eightn n00b
Joined: 23 Apr 2004 Posts: 11
Posted: Tue Aug 10, 2004 9:54 am Post subject: ipsec (2.6 kernel, ipsec-tools) transport mode, auto keying
People, could you tell me how to set up an "ipsec transport mode connection" with automatic key generation between two hosts?
Let there be two hosts:
net (10.10.0.0/24) = 10.0.0.1 --- 10.0.0.2 = net (10.20.0.0/24)
How do I set up the ipsec connection between them in transport mode?
With tunnel mode everything is all right; in the elementary case the configs for the left machine (10.0.0.1) look like this:
/etc/ipsec.conf
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
/etc/racoon.conf
remote 10.0.0.2 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.10.0.0/24 any address 10.20.0.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
For the right machine (10.0.0.2) everything is mirrored. We start the racoon daemon, the tunnel comes up and the traffic goes through.
And how do I do the same (with automatic key generation) for a
"transport mode ipsec connection"?
I did it by analogy:
/etc/ipsec.conf
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
esp/transport//require
ah/transport//require;
/etc/racoon.conf
remote 10.0.0.2 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.0.0.1 any address 10.0.0.2 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Unfortunately, www.ipsec-howto.org says nothing about transport mode with an auto-keyed connection.
In the racoon logs it is written:
/usr/sbin/racoon -f /etc/racoon/racoon.conf -4 -F
INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
on the 10.0.0.2 machine:
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
ERROR: phase1 negotiation failed due to time up. 894021715a4b0fba:0da61a7661898aa9
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
I.e. it stalls somewhere at the 1st phase, but where?
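A mechanical way to read logs like the ones above, as an added example that is not part of this thread or of ipsec-tools: a small Python triage script that counts the racoon phase 1 / phase 2 events and says whether phase 1 ever completed. The failing samples are the initiator and responder lines copied from the post above; the healthy sample is constructed, and its "ISAKMP-SA established" / "IPsec-SA established" lines follow racoon's message format as assumed here.

```python
"""Triage of racoon (ipsec-tools) log lines: did phase 1 ever complete?

Added example, not code from the thread. INITIATOR_LOG and RESPONDER_LOG are
copied from the post above; HEALTHY_LOG is constructed and its success lines
use racoon's "ISAKMP-SA established" / "IPsec-SA established" wording (assumed).
"""
import re
from collections import Counter

PATTERNS = {
    "phase1_initiated": re.compile(r"initiate new phase 1 negotiation"),
    "phase1_responded": re.compile(r"respond new phase 1 negotiation"),
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "retransmit": re.compile(r"the packet is retransmitted by"),
    "phase2_waiting_phase1": re.compile(
        r"phase2 negotiation failed due to time up waiting for phase1"),
    "ipsec_sa_established": re.compile(r"IPsec-SA established"),
}

# Initiator side (10.0.0.1), copied from the thread.
INITIATOR_LOG = """INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
"""

# Responder side (10.0.0.2), copied from the thread.
RESPONDER_LOG = """INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
ERROR: phase1 negotiation failed due to time up. 894021715a4b0fba:0da61a7661898aa9
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
"""

# Constructed healthy run; the spi values are placeholders, not real ones.
HEALTHY_LOG = """INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
INFO: ISAKMP-SA established 10.0.0.1[500]-10.0.0.2[500] spi:PLACEHOLDER:PLACEHOLDER
INFO: initiate new phase 2 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: IPsec-SA established: ESP/Transport 10.0.0.2->10.0.0.1 spi=PLACEHOLDER
INFO: IPsec-SA established: ESP/Transport 10.0.0.1->10.0.0.2 spi=PLACEHOLDER
"""


def triage(log_text):
    """Count how often each diagnostic pattern occurs (one Counter key per pattern)."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[name] += 1
    return counts


def diagnose(counts):
    """phase1_ok: an ISAKMP SA exists, so any remaining trouble is phase 2 / SPD.
    phase1_stalled: main mode started but never completed; the usual causes are a
    phase 1 proposal, pre-shared key or identity that the two remote{} blocks do
    not agree on. no_negotiation: nothing was ever queued, so the SPD never
    asked racoon for an SA."""
    if counts["phase1_established"]:
        return "phase1_ok"
    if counts["phase1_initiated"] or counts["phase1_responded"]:
        return "phase1_stalled"
    return "no_negotiation"


def peer_packets_seen(counts):
    """Retransmissions *by* the peer, or a respond line, prove that the peer's
    UDP/500 packets reach this host, so the stall is not a reachability problem."""
    return bool(counts["retransmit"] or counts["phase1_responded"])


if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG),
                      ("healthy", HEALTHY_LOG)):
        counts = triage(log)
        print(name, diagnose(counts), "peer packets seen:", peer_packets_seen(counts),
              dict(counts))
```

Run it as a script and both thread logs come out as phase1_stalled with peer packets seen, which is exactly the situation in the post: UDP/500 flows both ways, main mode starts on both sides, and it never reaches the ISAKMP-SA, so the parameters inside the two remote{} blocks are the first thing to compare.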
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Aug 10, 2004 10:25 am Post subject:
Hi!
1. You are using AH on 10.0.0.2 but not on 10.0.0.1, remove AH
2. you need to have a second sainfo entry with source and destination addresses switched, otherwise you can send traffic out but nothing is allowed to come in
3. (not sure) 'normally' 3DES/SHA1 is bundled with dh_group 2, not 5
HTH
T. _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
eightn n00b
Joined: 23 Apr 2004 Posts: 11
Posted: Tue Aug 10, 2004 12:28 pm Post subject:
Mysticism... I have now changed the IP addresses on both computers and consequently corrected a little (only the addresses) in the files
ipsec.conf and racoon.conf.
After that everything worked (in transport mode) :-0
Probably last time I made a mistake somewhere in the syntax.
But I would like to get some clarification on your message.
Think4UrS11 wrote:
1. You are using AH on 10.0.0.2 but not on 10.0.0.1, remove AH
I did not understand this phrase.
AH is used on both computers. On one of them it needs to be disabled? What for?
ipsec.conf at 10.0.0.1
Code:
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
esp/transport//require
ah/transport//require;
ipsec.conf at 10.0.0.2
Code:
spdadd 10.0.0.2/32 10.0.0.1/32 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.1/32 10.0.0.2/32 any -P in ipsec
esp/transport//require
ah/transport//require;
Quote:
2. you need to have a second sainfo entry with source and destination addresses switched, otherwise you can send traffic out but nothing is allowed to come in
In the file racoon.conf?
Shouldn't the second sainfo be specified only on the remote computer?
racoon.conf at 10.0.0.1
Code:
remote 10.0.0.2 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.0.0.1 any address 10.0.0.2 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
racoon.conf at 10.0.0.2
Code:
remote 10.0.0.1 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.0.0.2 any address 10.0.0.1 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
At least with the above-stated configs everything works correctly.
Quote:
3. (not sure) 'normally' 3DES/SHA1 is bundled with dh_group 2, not 5
Yes, thanks. I was simply checking how ipsec works with various parameters.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Aug 10, 2004 1:01 pm Post subject:
eightn wrote:
I did not understand this phrase.
AH is used on both computers. On one of them it needs to be disabled? What for?
Look at your first post - the racoon.confs differ a lot(!); that's why I mentioned it
Quote:
At least with the above-stated configs everything works correctly.
Maybe I'm wrong but I think it is only possible for connections with source 10.0.0.1 to go to 10.0.0.2, NOT from 10.10.0.0/x
What I understood from your first post was you want to tunnel between the 10.10.0.0 and 10.20.0.0 networks. _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
eightn n00b
Joined: 23 Apr 2004 Posts: 11
Posted: Tue Aug 10, 2004 1:58 pm Post subject:
Think4UrS11 wrote:
eightn wrote:
I did not understand this phrase.
AH is used on both computers. On one of them it needs to be disabled? What for?
Look at your first post - the racoon.confs differ a lot(!); that's why I mentioned it
I do not see differences between the racoon.conf in the first message and in the last.
Though in the first message I gave two different racoon.conf, the first for tunnel mode, the second for transport mode.
Or probably there are language complexities; my translation from Russian into English turns out poorly, in the other direction I understand much better :)
Quote:
At least with the above-stated configs everything works correctly.
Maybe I'm wrong but I think it is only possible for connections with source 10.0.0.1 to go to 10.0.0.2, NOT from 10.10.0.0/x
What I understood from your first post was you want to tunnel between the 10.10.0.0 and 10.20.0.0 networks.
Oh, my carelessness.
Sorry.
Initially I wanted to make an ipsec transport mode connection between 10.0.0.1 && 10.0.0.2.
The picture with the networks behind these two hosts I gave only as an example for tunnel mode.
And is it possible at all to make a transport mode connection between 10.10.0.0/24 && 10.20.0.0/24, which ipsec on hosts 10.0.0.1 and 10.0.0.2 would provide?
I believed that transport mode works exclusively between two hosts only.