a4e: 2001:db8::2 > 2001:db8::1: 2001:db8::2 > 2001:db8::1: [|icmp6]

[r...@ipsec-gw:~]# tcpdump -nle -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
16:35:31.317408 rule 10/(match) pass in on em0: [|ip6]
16:35:31.317540 rule 1/(match) block in on em0: [|ip6]
16:35:36.316558 rule 1/(match) block in on em0: [|ip6]
16:35:37.316519 rule 1/(match) block in on em0: [|ip6]
16:35:38.316541 rule 1/(match) block in on em0: [|ip6]

Thank you for your time.

Florian

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: QEMU Virtual CPU version 0.9.1 ("AuthenticAMD" 686-class, 512KB L2 cache) 2.11 GHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 536375296 (511MB)
avail mem = 510218240 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/12/09, BIOS32 rev. 0 @ 0xfb4d0, SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version "QEMU" date 01/01/2007
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb820/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:01:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8c00 0xd0000/0x600!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
wd0: 16-sector PIO, LBA48, 10240MB, 20971520 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 0.9.> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 0
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 9
iic0 at piixpm0
iic0: addr 0x18 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
iic0: addr 0x1a 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00=0000 01=0000 02=0000 03=0000 04=0000 05=0000 06=0000 07=0000
spdmem0 at iic0 addr 0x50: no EEPROM found
spdmem1 at iic0 addr 0x51: no EEPROM found
spdmem2 at iic0 addr 0x52: no EEPROM found
spdmem3 at iic0 addr 0x53: no EEPROM found
spdmem4 at iic0 addr 0x54: no EEPROM found
spdmem5 at iic0 addr 0x55: no EEPROM found
spdmem6 at iic0 addr 0x56: no EEPROM found
spdmem7 at iic0 addr 0x57: no EEPROM found
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: irq 11, address 54:52:00:3d:e6:48
unknown vendor 0x1af4 product 0x1002 (class memory subclass RAM, rev 0x00) at pci0 dev 4 function 0 not configured
unknown vendor 0x1af4 product 0x1003 (class prehistoric unknown subclass 0xff, rev 0x00) at pci0 dev 5 function 0 not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
biomask e765 netmask ef65 ttymask ffff
mtrr: CPU supports MTRRs but not enabled
nvram: invalid checksum
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout
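The two pflog0 traces above differ in one detail that is easy to miss when reading them by hand: in the IPv4 case the decrypted inner packet is evaluated on enc0 and passed by rule 0, while in the IPv6 case every packet after the outer ESP match is evaluated on em0 and dropped by rule 1 (`block in log on em0`). The following script is an added diagnostic, not part of the original report or of OpenBSD; it tabulates `tcpdump -nle -i pflog0` output per rule and interface and flags any non-ESP event that was matched on a physical interface rather than enc0. The rule listing and log lines embedded below are copied from the post (wrapped lines rejoined), reduced to the four rules the traces reference; the heuristic that the inner packet "should" appear on enc0 is taken from the working IPv4 trace, and the script says nothing about why the IPv6 path behaves differently.

```python
"""Tabulate pflog matches by rule and interface on an IPsec gateway.

Added diagnostic, not from the original post. Rules and log lines below
are copied from the report; only the rules the traces reference are kept.
"""
import re
from collections import Counter

# Subset of `pfctl -vv -s rules` from the post (wrapped lines rejoined).
RULES_TEXT = """\
@0 pass log on enc0 all flags S/SA keep state
@1 block drop in log on em0 all
@10 pass in log on em0 inet6 proto esp from any to 2001:db8::1 keep state
@12 pass in log on em0 inet proto esp from any to 10.12.32.235 keep state
"""

# pflog0 trace of the working IPv4 ping (from the post).
PFLOG_V4 = """\
16:33:44.585715 rule 12/(match) pass in on em0: esp 10.12.32.236 > 10.12.32.235 spi 0xA90135FF seq 11 len 132
16:33:44.585854 rule 0/(match) pass in on enc0: [|ip] (encap)
16:33:44.585877 rule 0/(match) pass in on enc0: 10.12.32.236 > 10.12.32.235: icmp: echo request
"""

# pflog0 trace of the failing IPv6 ping (from the post).
PFLOG_V6 = """\
16:35:31.317408 rule 10/(match) pass in on em0: [|ip6]
16:35:31.317540 rule 1/(match) block in on em0: [|ip6]
16:35:36.316558 rule 1/(match) block in on em0: [|ip6]
16:35:37.316519 rule 1/(match) block in on em0: [|ip6]
16:35:38.316541 rule 1/(match) block in on em0: [|ip6]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.+)$")
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/\((?P<reason>\w+)\)\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s*(?P<payload>.*)$"
)


def parse_rules(text):
    """Map rule number -> rule text from a `pfctl -vv -s rules` listing."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def parse_pflog(text):
    """Parse `tcpdump -nle -i pflog0` lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def tally(events):
    """Count matches per (rule, action, direction, interface)."""
    return Counter((e["rule"], e["action"], e["dir"], e["iface"]) for e in events)


def inner_packets_off_enc(events, rules):
    """Return events that are not the outer ESP packet (their rule has no
    'proto esp') yet were evaluated on a non-enc interface. The working
    IPv4 trace shows the decrypted inner packet on enc0; a decrypted
    packet evaluated on em0 instead lands on `block in on em0`."""
    findings = []
    for e in events:
        rule_text = rules.get(e["rule"], "")
        if "proto esp" not in rule_text and not e["iface"].startswith("enc"):
            findings.append((e["ts"], e["rule"], e["action"], e["iface"], rule_text))
    return findings


def report(label, log_text, rules_text=RULES_TEXT):
    rules = parse_rules(rules_text)
    events = parse_pflog(log_text)
    print(f"== {label}")
    for (rule, action, direction, iface), n in sorted(tally(events).items()):
        print(f"  rule {rule:>2} {action:<5} {direction} on {iface}: {n} x  [{rules.get(rule, '?')}]")
    for ts, rule, action, iface, rule_text in inner_packets_off_enc(events, rules):
        print(f"  !! {ts} inner packet {action}ed on {iface} by rule {rule} ({rule_text})")


if __name__ == "__main__":
    report("IPv4 ping (working)", PFLOG_V4)
    report("IPv6 ping (failing)", PFLOG_V6)
```

Run against the two embedded traces it reports no findings for IPv4 and four findings for IPv6, all rule 1 blocks on em0. The same functions can be pointed at a live `tcpdump -nle -i pflog0` capture and the full `pfctl -vv -s rules` output; a `pass in on enc0` rule never showing up for one address family while the physical interface's block rule does is the symptom the report describes.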