<div dir="ltr"><div><div>Hi,<br><br>I am trying to setup an IPsec between RHEL (Red Hat Release 6.4) and Solaris host (Sun OS 5.9) using manual keying in transport mode.<br>I have added rules on both RHEL and Solaris Host and trying to ping.<br>
<br>(1) Ping from RHEL host is successful. Solaris Host receives ping request, responds to ping. RHEL host receives ping response<br>(2) Ping from Solaris host is NOT successful. RHEL Host receives ping request, but does not respond to ping. <br>
<br>I am not able to figure out why Ping response is not sent from RHEL host. Probably the packet is getting dropped at RHEL. <br>Not sure why the packet is getting dropped. No logs (using netkey) are available to ascertain packet dropping.<br>
<br>--------------------------------------------------------------------------<br>RHEL Host IP: 172.33.18.242 (This is floating IP used in active/standby mode)<br><br>(ifconfig -a output)<br>eth4:0 Link encap:Ethernet HWaddr 00:11:3F:CB:89:17<br>
inet addr:172.33.18.242 Bcast:172.33.18.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:16<br><br>>ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>Linux Openswan U2.6.38dr2/K2.6.32-358.6.2.el6.x86_64 (netkey)<br>Checking for IPsec support in kernel [OK]<br> SAref kernel support [N/A]<br>
NETKEY: Testing XFRM related proc values [OK]<br> [OK]<br> [OK]<br>Checking that pluto is running [OK]<br> Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>Two or more interfaces found, checking IP forwarding Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>
Checking /bin/sh is not /bin/dash [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br>
ap1106:root ><br><br><br>ip xfrm commands used.<br><br>ip xfrm state add src 172.33.18.242 dst 172.23.192.2 proto esp spi 0x00000301 mode transport auth md5 0x5b2b1cef5466ace720f16bd50c436b72 enc des3_ede 0x62822da7d689ce4399423655a865ce4ada33955f137079bf<br>
ip xfrm state add src 172.23.192.2 dst 172.33.18.242 proto esp spi 0x00000301 mode transport auth md5 0x5b2b1cef5466ace720f16bd50c436b72 enc des3_ede 0x62822da7d689ce4399423655a865ce4ada33955f137079bf<br><br>ip xfrm policy add src 172.23.192.2 dst 172.33.18.242 dir in ptype main tmpl src 172.23.192.2 dst 172.33.18.242 proto esp mode transport<br>
ip xfrm policy add src 172.33.18.242 dst 172.23.192.2 dir out ptype main tmpl src 172.33.18.242 dst 172.23.192.2 proto esp mode transport<br><br><br>ip xfrm state ls<br><br>src 172.23.192.2 dst 172.33.18.242<br> proto esp spi 0x00000301 reqid 0 mode transport<br>
replay-window 0<br> auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72<br> enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf<br> sel src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
src 172.33.18.242 dst 172.23.192.2<br> proto esp spi 0x00000301 reqid 0 mode transport<br> replay-window 0<br> auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72<br> enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf<br>
sel src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>ip xfrm policy ls<br>src <a href="http://172.23.192.2/32">172.23.192.2/32</a> dst <a href="http://172.33.18.242/32">172.33.18.242/32</a><br>
dir in priority 0 ptype main<br> tmpl src 172.23.192.2 dst 172.33.18.242<br> proto esp reqid 0 mode transport<br>src <a href="http://172.33.18.242/32">172.33.18.242/32</a> dst <a href="http://172.23.192.2/32">172.23.192.2/32</a><br>
dir out priority 0 ptype main<br> tmpl src 172.33.18.242 dst 172.23.192.2<br> proto esp reqid 0 mode transport<br>...<br>---------------------------------------------------------------------------------<br>
Solaris Host IP: 172.23.192.2<br>(ifconfig -a outout)<br><br>qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3<br> inet 172.23.192.2 netmask ffffff00 broadcast 172.23.192.255<br> ether 0:3:ba:68:75:4<br>
<br><br>psaplg02# cat /etc/inet/secret/ipseckeys<br>add ah spi 0x00359 src 172.33.18.242 dst 172.23.192.2 authalg md5 authkey 5b2b1cef5466ace720f16bd50c436b72<br>add ah spi 0x00359 src 172.23.192.2 dst 172.33.18.242 authalg md5 authkey 5b2b1cef5466ace720f16bd50c436b72<br>
add esp spi 0x14442 src 172.33.18.242 dst 172.23.192.2 encralg 3des-cbc encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf<br>add esp spi 0x14442 src 172.23.192.2 dst 172.33.18.242 encralg 3des-cbc encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf<br>
<br>psaplg02# cat /etc/inet/ipsecinit.conf<br>{laddr 172.23.192.2 raddr 172.33.18.242} ipsec {encr_algs 3des-cbc encr_auth_algs hmac-md5}<br><br>{laddr 172.33.18.242 raddr 172.23.192.2} ipsec {encr_algs 3des-cbc encr_auth_algs hmac-md5}<br>
