NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54815 Location: 56N 3W
Posted: Sun Dec 27, 2015 8:37 pm Post subject: IPsec
Team,
I've spent a few days trying to get IPsec going. Ever the optimist, I emerged everything, configured it and nothing happened.
I wasn't really surprised. Now I'm trying to get transport mode to work between two nodes, using manual keying, and I can't even get setkey to work.
One host is at eth0:1 192.168.3.20 (gentoo sources).
The other is on eth1:1 192.168.3.253 (hardened sources).
There is a firewall between them but anything to/from 192.168.3.0/24 is allowed.
My /etc/ipsec-tools.conf is
Code:
#!/usr/sbin/setkey -f
#
# THIS IS A SAMPLE FILE!
#
# This is a sample file to test Gentoo's ipsec-tools out of the box.
# Do not use it in production. See: http://www.ipsec-howto.org/
#
# we are 192.168.3.253
flush;
spdflush;

# Security policies
# Note: a "-P in" policy only matches packets whose destination is this host
# and a "-P out" policy only packets whose source is this host, so the two
# policies below fit 192.168.3.20 as written; on 192.168.3.253 src and dst
# have to be swapped.
spdadd 192.168.3.253 192.168.3.20 any -P in ipsec
       esp/transport//require
       ah/transport//require;
spdadd 192.168.3.20 192.168.3.253 any -P out ipsec
       esp/transport//require
       ah/transport//require;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# Note: the policies above also require AH, but no AH SAs are added below,
# so with manual keying that requirement can never be satisfied.
add 192.168.3.253 192.168.3.20 esp 0x201 -m transport
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.3.20 192.168.3.253 esp 0x301 -m transport
    -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
    -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
Which I feed to
Code:
# /usr/sbin/setkey -f /etc/ipsec-tools.conf
The result of line 31: (null)
So it doesn't like the last statement.
Copying the file to the other host and running
Code:
/usr/sbin/setkey -f /etc/ipsec-tools.conf
did not return any errors the first time, but subsequent runs produce
Code:
The result of line 31: (null)
Google isn't being my friend and, according to man setkey, the file should at least parse correctly.
I know it won't work with both ends identical, but it's not even setting up keys yet, so there is no possibility of passing any traffic.
If it helps any, racoon stalls at setting up phase 2.
What's wrong with my /etc/ipsec-tools.conf?
=== edit ===
Maybe it's not my /etc/ipsec-tools.conf. I've just thrown together a VBox install, handbook, genkernel, the whole 9 yards.
It JustWorks there. That would point to some bits missing from the kernel, but the ipsec-tools ebuild passes its kernel checks.
Thoughts?
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
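A file like the one above can parse cleanly and still pass no traffic, so here is an added Python checker (my own code, not part of ipsec-tools or of this post) that reads a setkey -f file, checks each -E/-A key length against its algorithm, and verifies that every -P in/out policy fits the loading host's own address and has an SA for each protocol it requires. Run against the posted file with 192.168.3.253 as the local address it reports the reversed policy directions and the missing AH SAs.

```python
# Added example (not from ipsec-tools or the thread): sanity-check a manually
# keyed setkey -f file before feeding it to setkey.
KEY_BYTES = {"3des-cbc": {24}, "des-cbc": {8}, "aes-cbc": {16, 24, 32},
             "hmac-md5": {16}, "hmac-sha1": {20}}   # known ipsec-tools key sizes

def parse_setkey(text):
    """Split a setkey file into ';'-terminated token lists, dropping # comments."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [stmt.split() for stmt in body.split(";") if stmt.strip()]

def check_setkey(text, local):
    """Return the problems found, given the address of the host loading the file."""
    problems, policies, sas = [], [], set()
    for toks in parse_setkey(text):
        if toks[0] == "spdadd":
            direction = toks[toks.index("-P") + 1]
            protos = [t.split("/")[0] for t in toks if t.startswith(("esp/", "ah/"))]
            policies.append((toks[1], toks[2], direction, protos))
        elif toks[0] == "add":
            src, dst, proto = toks[1], toks[2], toks[3]
            sas.add((src, dst, proto))
            for flag in ("-E", "-A"):           # cipher key and authenticator key
                if flag in toks:
                    alg, key = toks[toks.index(flag) + 1], toks[toks.index(flag) + 2]
                    nbytes = len(key) // 2 - 1  # hex digits after the 0x prefix
                    if alg in KEY_BYTES and nbytes not in KEY_BYTES[alg]:
                        problems.append(f"SA {src}->{dst} {proto}: {alg} key is {nbytes} bytes")
    for src, dst, direction, protos in policies:
        # an 'in' policy must end at this host, an 'out' policy must start here
        if (direction == "in" and dst != local) or (direction == "out" and src != local):
            problems.append(f"policy {src}->{dst} -P {direction} does not fit local host {local}")
        for proto in protos:                    # every required protocol needs its own SA
            if (src, dst, proto) not in sas:
                problems.append(f"policy {src}->{dst} requires {proto} but has no {proto} SA")
    return problems

# Constructed from the file posted above (the keys are the Gentoo sample keys).
SAMPLE = """
spdadd 192.168.3.253 192.168.3.20 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 192.168.3.20 192.168.3.253 any -P out ipsec esp/transport//require ah/transport//require;
add 192.168.3.253 192.168.3.20 esp 0x201 -m transport
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.3.20 192.168.3.253 esp 0x301 -m transport
    -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
    -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
"""

if __name__ == "__main__":
    for problem in check_setkey(SAMPLE, "192.168.3.253"):
        print(problem)
```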
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54815 Location: 56N 3W
Posted: Mon Dec 28, 2015 10:59 am
schorsch_76,
The VBox kernel is genkernel all - the first time I have ever used genkernel.
I was planning on doing a binary search of the differences between the kernels, just in the crypto and network areas.
I can also try IPv6, but the aim is to interoperate with Windows behind NAT on IPv4.
Thank you for the pointer.
user Apprentice
Joined: 08 Feb 2004 Posts: 216
Posted: Mon Dec 28, 2015 10:46 pm
hi great user supporter NeddySeagoon
maybe the last line needs a carriage return?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54815 Location: 56N 3W
Posted: Mon Dec 28, 2015 11:07 pm
Just to close off, it was several things.
a) The remains of the firewall getting in the way one way.
b) 3des, which is the illustrated encryption, doesn't work for me unless I use genkernel. des is broken too, but null and aes both work.
Null is not very secure :)
Once I got setkey to work with manual keying, racoon worked too. Not with des and 3des though.
That's for another day.
A good diagnostic aid was IPsec one way and clear traffic responses. It's just no security association in one direction.
I can now run IPsec in transport mode between two systems on the same subnet.
That's not very useful, but I can build on what works.
Next up, tunnel mode, then tunnel mode through NAT.
Then tunnel mode through a firewall.
Lastly, l2tp and Windows ... and android ... and ...
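Since the cause turned out to be kernel crypto support rather than the config, here is an added Python check (my own code, not from the thread or ipsec-tools; the setkey-to-kernel name mapping is my assumption) that pulls the -E/-A algorithms out of a setkey file and reports which of them have no matching entry in /proc/crypto:

```python
import re

# setkey algorithm name -> kernel crypto algorithm name as listed in /proc/crypto.
# Assumed mapping for this added example; it is not part of ipsec-tools.
KERNEL_ALG = {"3des-cbc": "des3_ede", "des-cbc": "des", "aes-cbc": "aes",
              "null": "cipher_null", "hmac-md5": "md5", "hmac-sha1": "sha1"}

def proc_crypto_names(text):
    """Collect every 'name : xxx' value from /proc/crypto-style text."""
    return set(re.findall(r"^name\s*:\s*(\S+)", text, re.M))

def setkey_algs_in_config(config_text):
    """Pull the algorithm names that follow -E/-A out of a setkey config."""
    return set(re.findall(r"-[EA]\s+(\S+)", config_text))

def missing_kernel_algs(setkey_algs, proc_crypto_text):
    """Return the setkey algorithms whose kernel counterpart is not listed."""
    names = proc_crypto_names(proc_crypto_text)
    return sorted(a for a in setkey_algs if KERNEL_ALG.get(a, a) not in names)

# Constructed /proc/crypto excerpt: aes, md5 and null present, 3DES/DES absent,
# mirroring the 64-bit kernel described in this thread.
SAMPLE_PROC_CRYPTO = """\
name         : cipher_null
driver       : cipher_null-generic
type         : cipher

name         : aes
driver       : aes-generic
type         : cipher

name         : md5
driver       : md5-generic
type         : shash
"""

# Constructed one-SA excerpt of the posted config (Gentoo sample key).
SAMPLE_CONFIG = """\
add 192.168.3.253 192.168.3.20 esp 0x201 -m transport
    -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
    -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
"""

if __name__ == "__main__":
    algs = setkey_algs_in_config(SAMPLE_CONFIG)
    print("missing in sample kernel:", missing_kernel_algs(algs, SAMPLE_PROC_CRYPTO))
    try:
        with open("/proc/crypto") as f:   # the running kernel, when on Linux
            print("missing on this host:", missing_kernel_algs(algs, f.read()))
    except OSError:
        pass
```

Algorithms built as modules only appear in /proc/crypto once loaded, so an absent name means missing or not yet loaded rather than definitely unavailable.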
schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 452
Posted: Tue Dec 29, 2015 5:26 pm
Actually your IPsec attempt made me try it too.... I need to know more about it. I need to try and test
Edit: net-misc/strongswan should be easier to configure. It provides ipsec too
_________________
// valid again: I forgot about the git access. Now 1.2GB big. Start: 2015-06-25
git daily portage tree
Web: https://github.com/schorsch1976/portage
git clone https://github.com/schorsch1976/portage
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54815 Location: 56N 3W
Posted: Tue Dec 29, 2015 8:09 pm
schorsch_76,
I need ipsec and l2tp to just work.
The idea is to open the network settings tool in Windows, set up a VPN, and have it connect.
All the docs I have seen say that ipsec-tools is the way to go. I'm aware of openswan and others.
Anyway, back to the original problem. I'm at the network traversal stage and needed another box for testing.
I blew the dust off my Acer One netbook, which is a 32-bit N270 CPU.
The default 3des just worked with setkey. Ouch.
It appears that the 32-bit kernel forces on all the required crypto but the 64-bit kernel doesn't.
It's not that. Both systems have the same crypto setup.
schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 452
Posted: Wed Dec 30, 2015 7:47 am
Hi Needy,
One reason for the creation of strongswan was that the setup should be easier. It uses the same kernel functions.
It is just a hint for you. I did not know much about ipsec prior to this experiment.
Schorsch
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54815 Location: 56N 3W
Posted: Wed Dec 30, 2015 9:24 am
schorsch_76,
Thank you. I clearly have a lot more reading to do.
My testing has been on a mix of physical (32-bit and 64-bit) and KVMs (64-bit hardened).
I've managed to break my test setup so that even racoon no longer works between two hosts on the same subnet.
It's back to manual keying, if I'm still going to try to do it the hard way.
I will probably give StrongSwan a try. I like the certificates part and the Windows setup presentation.
That saves me needing to write my own instructions.