<div dir="ltr"><p class="MsoNormal"><span lang="EN-US">Hi
everybody.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m
starting to learn <b>IPsec</b> and I'm having some problems.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m running
two virtual machines with CentOS that simulates the network depicted in the
bellow picture.</span></p><p class="MsoNormal"><span lang="EN-US"><img src="cid:ii_14260a4a0eff4c49" alt="Inline image 1"><br></span></p><p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;height:329px"></span></span></p>
<p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;height:329px"></span></span></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span lang="EN-US">I want to
create an IPsec tunnel between machine A and machine B. The keys should be negotiated
using IKE and the tunnel should enable total connectivity between the two
machines. </span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">My
<b>ipsec.conf</b> file on both machines is this:</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">config setup</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> protostack=netkey</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> dumpdir=/var/run/pluto/</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> nat_traversal=yes</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> virtual_private=%v4:<a href="http://10.1.1.0/24,%v4:10.1.2.0/24">10.1.1.0/24,%v4:10.1.2.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">conn gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> authby=secret</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftsubnet=<a href="http://10.1.1.0/24">10.1.1.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> leftnexthop=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> rightnexthop=192.168.1.1</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> auto=start</span></p><p class="MsoNormal">
</p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black"> type=tunnel</span></p></blockquote><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US">And
<b>ipsec.secrets</b> on both machines is this:</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace">192.168.1.1
192.168.1.2 : PSK "test"</font></span></p></blockquote><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I then do<b>
service ipsec start</b> on machine A followed by the same command on machine B.
Then, again on machine A, I do <b>ipsec auto –up gw-to-gw</b> followed by the exact
same command on machine B. </span></p><p class="MsoNormal"><span lang="EN-US">Machine A output:</span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]# service ipsec start</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">ipsec_setup:
Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">ipsec_setup:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]# ipsec auto --up gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">117
"gw-to-gw" #5: STATE_QUICK_I1: initiate</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">004
"gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]#</span></p></blockquote><p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p><p class="MsoNormal"><span lang="EN-US">Machine B
output:</span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]# service ipsec start</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">ipsec_setup:
Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">ipsec_setup:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]# ipsec auto --up gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">117
"gw-to-gw" #6: STATE_QUICK_I1: initiate</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">004
"gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span lang="EN-US" style="font-size:8pt;font-family:'Courier New';color:black">[root@mainmachine
etc]#</span></p></blockquote><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I’m now
using Wireshark to see how the traffic goes through the network from machine A
to machine B. </span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Listening
on interface <b>eth5 </b>of machine B and pinging<b> 10.1.2.254</b> or <b>10.1.2.2</b> from machine
A, Wireshark does not capture any packet. If I do the exact same procedure but
not listening on interface <b>eth6</b> Wireshark captures the following image.</span></p><p class="MsoNormal"><span lang="EN-US"><img src="cid:ii_14260a8878502b5c" alt="Inline image 2"><br></span></p><p class="MsoNormal">
<span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I believe
that the packet should somehow be encrypted but Wireshark is telling me that it
is not, so probably I have some kind of error on my <b>ipsec.conf</b> configuration.</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Can someone
point me in some direction?</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Thanks, </span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal">
<span lang="EN-US">
</span></p><p class="MsoNormal"><span lang="EN-US">Kent Davies</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p></div>