<br>psaplg02# ipseckey dump<br>Base message (version 2) type DUMP, SA type AH.<br>Message length 136 bytes, seq=1, pid=11384.<br>SA: SADB_ASSOC spi=0x359, replay=0, state=MATURE<br>SA: Authentication algorithm = HMAC-MD5<br>
SA: flags=0x0 < ><br>SRC: Source address (proto=0/<unspecified>)<br>SRC: AF_INET: port 0, 172.23.192.2 (psaplg-02).<br>DST: Destination address (proto=0/<unspecified>)<br>DST: AF_INET: port 0, 172.33.18.242 <unknown>.<br>
AKY: Authentication key.<br>AKY: 5b2b1cef5466ace720f16bd50c436b72/128<br> LT: Lifetime information<br>CLT: 0 bytes protected, 0 allocations used.<br>CLT: SA added at time Mon Feb 10 18:25:02 2014<br>CLT: Time now is Mon Feb 10 18:40:05 2014<br>
<br>Base message (version 2) type DUMP, SA type AH.<br>Message length 136 bytes, seq=1, pid=11384.<br>SA: SADB_ASSOC spi=0x359, replay=0, state=MATURE<br>SA: Authentication algorithm = HMAC-MD5<br>SA: flags=0x0 < ><br>
SRC: Source address (proto=0/<unspecified>)<br>SRC: AF_INET: port 0, 172.33.18.242 <unknown>.<br>DST: Destination address (proto=0/<unspecified>)<br>DST: AF_INET: port 0, 172.23.192.2 (psaplg-02).<br>AKY: Authentication key.<br>
AKY: 5b2b1cef5466ace720f16bd50c436b72/128<br> LT: Lifetime information<br>CLT: 0 bytes protected, 0 allocations used.<br>CLT: SA added at time Mon Feb 10 18:25:02 2014<br>CLT: Time now is Mon Feb 10 18:40:05 2014<br><br>Base message (version 2) type DUMP, SA type ESP.<br>
Message length 144 bytes, seq=1, pid=11384.<br>SA: SADB_ASSOC spi=0x14442, replay=0, state=MATURE<br>SA: Encryption algorithm = 3DES-CBC<br>SA: flags=0x0 < ><br>SRC: Source address (proto=0/<unspecified>)<br>SRC: AF_INET: port 0, 172.23.192.2 (psaplg-02).<br>
DST: Destination address (proto=0/<unspecified>)<br>DST: AF_INET: port 0, 172.33.18.242 <unknown>.<br>EKY: Encryption key.<br>EKY: 62832ca7d689ce4398433754a864ce4ada32945e137079bf/192<br> LT: Lifetime information<br>
CLT: 0 bytes protected, 0 allocations used.<br>CLT: SA added at time Mon Feb 10 18:25:02 2014<br>CLT: Time now is Mon Feb 10 18:40:05 2014<br><br>Base message (version 2) type DUMP, SA type ESP.<br>Message length 144 bytes, seq=1, pid=11384.<br>
SA: SADB_ASSOC spi=0x14442, replay=0, state=MATURE<br>SA: Encryption algorithm = 3DES-CBC<br>SA: flags=0x0 < ><br>SRC: Source address (proto=0/<unspecified>)<br>SRC: AF_INET: port 0, 172.33.18.242 <unknown>.<br>
DST: Destination address (proto=0/<unspecified>)<br>DST: AF_INET: port 0, 172.23.192.2 (psaplg-02).<br>EKY: Encryption key.<br>EKY: 62832ca7d689ce4398433754a864ce4ada32945e137079bf/192<br> LT: Lifetime information<br>
CLT: 0 bytes protected, 0 allocations used.<br>CLT: SA added at time Mon Feb 10 18:25:02 2014<br>CLT: Time now is Mon Feb 10 18:40:05 2014<br><br>Dump succeeded for SA type 0.<br>psaplg02#<br><br>psaplg02# ipsecconf<br>#INDEX 139<br>
{laddr 172.23.192.2 raddr 172.33.18.242} ipsec {encr_algs 3des-cbc encr_auth_algs hmac-md5}<br><br>#INDEX 141<br>{laddr 172.33.18.242 raddr 172.23.192.2} ipsec {encr_algs 3des-cbc encr_auth_algs hmac-md5}<br><br>-------------------------------------------------------<br>
Ping from RHEL host<br><br> ping 172.23.192.2<br>PING 172.23.192.2 (172.23.192.2) 56(84) bytes of data.<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=1 ttl=252 time=1.72 ms<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=2 ttl=252 time=1.16 ms<br>
64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=3 ttl=252 time=1.00 ms<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=4 ttl=252 time=0.983 ms<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=5 ttl=252 time=1.08 ms<br>
64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=6 ttl=252 time=1.29 ms<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=7 ttl=252 time=1.34 ms<br>64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=8 ttl=252 time=1.08 ms<br>
64 bytes from <a href="http://172.23.192.2">172.23.192.2</a>: icmp_seq=9 ttl=252 time=1.45 ms<br>^C<br>--- 172.23.192.2 ping statistics ---<br>9 packets transmitted, 9 received, 0% packet loss, time 8592ms<br>rtt min/avg/max/mdev = 0.983/1.237/1.726/0.231 ms<br>
<br><br>Ping from Solaris host<br><br> ping -s 172.33.18.242<br>PING <a href="http://172.33.18.242">172.33.18.242</a>: 56 data bytes<br>^C<br>----172.33.18.242 PING Statistics----<br>4 packets transmitted, 0 packets received, 100% packet loss<br>
<br>Could someone please help me why RHEL host is not responding for Ping.<br>Also, is it possible to check the IPsec (netkey) stack trace.<br><br><br></div>Thanks a lot in anticpation.<br><br></div>AR.<br></div>