
(2.6 IPsec) tcpdump: "truncated-ip - 12 bytes missing!"


Hi all,

I've not been told off with IPsec questions, so here's another one.
Using the Kame tools, I managed to get a network-to-host tunnel set
up:
                   --------------------------       --------------
  10.1.2.0/24 --- | 10.1.2.1 gateway 4.5.6.7 | --- | 4.3.2.1 host |
                   --------------------------   ^   --------------
                                                |IPsec

In words: everything between the 4.3.2.1 host and the network
10.1.2.0/24 is encrypted, with the (masquerading) gateway and the
host serving as tunnel endpoints.

This is working with the following configuration on the gateway:

  add 4.5.6.7 4.3.2.1 ah 0x200 -m tunnel -A hmac-sha1 "key1";
  add 4.3.2.1 4.5.6.7 ah 0x300 -m tunnel -A hmac-sha1 "key2";

  add 4.5.6.7 4.3.2.1 esp 0x201 -m tunnel -E twofish-cbc "key3";
  add 4.3.2.1 4.5.6.7 esp 0x301 -m tunnel -E twofish-cbc "key4";

  spdadd 10.1.2.0/24 4.3.2.1 any -P out ipsec
    esp/tunnel/4.5.6.7-4.3.2.1/require
    ah/tunnel/4.5.6.7-4.3.2.1/require;

  spdadd 4.3.2.1 10.1.2.0/24 any -P in ipsec
    esp/tunnel/4.3.2.1-4.5.6.7/require
    ah/tunnel/4.3.2.1-4.5.6.7/require;

and the same on the single host, with the policies switched.

Connectivity is fine, but as I checked the packets arriving at the
single host with tcpdump, I was kinda startled and don't know
anymore what's going on. Here's the output of one timestep (they are
all at the same time), line by line:

 1. 4.5.6.7 > 4.3.2.1: AH(spi=0x00000200,seq=0xcd):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

Perfect! The packet arrived from the gateway, and the AH and ESP SPIs
are what I told them to be.

 2. 4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: ESP(spi=0x00000201,seq=0xcd)
    (DF) [tos 0x10]  (ipip-proto-4)

What's this? I only sent one packet, and even though the ESP SPI is
correct, the AH SPI is totally random. tcpdump now says:

    truncated-ip - 12 bytes missing!
    4.5.6.7 > 4.3.2.1: AH(spi=0x45100080,seq=0x67be4000):
    4.5.6.7 > 4.3.2.1: [|ip] (ipip-proto-4) (ipip-proto-4)

and then (a fraction of a second later):

 3. 4.3.2.1 > 4.5.6.7: AH(spi=0x00000300,seq=0xfc6):
    4.3.2.1 > 4.5.6.7: ESP(spi=0x00000301,seq=0xfc6)
    (DF) [tos 0x10]  (ipip-proto-4)

this is the answer, using the appropriate SPIs for AH and ESP.

So then, where did the second packet come from?

Thanks for any input!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net _at_ madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
there is no place like ~
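A decoding check on the "random" AH SPI in packet 2, added here as an example and not part of the original mail: the SPI and sequence values tcpdump printed (0x45100080, 0x67be4000), read as the first eight bytes of an IPv4 header, give version 4, IHL 5, TOS 0x10, total length 128, ID 0x67be and DF set, which agrees with the "[tos 0x10]" and "(DF)" tcpdump printed on the same line. That is worth checking before treating the SPI as random, since it points at tcpdump decoding the inner IP header at an AH offset rather than at a second AH packet.

```python
import struct


def ah_spi_seq_as_ipv4(spi: int, seq: int) -> dict:
    """Re-read the 8 bytes tcpdump showed as AH SPI + sequence number
    as if they were the first 8 bytes of an IPv4 header."""
    raw = struct.pack("!II", spi, seq)
    ver_ihl, tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", raw)
    return {
        "version": ver_ihl >> 4,
        "ihl_words": ver_ihl & 0x0F,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
    }


def looks_like_ipv4_header(spi: int, seq: int) -> bool:
    """True if the AH fields are plausible as an IPv4 header start:
    version 4, a legal IHL, and a total length covering the header."""
    f = ah_spi_seq_as_ipv4(spi, seq)
    return (
        f["version"] == 4
        and 5 <= f["ihl_words"] <= 15
        and f["total_length"] >= 4 * f["ihl_words"]
    )


# Values taken from the tcpdump lines quoted in the mail above.
GENUINE_AH = (0x00000200, 0xCD)          # packet 1: the configured SPI
ODD_AH = (0x45100080, 0x67BE4000)        # packet 2: the "random" SPI

if __name__ == "__main__":
    for name, (spi, seq) in (("packet 1", GENUINE_AH), ("packet 2", ODD_AH)):
        print(name, "IPv4-like:", looks_like_ipv4_header(spi, seq),
              ah_spi_seq_as_ipv4(spi, seq))
```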
