Discussion on comp.unix.bsd.openbsd.misc (OpenBSD): help with a basic IPsec host-host test
I'm on OpenBSD 3.8 trying to test a simple VPN in a host-host context, but it's not working. Any help is appreciated.

On HOST A:
--------------------------------------------------
# more host-host_A.vpn
#!/bin/sh
# Run this script on host A

A_EXTERNAL_IP=192.168.2.220
B_EXTERNAL_IP=192.168.2.213

ipsecadm flush

ipsecadm new esp \
    -spi 1000 \
    -src $A_EXTERNAL_IP -dst $B_EXTERNAL_IP \
    -enc blf -keyfile /root/vpn/blf-esp-enc-key \
    -auth sha1 -authkeyfile /root/vpn/sha1-esp-auth-key

ipsecadm new esp \
    -spi 1001 \
    -src $B_EXTERNAL_IP -dst $A_EXTERNAL_IP \
    -enc blf -keyfile /root/vpn/blf-esp-enc-key \
    -auth sha1 -authkeyfile /root/vpn/sha1-esp-auth-key

ipsecadm flow -out -require -proto esp \
    -src $A_EXTERNAL_IP -dst $B_EXTERNAL_IP \
    -addr $A_EXTERNAL_IP/32 $B_EXTERNAL_IP/32

ipsecadm flow -in -require -proto esp \
    -src $A_EXTERNAL_IP -dst $B_EXTERNAL_IP \
    -addr $B_EXTERNAL_IP/32 $A_EXTERNAL_IP/32

# cat /kern/ipsec
Hashmask: 31, policy entries: 2
SPI = 00001001, Destination = 192.168.2.220, Sproto = 50
        Established 8 seconds ago
        Source = (null)                 <<<----------- HUH?
        Flags (00000000) = <none>
        Crypto ID: 2
        xform = <IPsec ESP>
                Encryption = <Blowfish>
                Authentication = <HMAC-SHA1>
        0 bytes processed by this SA
        Expirations:
                (none)

SPI = 00001000, Destination = 192.168.2.213, Sproto = 50
        Established 8 seconds ago
        Source = (null)                 <<<----------- HUH?
        Flags (00000000) = <none>
        Crypto ID: 1
        xform = <IPsec ESP>
                Encryption = <Blowfish>
                Authentication = <HMAC-SHA1>
        0 bytes processed by this SA
        Expirations:
                (none)

# ipsecadm show
sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
        sa: spi 0x00001001 auth hmac-sha1 enc blowfish
                state mature replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1136872437 first 0
        address_src: 192.168.2.213
        address_dst: 192.168.2.220
        key_auth: bits 160: 97995523bc17287cd3246721580fe21d80ad48b1
        key_encrypt: bits 160: f493a0253eed238302be106dc0e9b627714ef7c1

sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
        sa: spi 0x00001000 auth hmac-sha1 enc blowfish
                state mature replay 0 flags 0
        lifetime_cur: alloc 0 bytes 768 add 1136872437 first 1136872452
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1136873153
        address_src: 192.168.2.220
        address_dst: 192.168.2.213
        key_auth: bits 160: 97995523bc17287cd3246721580fe21d80ad48b1
        key_encrypt: bits 160: f493a0253eed238302be106dc0e9b627714ef7c

# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2.213/32   0     192.168.2.220/32   0     0     192.168.2.213/50/require/in
192.168.2.220/32   0     192.168.2.213/32   0     0     192.168.2.213/50/require/out
--------------------------------------------------

On HOST B:
--------------------------------------------------
# more host-host_B.vpn
#!/bin/sh
# Run this script on host B

A_EXTERNAL_IP=192.168.2.220
B_EXTERNAL_IP=192.168.2.213

ipsecadm flush

ipsecadm new esp \
    -spi 1000 \
    -src $A_EXTERNAL_IP -dst $B_EXTERNAL_IP \
    -enc blf -keyfile /root/vpn/blf-esp-enc-key \
    -auth sha1 -authkeyfile /root/vpn/sha1-esp-auth-key

ipsecadm new esp \
    -spi 1001 \
    -src $B_EXTERNAL_IP -dst $A_EXTERNAL_IP \
    -enc blf -keyfile /root/vpn/blf-esp-enc-key \
    -auth sha1 -authkeyfile /root/vpn/sha1-esp-auth-key

ipsecadm flow -out -require -proto esp \
    -src $B_EXTERNAL_IP -dst $A_EXTERNAL_IP \
    -addr $A_EXTERNAL_IP/32 $B_EXTERNAL_IP/32

ipsecadm flow -in -require -proto esp \
    -src $B_EXTERNAL_IP -dst $A_EXTERNAL_IP \
    -addr $B_EXTERNAL_IP/32 $A_EXTERNAL_IP/32

# ipsecadm show
sadb_dump: satype esp vers 2 len 26 seq 0 pid 0
        sa: spi 0x00001000 auth hmac-sha1 enc blowfish
                state mature replay 0 flags 0
        lifetime_cur: alloc 0 bytes 864 add 1136872351 first 1136872397
        x_lifetime_lastuse: alloc 0 bytes 0 add 0 first 1136873097
        address_src: 192.168.2.220
        address_dst: 192.168.2.213
        key_auth: bits 160: 97995523bc17287cd3246721580fe21d80ad48b1
        key_encrypt: bits 160: f493a0253eed238302be106dc0e9b627714ef7c1

sadb_dump: satype esp vers 2 len 22 seq 0 pid 0
        sa: spi 0x00001001 auth hmac-sha1 enc blowfish
                state mature replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1136872351 first 0
        address_src: 192.168.2.213
        address_dst: 192.168.2.220
        key_auth: bits 160: 97995523bc17287cd3246721580fe21d80ad48b1
        key_encrypt: bits 160: f493a0253eed238302be106dc0e9b627714ef7c1

# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2.213/32   0     192.168.2.220/32   0     0     192.168.2.220/50/require/in
192.168.2.220/32   0     192.168.2.213/32   0     0     192.168.2.220/50/require/out
--------------------------------------------------

This is what is seen on HOST B when HOST A pings HOST B:

Jan 10 01:04:49.840080 esp 192.168.2.220 > 192.168.2.213 spi 0x00001000 seq 4 len 100
Jan 10 01:04:49.840612 192.168.2.213 > 192.168.2.220: icmp: 0 0
Jan 10 01:04:50.850041 esp 192.168.2.220 > 192.168.2.213 spi 0x00001000 seq 5 len 100
Jan 10 01:04:50.850582 192.168.2.213 > 192.168.2.220: icmp: 0 0
Jan 10 01:04:51.860043 esp 192.168.2.220 > 192.168.2.213 spi 0x00001000 seq 6 len 100
Jan 10 01:04:51.860546 192.168.2.213 > 192.168.2.220: icmp: 0 0

ESP traffic is coming in, but it tries to respond without IPsec protection. What could be the problem?

--
Peter
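Added example, not part of Peter's post: a small POSIX sh script that builds one host's two `ipsecadm flow` commands from a single template (same syntax as host A's script, with the local address as the source of the -out flow and the destination of the -in flow), and checks a `netstat -rnf encap` table for flows that point the wrong way for a host-to-host setup. The two tables are the ones Peter posted, pasted in as sample input. Run against them, host A's table passes; in host B's table the out flow is sourced from 192.168.2.220 and the in flow terminates at 192.168.2.220, so no "out" entry on B matches traffic sourced from 192.168.2.213, which is consistent with B decrypting inbound ESP but sending its replies unprotected. The script only prints commands and never calls ipsecadm itself; the host-to-host (/32 on both ends) assumption is what makes the local-address check valid.

```shell
#!/bin/sh
# Added example, not from the original post. Generates ipsecadm flow commands
# for one side of a host-to-host ESP setup from a single template, and checks
# a `netstat -rnf encap` table against the host's own address.
# The command syntax mirrors host A's script in the post; ipsecadm is not run.

# flow_cmds LOCAL REMOTE: print the two flow commands for the host whose own
# address is LOCAL. The -out flow covers LOCAL -> REMOTE traffic and the -in
# flow the reverse, so the -addr pair cannot be pasted the wrong way round.
flow_cmds() {
    lcl=$1 rmt=$2
    printf 'ipsecadm flow -out -require -proto esp -src %s -dst %s -addr %s/32 %s/32\n' \
        "$lcl" "$rmt" "$lcl" "$rmt"
    printf 'ipsecadm flow -in -require -proto esp -src %s -dst %s -addr %s/32 %s/32\n' \
        "$lcl" "$rmt" "$rmt" "$lcl"
}

# check_encap LOCAL < table: read a `netstat -rnf encap` table on stdin.
# Host-to-host assumption: every "out" flow must have LOCAL as its source and
# every "in" flow must have LOCAL as its destination. Prints one line per
# offending flow; returns 1 if any was found, 0 if the table is clean.
check_encap() {
    lcl=$1 bad=0
    while read -r src sport dst dport proto sa; do
        case $src in ''|Routing*|Encap*|Source*) continue ;; esac   # skip headers
        dir=${sa##*/}          # Direction is the last field of Address/Proto/Type/Direction
        case $dir in
        out) [ "${src%/*}" = "$lcl" ] ||
                 { echo "BAD out flow: source ${src%/*} is not local $lcl ($src -> $dst)"; bad=1; } ;;
        in)  [ "${dst%/*}" = "$lcl" ] ||
                 { echo "BAD in flow: destination ${dst%/*} is not local $lcl ($src -> $dst)"; bad=1; } ;;
        esac
    done
    return $bad
}

# Sample input: the two encap tables from the post, used here as constructed test data.
HOST_A_TABLE=$(cat <<'EOF'
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2.213/32   0     192.168.2.220/32   0     0     192.168.2.213/50/require/in
192.168.2.220/32   0     192.168.2.213/32   0     0     192.168.2.213/50/require/out
EOF
)
HOST_B_TABLE=$(cat <<'EOF'
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2.213/32   0     192.168.2.220/32   0     0     192.168.2.220/50/require/in
192.168.2.220/32   0     192.168.2.213/32   0     0     192.168.2.220/50/require/out
EOF
)

A=192.168.2.220 B=192.168.2.213

echo "== flow commands for host A =="; flow_cmds "$A" "$B"
echo "== flow commands for host B =="; flow_cmds "$B" "$A"

echo "== checking host A's table against $A =="
printf '%s\n' "$HOST_A_TABLE" | check_encap "$A" && echo "host A: flows OK"
echo "== checking host B's table against $B =="
printf '%s\n' "$HOST_B_TABLE" | check_encap "$B" || echo "host B: flows point the wrong way"
```

On a live host the same check is `netstat -rnf encap | check_encap <local address>`; the generator is meant to be run once per host with the two addresses swapped, so the -addr pairs are derived rather than copied between the two scripts.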