Single IP host and IPsec tunnel mode experience

Crist J. Clark crist.clark at attbi.com
Sun Apr 20 13:59:09 PDT 2003 

On Sun, Apr 20, 2003 at 11:55:38AM -0500, Jacques A. Vidrine wrote:
> On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
> > On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
> > > 'uname -a'?
> > 
> > The endpoints were both 4.7.
> > 
> > > I can't reproduce this on a 4.8 to 4.7 tunnel. On
> > > 192.168.64.70,
> > > 
> > >   spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
> > > 	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> > >   spdadd 10.0.0.0/24 192.168.64.70/32 any -P  in
> > > 	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> > > 
> > > And on 192.168.64.20, the gateway to 10.0.0.0/24,
> > > 
> > >   spdadd 192.168.64.70/32 10.0.0.0/24 any -P  in
> > > 	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> > >   spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
> > > 	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> > > 
> > > Works fine.
> > 
> > Hmm, yes, that appears to be exactly what I'm trying to do.  Well,
> > that's heartening ... it means that there is likely some anomoly in my
> > environment that is hosing me.  Now if only I can figure what it is :-)
> 
> Oddly enough ...  ESP works, AH does not.

Yep, I can reproduce that. This setup,

  bubbles# cat bubbles.spd
  # Security Policy Database
  spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
          ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
  spdadd 10.0.0.0/24 192.168.64.70/32 any -P  in
          ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;

  # Security Associations Database
  add 192.168.64.70 192.168.64.20 esp 0x4321
          -m tunnel -r 128
          -E rijndael-cbc "encryption keys1"
          -A hmac-md5     "testkey1testkey2";

  add 192.168.64.20 192.168.64.70 esp 0x1234
          -m tunnel -r 128
          -E rijndael-cbc "encryption keys2"
          -A hmac-md5     "testkey2testkey1";

Works great with the apropriate swapping in the SPD on the other end
of the tunnel. However, do the following to both,

  bubbles# ed bubbles.spd
  g/esp/s/esp/ah/
  g/-E/s/^/#/
  wq
  bubbles# setkey -F; setkey -FP; setkey -f bubbles.spd

And things do not work. The sender seems to work fine, but the
receiver increments the,

  "inbound packets violated process security policy"

Counter. But the really puzzling part is that it increments the,

  "inbound packets processed successfully" (which I think I understand)
  "inbound packets considered authentic" (which I do not)

Counters too.

Your conjecture that it may be somehow processing inbound packets
twice may be on the right track.
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org

More information about the freebsd-hackers mailing list