Single IP host and IPsec tunnel mode experience

Jacques A. Vidrine nectar at FreeBSD.org
Sun Apr 20 16:26:17 PDT 2003 

On Sun, Apr 20, 2003 at 10:20:53AM -0700, Lars Eggert wrote:
> On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote:
> >On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
> >
> >>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
> >>
> >>>'uname -a'?
> >>
> >>The endpoints were both 4.7.
> >>
> >>
> >>>I can't reproduce this on a 4.8 to 4.7 tunnel. On
> >>>192.168.64.70,
> >>>
> >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
> >>>	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P  in
> >>>	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> >>>
> >>>And on 192.168.64.20, the gateway to 10.0.0.0/24,
> >>>
> >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P  in
> >>>	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
> >>>	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> >>>
> >>>Works fine.
> >>
> >>Hmm, yes, that appears to be exactly what I'm trying to do.  Well,
> >>that's heartening ... it means that there is likely some anomoly in my
> >>environment that is hosing me.  Now if only I can figure what it is :-)
> >
> >
> >Oddly enough ...  ESP works, AH does not.
> 
> Are you going through a NAT box? (Sorry, haven't been following this 
> thread closely.) AH includes more of the IP header when computing the 
> crypto checksum (compared to ESP), if those fields get diddled by a NAT 
> box, the receiver will drop the packets because of bad crypto. One of 
> the netstat counters on the receiver will show this.

No NAT.

> If you need to authenticate, maybe try using ESP authentication?

Yes, I believe that's what I tested.  e.g.

  223.223.223.223 117.117.117.117 
          esp mode=tunnel spi=40396514(0x26866e25) reqid=0(0x00000000)
          E: 3des-cbc 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14 1e11dd81
          A: hmac-sha1 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14
          seq=0x00000000 replay=4 flags=0x00000000 state=mature 
          created: Mar  2 07:52:31 2003   current: Mar  2 07:59:28 2003
          diff: 20(s)     hard: 30(s)     soft: 24(s)
          last:                           hard: 0(s)      soft: 0(s)
          current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
          allocated: 0    hard: 0 soft: 0
          sadb_seq=2 pid=90010 refcnt=1

I actually don't need AH ... I was using AH because it is easier to see
what is going on.

Cheers,
-- 
Jacques A. Vidrine <nectar at celabo.org>          http://www.celabo.org/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine at verio.net     .  nectar at FreeBSD.org  .          nectar at kth.se

More information about the freebsd-hackers mailing list