<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6000.16788" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px"
bgColor=#ffffff leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT face="MS UI Gothic" size=2>Hi all,</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2></FONT> </DIV>
<DIV><FONT face="MS UI Gothic" size=2>It's nice to join your mailing list
today.</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2></FONT> </DIV>
<DIV><FONT face="MS UI Gothic" size=2>I would like to ask you a question about
ipsec.</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>Now I am testing to communicate in ipsec
between openswan and netscreen.</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>I confirmed SA was generated but ping
doesn't succeed to each other.</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>It would be great if you could give me any
help.</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2></FONT> </DIV>
<DIV><FONT face="MS UI Gothic" size=2>The ipsec's conditions are
below:</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>aggressive mode</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>quick mode</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>tunnel mode</FONT></DIV>
<DIV><FONT face="MS UI Gothic" size=2>preshare key</FONT></DIV><FONT
face="MS UI Gothic" size=2>
<DIV> </DIV>
<DIV><BR>Network diagram is below:<BR>192.168.11.23 (Linux, Fedora core 7,
Openswan)<BR>|<BR>192.168.11.56 (Untrust side)<BR>Netscreen 5xp<BR>192.168.1.1
(Trust side)<BR>|<BR>192.168.1.2(PC)</DIV>
<DIV> </DIV>
<DIV>I want to ipsec between netscreen and linux as above.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>According to Openswan's /var/log/secure,<BR>Feb 7 18:38:02 localhost
pluto[20703]: "netscreen" #65: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x211d6595 <0x5ef31249 xfrm=3DES_0-HMAC_SHA1 NATD=none
DPD=none}<BR>According to Netscreen's log,<BR>2009-02-07 19:18:49 system
info 00536 IKE<192.168.11.23> Phase 2 msg ID <d0add37f>:
Completed negotiations with SPI <211d6595>, tunnel ID <6>, and
lifetime <3600> seconds/<0> KB.<BR>ns5xp-> get sa active<BR>Total
active sa: 1<BR>total configured sa: 1<BR>HEX ID
Gateway Port
Algorithm SPI Life:sec kb
Sta PID vsys<BR>00000006< 192.168.11.23 500
esp:3des/sha1 211d6595 2760 unlim A/- 6
0<BR>00000006> 192.168.11.23 500 esp:3des/sha1
5ef31249 2760 unlim A/- 5 0<BR></DIV>
<DIV>So, it seems that SA was generated successfully.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>But I tried ping from linux to netscreen's Trust interface but didn't get
reply as below:<BR>[root@localhost network-scripts]# ping 192.168.1.1<BR>PING
192.168.1.1 (192.168.1.1) 56(84) bytes of data.</DIV>
<DIV> </DIV>
<DIV>--- 192.168.1.1 ping statistics ---<BR>43 packets transmitted, 0 received,
100% packet loss, time 42001ms</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Capturing packets at the same time as above, it seems that only linux is
putting out packets.<BR></DIV>
<DIV>18:41:43.162671 IP precision > 192.168.1.1: ICMP echo request, id 28515,
seq 1, length 64<BR>18:41:43.164141 IP precision > 192.168.11.56:
ESP(spi=0x211d6595,seq=0x25), length 100<BR>18:41:44.164000 IP precision >
192.168.1.1: ICMP echo request, id 28515, seq 2, length 64<BR>18:41:45.164000 IP
precision > 192.168.1.1: ICMP echo request, id 28515, seq 3, length
64<BR>18:41:46.163999 IP precision > 192.168.1.1: ICMP echo request, id
28515, seq 4, length 64<BR>18:41:47.163998 IP precision > 192.168.1.1: ICMP
echo request, id 28515, seq 5, length 64<BR>18:41:48.161933 arp who-has
192.168.11.56 tell precision<BR>18:41:48.163994 IP precision > 192.168.1.1:
ICMP echo request, id 28515, seq 6, length 64<BR>18:41:48.164179 IP precision
> 192.168.11.56: ESP(spi=0x211d6595,seq=0x26), length 100<BR>18:41:48.164226
arp reply 192.168.11.56 is-at 00:10:db:48:6d:51 (oui Unknown)<BR>18:41:49.163998
IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 7, length
64<BR>18:41:50.163996 IP precision > 192.168.1.1: ICMP echo request, id
28515, seq 8, length 64</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>When linux pings to netscreen's untrust side, the ping reaches and packets
seem to be exchanged.<BR>I'm concerned that ICMP and ESP are mixed in the
capture as below:</DIV>
<DIV>[root@localhost network-scripts]# ping 192.168.11.56<BR>64 bytes from
192.168.11.56: icmp_seq=1 ttl=64 time=3.86 ms<BR>64 bytes from 192.168.11.56:
icmp_seq=2 ttl=64 time=3.60 ms<BR>64 bytes from 192.168.11.56: icmp_seq=3 ttl=64
time=3.59 ms<BR>[root@precision ~]# tcpdump<BR>18:39:42.500189 IP precision >
192.168.11.56: ESP(spi=0x211d6595,seq=0x1), length 116<BR>18:39:42.501688 IP
precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x2), length
108<BR>18:39:42.503900 IP 192.168.11.56 > precision:
ESP(spi=0x5ef31249,seq=0x1), length 116<BR>18:39:42.503900 IP 192.168.11.56 >
precision: ICMP echo reply, id 25443, seq 1, length 64<BR>18:39:43.500072 IP
precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x3), length
116<BR>18:39:43.503551 IP 192.168.11.56 > precision:
ESP(spi=0x5ef31249,seq=0x2), length 116<BR>18:39:43.503551 IP 192.168.11.56 >
precision: ICMP echo reply, id 25443, seq 2, length 64<BR>18:39:44.500071 IP
precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x4), length
116<BR>18:39:44.503538 IP 192.168.11.56 > precision:
ESP(spi=0x5ef31249,seq=0x3), length 116<BR>18:39:44.503538 IP 192.168.11.56 >
precision: ICMP echo reply, id 25443, seq 3, length 64<BR>18:39:45.500083 IP
precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x5), length
116<BR>18:39:45.503565 IP 192.168.11.56 > precision:
ESP(spi=0x5ef31249,seq=0x4), length 116<BR>18:39:45.503565 IP 192.168.11.56 >
precision: ICMP echo reply, id 25443, seq 4, length 64</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>I added the routing on linux to 192.168.1.0 because I thought there is no
router or interface such as interface, but the situation is the
same. <BR>[root@localhost network-scripts]# route<BR>Kernel IP routing
table<BR>Destination
Gateway
Genmask Flags Metric
Ref Use Iface<BR>192.168.1.0
192.168.11.56 255.255.255.0 UG
0 0 0
eth0<BR>192.168.11.0
*
255.255.255.0 U
0 0 0
eth0<BR>default
192.168.11.1
0.0.0.0 UG
0 0 0
eth0<BR>[root@precision network-scripts]# uname -a<BR>Linux precision
2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686 i386
GNU/Linux<BR>[root@precision network-scripts]# ifconfig
-a<BR>eth0 Link encap:Ethernet HWaddr
00:B0:D0:7B:C3:3E
<BR> inet
addr:192.168.11.23 Bcast:192.168.11.255
Mask:255.255.255.0<BR>
inet6 addr: fe80::2b0:d0ff:fe7b:c33e/64
Scope:Link<BR> UP
BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<BR> RX
packets:3677897 errors:0 dropped:0 overruns:1
frame:0<BR> TX
packets:1807082 errors:0 dropped:0 overruns:0
carrier:1<BR> collisions:0
txqueuelen:1000 <BR> RX
bytes:604802735 (576.7 MiB) TX bytes:130499028 (124.4
MiB)<BR> Interrupt:18 Base
address:0x8c00 </DIV>
<DIV> </DIV>
<DIV>lo Link encap:Local
Loopback <BR> inet
addr:127.0.0.1
Mask:255.0.0.0<BR> inet6
addr: ::1/128
Scope:Host<BR> UP LOOPBACK
RUNNING MTU:16436
Metric:1<BR> RX
packets:18802 errors:0 dropped:0 overruns:0
frame:0<BR> TX
packets:18802 errors:0 dropped:0 overruns:0
carrier:0<BR> collisions:0
txqueuelen:0 <BR> RX
bytes:55093760 (52.5 MiB) TX bytes:55093760 (52.5 MiB)</DIV>
<DIV> </DIV>
<DIV>sit0 Link encap:IPv6-in-IPv4
<BR> NOARP
MTU:1480
Metric:1<BR> RX packets:0
errors:0 dropped:0 overruns:0
frame:0<BR> TX packets:0
errors:0 dropped:0 overruns:0
carrier:0<BR> collisions:0
txqueuelen:0 <BR> RX
bytes:0 (0.0 b) TX bytes:0 (0.0 b)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>In my memory, Racoon makes a new interface such as ipsec0.
But doesn't Openswan make an interface like that usually?</DIV>
<DIV> </DIV>
<DIV>Thank you very much!</DIV></FONT>
<DIV><FONT face="MS UI Gothic" size=2>Hiro Shimizu</FONT></DIV></BODY></HTML>
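The captures quoted in the post show the ICMP echo requests for 192.168.1.1 leaving the Linux host unencapsulated, while only the pings to 192.168.11.56 appear as ESP. The following Python is added here as an example and is not code from the original post or from Openswan: it parses tcpdump lines in that default output format and flags any packet addressed to a subnet the IPsec policy is meant to protect that left the host in cleartext. The sample lines are constructed after the post's capture, and the subnet list and function names are assumptions.

```python
import ipaddress
import re

# Constructed sample in tcpdump's default output format, modelled on the
# capture lines quoted in the post (not the original data).
SAMPLE_CAPTURE = """\
18:41:43.162671 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 1, length 64
18:41:43.164141 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x25), length 100
18:41:44.164000 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 2, length 64
18:41:48.161933 arp who-has 192.168.11.56 tell precision
18:39:42.503900 IP 192.168.11.56 > precision: ESP(spi=0x5ef31249,seq=0x1), length 116
18:39:42.503900 IP 192.168.11.56 > precision: ICMP echo reply, id 25443, seq 1, length 64
"""

# "<time> IP <src> > <dst>: <payload>"; ARP and other non-IP lines do not match.
LINE_RE = re.compile(r"^(\S+) IP (\S+) > ([^:]+): (.*)$")


def parse_capture(text):
    """Yield (timestamp, src, dst, payload) for every IP line in the capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def cleartext_leaks(text, protected_subnets):
    """Return the IP lines whose destination lies in a subnet the IPsec policy
    is supposed to protect but which left the host without ESP/AH encapsulation.
    An empty list means every packet for those subnets was encapsulated."""
    nets = [ipaddress.ip_network(n) for n in protected_subnets]
    leaks = []
    for ts, src, dst, payload in parse_capture(text):
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unresolved hostname (e.g. "precision"): cannot classify
        if payload.startswith(("ESP(", "AH(")):
            continue  # already inside the tunnel
        if any(addr in net for net in nets):
            leaks.append((ts, src, dst, payload))
    return leaks


if __name__ == "__main__":
    for leak in cleartext_leaks(SAMPLE_CAPTURE, ["192.168.1.0/24"]):
        print("CLEARTEXT to protected subnet:", *leak)
```

Destinations tcpdump prints as unresolved hostnames (such as "precision") cannot be classified and are skipped, so capture with `tcpdump -n` to get numeric addresses on every line.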