Hi again,

Seems I missed this part in ipsec.conf:
  mode    For ESP and AH the encapsulation mode can be specified. Possible
          modes are tunnel and transport. When left out, tunnel is chosen.

Since I obviously want transport mode for host-host I changed ipsec.conf:
esp transport from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39:0xc9dbb83

(Although I don't fully understand why tunnel mode in a host-host setup
causes those effects)


Unfortunately this still doesn't help.
ICMP works as expected (sent on lo0, unencoded).
But TCP gets encoded and shows up on lo0 as ESP packets (but now from the correct origin IP). Interestingly one answer packet is sent unencoded...


pc50_root# ping 10.10.1.50
PING 10.10.1.50 (10.10.1.50): 56 data bytes
64 bytes from 10.10.1.50: icmp_seq=0 ttl=255 time=2.551 ms
64 bytes from 10.10.1.50: icmp_seq=1 ttl=255 time=0.608 ms
--- 10.10.1.50 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.608/1.579/2.551/0.972 ms

pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 21 12:41:50.446946 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 21 12:41:50.447382 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 21 12:41:51.459214 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 21 12:41:51.459353 10.10.1.50 > 10.10.1.50: icmp: echo reply


pc50_root# ssh 10.10.1.50
r...@10.10.1.50's password:

pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 21 12:51:57.826919 esp 10.10.1.50 > 10.10.1.50 spi 0xc9dbb83d seq 45 len 84 (DF)
Feb 21 12:51:57.829490 10.10.1.50.22 > 10.10.1.50.20625: S 1318751684:1318751684(0) ack 1549685827 win 16384 <mss 1496,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2957647887 1416697375> (DF)
Feb 21 12:51:57.830446 esp 10.10.1.50 > 10.10.1.50 spi 0xc9dbb83d seq 46 len 84 (DF)
Feb 21 12:51:58.126336 esp 10.10.1.50 > 10.10.1.50 spi 0xc9dbb83d seq 47 len 100 (DF)
Feb 21 12:51:58.132833 esp 10.10.1.50 > 10.10.1.50 spi 0xc9dbb83d seq 48 len 100 (DF)
Feb 21 12:51:58.209013 esp 10.10.1.50 > 10.10.1.50 spi 0xc9dbb83d seq 49 len 868 (DF)

pc50_root# tcpdump -nettti enc0
tcpdump: listening on enc0, link-type ENC
Feb 21 12:51:57.824569 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.20625 > 10.10.1.50.22: S 1549685826:1549685826(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1416697375 0> (DF)
Feb 21 12:51:57.828442 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.20625 > 10.10.1.50.22: S 1549685826:1549685826(0) win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1416697375 0> (DF)
Feb 21 12:51:57.830061 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.20625 > 10.10.1.50.22: . ack 1318751685 win 16384 <nop,nop,timestamp 1416697375 2957647887> (DF)
Feb 21 12:51:57.830759 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.20625 > 10.10.1.50.22: . ack 1 win 16384 <nop,nop,timestamp 1416697375 2957647887> (DF)
Feb 21 12:51:58.124201 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.22 > 10.10.1.50.20625: P 1:22(21) ack 0 win 16384 <nop,nop,timestamp 2957647888 1416697375> (DF)
Feb 21 12:51:58.127478 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.22 > 10.10.1.50.20625: P 1:22(21) ack 0 win 16384 <nop,nop,timestamp 2957647888 1416697375> (DF)


kind regards,
Robert


Robert wrote:
SAD:
esp tunnel from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39 auth hmac-sha2-256 enc aes
esp tunnel from 10.10.1.99 to 10.10.1.50 spi 0xc9dbb83d auth hmac-sha2-256 enc aes
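As an added example (not Robert's configuration or anything from the thread), the script below builds a complete host-to-host transport-mode ipsec.conf of the kind the message is working toward: one manually keyed rule with the mode written out, an outgoing:incoming SPI pair, and freshly generated keys for both directions. It reuses the post's addresses and SPIs; the key sizes (32 bytes for hmac-sha2-256, 16 bytes for "enc aes" read as AES-128), the /tmp path and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Robert's configuration: build a host-to-host
# transport-mode ipsec.conf with manually keyed SAs and sanity-check it.
# Assumptions: hmac-sha2-256 takes a 32-byte key, "enc aes" means AES-128
# and takes a 16-byte key; addresses and SPIs are the ones from the post.
set -eu

# Random key as lowercase hex, $1 = length in bytes.
gen_key() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Emit one ipsec.conf rule for LOCAL -> REMOTE. With "spi OUT:IN",
# "authkey OUT:IN" and "enckey OUT:IN" a single rule yields both SAs
# (outgoing and incoming), which is why the post's SAD lists two entries
# for one line. The mode is written out instead of relying on the
# tunnel default.
make_config() {
    local_ip=$1 remote_ip=$2 spi_out=$3 spi_in=$4
    akey_out=$(gen_key 32) akey_in=$(gen_key 32)
    ekey_out=$(gen_key 16) ekey_in=$(gen_key 16)
    printf '%s\n' \
      "# host-to-host ESP, transport mode, manual keys" \
      "esp transport from $local_ip to $remote_ip spi $spi_out:$spi_in auth hmac-sha2-256 enc aes authkey 0x$akey_out:0x$akey_in enckey 0x$ekey_out:0x$ekey_in"
}

# Number of hex digits in the outgoing key for keyword $2 (authkey or
# enckey) in the config text $1; lets key sizes be checked without ipsecctl.
key_hex_len() {
    k=$(printf '%s\n' "$1" | sed -n "s/.*$2 0x\([0-9a-f]*\):0x[0-9a-f]*.*/\1/p")
    printf '%s' "${#k}"
}

# Offline check: the rule is transport mode and the keys fit the algorithms
# (64 hex digits = 32 bytes for the MAC key, 32 hex digits = 16 bytes for AES).
config_ok() {
    cfg=$1
    printf '%s\n' "$cfg" | grep -q '^esp transport from ' || return 1
    [ "$(key_hex_len "$cfg" authkey)" -eq 64 ] || return 1
    [ "$(key_hex_len "$cfg" enckey)" -eq 32 ] || return 1
}

# Usage: generate, check, write out, and on an OpenBSD host let ipsecctl
# parse it (-n parses only; -f loads it; -sa and -sf afterwards show the
# resulting SAs and flows, tcpdump -i enc0 the decapsulated traffic).
cfg=$(make_config 10.10.1.50 10.10.1.99 0xabd9da39 0xc9dbb83d)
config_ok "$cfg"
printf '%s\n' "$cfg" > /tmp/ipsec-transport.conf
if command -v ipsecctl >/dev/null 2>&1; then
    ipsecctl -n -f /tmp/ipsec-transport.conf
fi
```

The same file has to be loaded on both hosts with the SPIs and keys swapped in direction (what is outgoing on one peer is incoming on the other), and the keys should be moved into a root-only file rather than kept in a world-readable config.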
