<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>with netkey don't see encryption for packets one way. but of you run tcp dump on both sides you should see packets. people with klips can see packets easier.</div><div><br></div><div>you ipsec without Ike will be less secure as you likely will not roll session key every hour for perfect forward secrecy. what you are doing with manual keying is unwise. <br><br>sent from a tiny device </div><div><br>On 2013-07-15, at 22:26, JALINDAR <<a href="mailto:jalindergat@gmail.com">jalindergat@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><div><div><div><div><div>I can not afford for IKE daemon, I do not even afford for setkey in terms of memory and computation.<br><br></div>I just want to have simplest IPSec.<br><br></div>I have tabbed packets using wireshark, at Host A, and also at gateway it connected to, as i get to know from somewhere<br>
</div>that tcpdum get packets which may not be encrypted as IPSec is implemented inside the kernel.<br></div>But still i have seen people showing tcpdump log for verifying IPSec work.<br><br></div>What that i have observed is communication is as usual without any kind of IPSec when i tab packets at host A and its gateway.<br>
<br></div>Am i missing some more setting or what else ??<br><div><div><br><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 15, 2013 at 9:30 PM, Leto <span dir="ltr"><<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>why use manual keying? you should use the IKE daemon and let it handle SPD an SAD.</div><div><br>
</div>
<div>netkey is bad at showing encrypted packets with tcp dump. are you sure it is not encrypting?<br><br>sent from a tiny device </div><div><div><div><br>On 2013-07-15, at 0:07, JALINDAR <<a href="mailto:jalindergat@gmail.com" target="_blank">jalindergat@gmail.com</a>> wrote:<br>
<br></div><blockquote type="cite"><div><div dir="ltr"><div><div><div>Hi All,<br><br></div>I am trying to set up simplest IPSec on my linux box, which has kernel 2.6.21.<br></div>I have configured kernel for IPSec.<br><br>
</div>I use iproute2 for setting SA and SP for the IPSec using:<br>
<br><br><p><b>#HOST A:192.168.77.24</b><br>
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi
0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)”
0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)”
0x6aed4975adf006d65c76f63923a6265b sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></p>
<p>ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi
0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)”
0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)”
0x6aed4975adf006d65c76f63923a6265b sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> </p>
<p>ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype
main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24
proto esp reqid 16385 mode transport</p>
<p>ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype
main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23
proto esp reqid 16385 mode transport</p><p><br></p><p><b>#HOST B:192.168.77.23</b><br>
ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi
0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)”
0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)”
0x6aed4975adf006d65c76f63923a6265b sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></p>
<p>ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi
0x53fa0fdd mode transport reqid 16386 replay-window 32 auth “hmac(sha1)”
0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc “cbc(aes)”
0x6aed4975adf006d65c76f63923a6265b sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> </p>
<p>ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype
main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23
proto esp reqid 16385 mode transport</p>
<p>ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype
main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24
proto esp reqid 16385 mode transport</p><p><br></p><p>here HOST A is my linux box.</p><p>I can check set values of SA and SP using</p><p><br></p><p><b>#ip x s</b></p><p><b>#ip xfrm policy show</b></p><p>and it shows correct values which i have set.<br>
</p><p>With this setting i expect IPSec should work and i should see ESP protocol packet on wireshark at host A when i ping host B.</p><p><br></p><p>But it shows simple icmp packet, instead of ESP. Ping work as usual without ESP.</p>
<p><br></p><p><b>I have checked same setting on my laptop with ubantu 12.04LTS with kernel 3.2 but shows the same result. On laptop i have checked configuration of kernel using #ipsec verify and it say all OK.<br></b></p>
<p></p><p><br></p><p>i do not know what else setting is missing. Any clue will be helpful.</p><p><br></p><p>Thanks in Advance.<br></p><div><div><div><div><br><br><br><br><br><br><br></div></div></div></div></div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br>
<span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br>
<span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br>
</div></blockquote></div></blockquote></div><br><br clear="all"><br><br></div></div></div></div>
</div></blockquote></body></html>