Hi,
Problem found (?), so for the record, in case someone else runs into the
same issue...
When configuring the host-host ipsec manually [1] no option is available
to specify the src_flow/dst_flow for the security associations (SAD) and
this seems to cause the problems.
If the setup is done through isakmpd then those options are set
automatically [2] and everything works fine.
So from what I understand there is no way to set up a "clean" host-host
manually through ipsec.conf only; instead you have to let isakmpd do the
negotiation (which is a good idea anyway) to get src/dst_flow set.
[1] setup done manually (= problems)
*) pc50_root# isakmpd -K -4 -a
*) ipsec.conf
flow esp from 10.10.1.50 to 10.10.1.51 \
local 10.10.1.50 peer 10.10.1.51 \
srcid 10.10.1.50 dstid 10.10.1.51 \
type require
esp transport from 10.10.1.50 to 10.10.1.51 spi 0xabd9da39:0xc9dbb83d \
srcid 10.10.1.50 dstid 10.10.1.51 \
authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
*) pc50_root# ipsecctl -f /etc/ipsec.conf
*) pc50_root# ipsecctl -kvvs all
FLOWS:
@0 flow esp in from 10.10.1.51 to 10.10.1.50 local 10.10.1.50 peer 10.10.1.51 srcid 10.10.1.50 dstid 10.10.1.51 type require
@1 flow esp out from 10.10.1.50 to 10.10.1.51 local 10.10.1.50 peer 10.10.1.51 srcid 10.10.1.50 dstid 10.10.1.51 type require
SAD:
@0 esp transport from 10.10.1.50 to 10.10.1.51 spi 0xabd9da39 auth hmac-sha2-256 enc aes \
authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8 \
enckey 0xb341aa065c3850edd6a61e150d6a5fd3
sa: spi 0xabd9da39 auth hmac-sha2-256 enc aes
state mature replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1266866658 first 0
address_src: 10.10.1.50
address_dst: 10.10.1.51
key_auth: bits 256: 54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8
key_encrypt: bits 128: b341aa065c3850edd6a61e150d6a5fd3
@0 esp transport from 10.10.1.51 to 10.10.1.50 spi 0xc9dbb83d auth hmac-sha2-256 enc aes \
authkey 0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
enckey 0xf7795f6bdd697a43a4d28dcf1b79062d
sa: spi 0xc9dbb83d auth hmac-sha2-256 enc aes
state mature replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1266866658 first 0
address_src: 10.10.1.51
address_dst: 10.10.1.50
key_auth: bits 256: 7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6
key_encrypt: bits 128: f7795f6bdd697a43a4d28dcf1b79062d
[2] setup through isakmpd (= works fine)
*) pc50_root# isakmpd -K -4
*) ipsec.conf
ike passive esp transport \
from 10.10.1.50 to 10.10.1.51 \
local 10.10.1.50 peer 10.10.1.51 \
srcid 10.10.1.50 dstid 10.10.1.51 \
psk TEST
*) pc50_root# ipsecctl -f /etc/ipsec.conf
*) pc50_root# ipsecctl -kvvs all
FLOWS:
@0 flow esp in from 10.10.1.51 to 10.10.1.50 peer 10.10.1.51 srcid 10.10.1.50 dstid 10.10.1.51 type use
@1 flow esp out from 10.10.1.50 to 10.10.1.51 peer 10.10.1.51 srcid 10.10.1.50 dstid 10.10.1.51 type require
SAD:
@0 esp transport from 10.10.1.51 to 10.10.1.50 spi 0x7709d9c3 auth hmac-sha2-256 enc aes \
authkey 0x79b951f992cf17d041f1224d3c4a9703b9a66db0c5012b65b656fc5109ae59eb \
enckey 0x367fd3fee168706968f605bbf00699f0
sa: spi 0x7709d9c3 auth hmac-sha2-256 enc aes
state mature replay 16 flags 0
lifetime_cur: alloc 0 bytes 2448 add 1266865920 first 1266866026
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 10.10.1.51
address_dst: 10.10.1.50
key_auth: bits 256: 79b951f992cf17d041f1224d3c4a9703b9a66db0c5012b65b656fc5109ae59eb
key_encrypt: bits 128: 367fd3fee168706968f605bbf00699f0
identity_src: type fqdn id 0: 10.10.1.51
identity_dst: type fqdn id 0: 10.10.1.50
src_mask: 255.255.255.255
dst_mask: 255.255.255.255
protocol: proto 0 flags 0
flow_type: type use direction in
src_flow: 10.10.1.51
dst_flow: 10.10.1.50
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1266866075
@0 esp transport from 10.10.1.50 to 10.10.1.51 spi 0x9aec4ceb auth hmac-sha2-256 enc aes \
authkey 0x0e277d8457bbdb4ae5f9d391f2e568250b6d11af6226b1a0406b8ad92e155d28 \
enckey 0x205ddd7b6fb2dd9876b49281beef9a8b
sa: spi 0x9aec4ceb auth hmac-sha2-256 enc aes
state mature replay 16 flags 0
lifetime_cur: alloc 0 bytes 1581 add 1266865920 first 1266866026
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 10.10.1.50
address_dst: 10.10.1.51
key_auth: bits 256: 0e277d8457bbdb4ae5f9d391f2e568250b6d11af6226b1a0406b8ad92e155d28
key_encrypt: bits 128: 205ddd7b6fb2dd9876b49281beef9a8b
identity_src: type fqdn id 0: 10.10.1.50
identity_dst: type fqdn id 0: 10.10.1.51
src_mask: 255.255.255.255
dst_mask: 255.255.255.255
protocol: proto 0 flags 0
flow_type: type use direction out
src_flow: 10.10.1.50
dst_flow: 10.10.1.51
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1266866075
kind regards,
Robert
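The difference between the two dumps above is that the manually keyed SAs have no src_flow/dst_flow/flow_type attributes, while the isakmpd-negotiated ones do. The following Python script is an added example (not part of Robert's message, not OpenBSD code): it parses the SAD: section of `ipsecctl -kvvs all` output and reports every SA that is not bound to a flow, which is a quick way to check a host for the condition described here. The two sample outputs embedded below are constructed from the values in the message, with the key material left out; the attribute layout follows the dumps above, and the parser only assumes one SA per `@N esp ... spi ...` header followed by indented `name: value` lines.

```python
"""Flag IPsec SAs in ipsecctl -kvvs output that carry no src_flow/dst_flow binding."""
import re

# Header of one SAD entry, e.g.
# "@0 esp transport from 10.10.1.50 to 10.10.1.51 spi 0xabd9da39 auth hmac-sha2-256 enc aes"
SA_HEADER = re.compile(
    r"^@\d+\s+esp\s+(?P<mode>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+spi\s+(?P<spi>0x[0-9a-fA-F]+)"
)
# Indented attribute lines such as "src_flow: 10.10.1.51" or "flow_type: type use direction in"
ATTR = re.compile(r"^\s*(?P<key>[a-z_]+):\s*(?P<val>.*)$")

# Constructed sample: manually keyed SAs (ipsec.conf "esp transport ... spi ..."), keys omitted.
MANUAL_OUTPUT = """\
FLOWS:
@0 flow esp in from 10.10.1.51 to 10.10.1.50 local 10.10.1.50 peer 10.10.1.51 type require
@1 flow esp out from 10.10.1.50 to 10.10.1.51 local 10.10.1.50 peer 10.10.1.51 type require
SAD:
@0 esp transport from 10.10.1.50 to 10.10.1.51 spi 0xabd9da39 auth hmac-sha2-256 enc aes
    sa: spi 0xabd9da39 auth hmac-sha2-256 enc aes
        state mature replay 0 flags 0
        address_src: 10.10.1.50
        address_dst: 10.10.1.51
@0 esp transport from 10.10.1.51 to 10.10.1.50 spi 0xc9dbb83d auth hmac-sha2-256 enc aes
    sa: spi 0xc9dbb83d auth hmac-sha2-256 enc aes
        state mature replay 0 flags 0
        address_src: 10.10.1.51
        address_dst: 10.10.1.50
"""

# Constructed sample: SAs negotiated by isakmpd, which carry the flow binding.
ISAKMPD_OUTPUT = """\
FLOWS:
@0 flow esp in from 10.10.1.51 to 10.10.1.50 peer 10.10.1.51 type use
@1 flow esp out from 10.10.1.50 to 10.10.1.51 peer 10.10.1.51 type require
SAD:
@0 esp transport from 10.10.1.51 to 10.10.1.50 spi 0x7709d9c3 auth hmac-sha2-256 enc aes
    sa: spi 0x7709d9c3 auth hmac-sha2-256 enc aes
        state mature replay 16 flags 0
        address_src: 10.10.1.51
        address_dst: 10.10.1.50
        flow_type: type use direction in
        src_flow: 10.10.1.51
        dst_flow: 10.10.1.50
@0 esp transport from 10.10.1.50 to 10.10.1.51 spi 0x9aec4ceb auth hmac-sha2-256 enc aes
    sa: spi 0x9aec4ceb auth hmac-sha2-256 enc aes
        state mature replay 16 flags 0
        address_src: 10.10.1.50
        address_dst: 10.10.1.51
        flow_type: type use direction out
        src_flow: 10.10.1.50
        dst_flow: 10.10.1.51
"""


def parse_sad(text):
    """Return a list of SA dicts (mode, src, dst, spi plus attribute lines) from the SAD: section."""
    sas, current, in_sad = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("FLOWS:"):
            in_sad = False          # flow entries are not SAs; skip them
            continue
        if line.startswith("SAD:"):
            in_sad = True
            continue
        if not in_sad:
            continue
        m = SA_HEADER.match(line)
        if m:
            current = dict(m.groupdict())
            sas.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val")
    return sas


def unbound_sas(sas):
    """SAs with no src_flow/dst_flow, i.e. not tied to any flow (the manual-setup case above)."""
    return [sa for sa in sas if "src_flow" not in sa or "dst_flow" not in sa]


def describe(sa):
    """One report line per SA, naming its flow binding or NONE."""
    if "src_flow" in sa and "dst_flow" in sa:
        binding = f"{sa['src_flow']} -> {sa['dst_flow']} ({sa.get('flow_type', '?')})"
    else:
        binding = "NONE"
    return f"spi {sa['spi']} {sa['src']} -> {sa['dst']}  flow binding: {binding}"


if __name__ == "__main__":
    # On a real host: parse_sad(subprocess.run(["ipsecctl", "-kvvs", "all"], ...).stdout)
    for label, dump in (("manual", MANUAL_OUTPUT), ("isakmpd", ISAKMPD_OUTPUT)):
        sas = parse_sad(dump)
        print(f"[{label}] {len(sas)} SAs, {len(unbound_sas(sas))} without flow binding")
        for sa in sas:
            print("  " + describe(sa))
```

Run against the real dump (`ipsecctl -kvvs all | python3 check_sad.py`, after swapping the samples for stdin) the script prints one line per SA; any line ending in `flow binding: NONE` is an SA of the manually keyed kind shown in [1].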
Robert wrote:
ICMP works as expected (sent on lo0, unencoded).
But TCP gets encoded and shows up on lo0 as ESP packets (but now from
the correct origin IP). Interestingly one answer packet is sent
unencoded...