<div dir="ltr">Hello Eliezer.<div><br></div><div>The <a href="http://10.1.1.0/24">10.1.1.0/24</a> and <a href="http://10.1.2.0/24">10.1.2.0/24</a> are just "imaginary" networks. The only thing that exists is the interface on machine A and on machine B that would connect to those networks if they existed. In the end, since my environment is a virtual one, I just need to create another virtual machine and plug it into either end.</div>
<div><br></div><div>For testing, Wireshark is listening on machine B's interface (10.1.2.254), which connects to the "imaginary" internal network.</div><div>On the first try, using IPsec with preshared secrets, with the help of this list I got it to work and saw that the data was being encrypted.</div>
<div>Now I'm trying to accomplish the same thing but using X.509 certificates, and this is where I'm getting into trouble.</div><div><br></div><div>After ipsec auto --up cert nothing happens. I probably have some misconfiguration in ipsec.conf, or even in the CA or the certs generated, but I can't seem to find where the problem lies.</div>
<div><br></div><div>Thanks for your reply,</div><div><br></div><div>Kent Davies</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Nov 17, 2013 at 2:05 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey,<br>
<br>
I was reading the thread and didn't get it yet.<br>
I wanted to understand:<br>
On the machine that is the "END", either A or B, are you trying to use wireshark\tcpdump?<br>
<br>
In this case it is reasonable that the whole IP stack level should be transparent to the OS, since for example it should recognize at some level that there is an IP level to respond to.<br>
If it's 100% encrypted and the OS is not able to read its own encryption, it would be weird.<br>
<br>
To make sure this is indeed an encrypted session you need to "tap" the cable between the machines and run wireshark\tcpdump there.<br>
For this case you can use for example Tinycore (CorePlus) Linux, which has two interfaces and acts as a bridge.<br>
This way you can see what the traffic looks like on the wire, at the level of encryption.<br>
<br>
Eliezer<div class="im"><br>
<br>
On 16/11/13 13:26, Ana wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi everybody.<br>
<br>
<br>
I’m starting to learn *IPsec* and I'm having some problems.<div class="im"><br>
<br>
<br>
I'm running two virtual machines with CentOS that simulate the network<br>
depicted in the picture below.<br>
<br></div><div class="im">
Inline image 1<br>
<br>
<br>
I want to create an IPsec tunnel between machine A and machine B. The<br>
keys should be negotiated using IKE and the tunnel should enable total<br>
connectivity between the two machines.<br>
<br>
<br>
<br></div>
My *ipsec.conf* file on both machines is this:<div class="im"><br>
<br>
config setup<br>
protostack=netkey<br>
dumpdir=/var/run/pluto/<br>
nat_traversal=yes<br>
virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24<br></div>
<br>
conn gw-to-gw<br>
authby=secret<br>
left=192.168.1.1<br>
leftsubnet=10.1.1.0/24<br>
leftnexthop=192.168.1.2<br>
right=192.168.1.2<br>
rightsubnet=10.1.2.0/24<br>
rightnexthop=192.168.1.1<br>
auto=start<br>
type=tunnel<br>
<br>
<br>
And *ipsec.secrets* on both machines is this:<br>
<br>
<br>
192.168.1.1 192.168.1.2 : PSK "test"<br>
<br>
I then do *service ipsec start* on machine A followed by the same command<br>
on machine B. Then, again on machine A, I do *ipsec auto --up gw-to-gw*<div><div class="h5"><br>
followed by the exact same command on machine B.<br>
<br>
Machine A output:<br>
<br>
[root@mainmachine etc]# service ipsec start<br>
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...<br>
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled<br>
[root@mainmachine etc]# ipsec auto --up gw-to-gw<br>
117 "gw-to-gw" #5: STATE_QUICK_I1: initiate<br>
004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
[root@mainmachine etc]#<br>
<br>
<br>
Machine B output:<br>
<br>
[root@mainmachine etc]# service ipsec start<br>
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...<br>
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled<br>
[root@mainmachine etc]# ipsec auto --up gw-to-gw<br>
117 "gw-to-gw" #6: STATE_QUICK_I1: initiate<br>
004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
[root@mainmachine etc]#<br>
<br>
I’m now using Wireshark to see how the traffic goes through the network<br>
from machine A to machine B.<br>
<br>
<br></div></div>
Listening on interface *eth5* of machine B and pinging *10.1.2.254* or<br>
*10.1.2.2* from machine A, Wireshark does not capture any packet. If I<br>
do the exact same procedure but not listening on interface *eth6*<div class="im"><br>
Wireshark captures the following image.<br>
<br></div><div class="im">
Inline image 2<br>
<br>
I believe that the packet should somehow be encrypted but Wireshark is<br>
telling me that it is not, so probably I have some kind of error on my<br></div>
*ipsec.conf* configuration.<div class="im"><br>
<br>
Can someone point me in some direction?<br>
<br>
Thanks,<br>
<br>
Kent Davies<br>
<br>
<br></div><div class="im">
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br>
</div></blockquote><div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
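<div>An added check for the point Eliezer makes in the thread (example code of my own, not from the thread or from Openswan): on a capture taken between the two gateways, the ping should show up only as ESP carrying the SPI that "ipsec auto --up gw-to-gw" reported, whereas on machine B's inner interface it is legitimately cleartext. The inner-interface address of machine A, the payloads and the sample packets are constructed; the SPIs and gateway addresses are the ones from the thread.</div>

```python
import struct
from ipaddress import IPv4Address

# SPIs that "ipsec auto --up gw-to-gw" printed on machine A in the thread:
# "ESP=>0xc17e5cb7 <0xefd31319" (outbound SPI, inbound SPI).
EXPECTED_SPIS = {0xC17E5CB7, 0xEFD31319}
GATEWAYS = {"192.168.1.1", "192.168.1.2"}

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal IPv4 header, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def classify(pkt):
    """Describe what one captured IPv4 packet reveals (ESP exposes only SPI and sequence)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    info = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    if proto == 50 and len(body) >= 8:          # ESP: header is cleartext, payload is not
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        info["kind"] = "esp" if info["spi"] in EXPECTED_SPIS else "esp-unknown-sa"
    elif proto == 17 and len(body) >= 4:        # UDP 500/4500: IKE and NAT-T, expected in clear
        sport, dport = struct.unpack("!HH", body[:4])
        info["kind"] = "ike" if {sport, dport} & {500, 4500} else "udp-cleartext"
    elif proto == 1:                            # ICMP: the ping, visible only before encryption
        info["kind"] = "icmp-cleartext"
    else:
        info["kind"] = "proto%d-cleartext" % proto
    return info

def tunnel_bypass(packets):
    """Packets between the two gateways that are neither ESP nor IKE: traffic that skipped the tunnel."""
    leaks = []
    for p in packets:
        c = classify(p)
        if {c.get("src"), c.get("dst")} <= GATEWAYS and not c["kind"].startswith(("esp", "ike")):
            leaks.append(c)
    return leaks

# Constructed samples (machine A's inner address assumed): the ping as machine B's inner
# interface sees it, an ESP packet as the 192.168.1.x wire should show it, and a ping that
# bypassed the tunnel.
INNER_PING = build_ipv4("10.1.1.254", "10.1.2.254", 1, bytes([8, 0, 0, 0]) + b"\x00" * 4)
WIRE_ESP = build_ipv4("192.168.1.1", "192.168.1.2", 50,
                      struct.pack("!II", 0xC17E5CB7, 1) + b"\x5a" * 32)
WIRE_LEAK = build_ipv4("192.168.1.1", "192.168.1.2", 1, bytes([8, 0, 0, 0]) + b"\x00" * 4)
```

Running classify over a real capture between the gateways works the same way once the Ethernet header is stripped; anything tunnel_bypass returns is traffic that left the gateway unprotected.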