[Openswan Users] Interoperability between openswan and HPUX-IPSEC.
Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
murali-mohan.chakravarthy at hp.com
Tue Aug 23 09:49:26 EDT 2011
Hi,
I'm a newbie to Openswan, and I'm trying to see if Openswan and HPUX can interoperate with each other.
Though I'm successful to some extent, not completely.
Here is the issue I'm facing.
I'm able to form an IKEV1 SA successfully but not able to form an IPSEC SA. The IPSEC SA is formed in larval state but doesn't get established.
The intention is to secure telnet between the two machines.
Can someone help? If you need more information I would be happy to provide it.
Here is the info.
[root at rtrbl2 ~]# setkey -D
192.168.0.197 10.1.0.171
	esp mode=transport spi=2787419998(0xa624a75e) reqid=16389(0x00004005)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
	created: Aug 23 18:47:47 2011	current: Aug 23 18:48:16 2011
	diff: 29(s)	hard: 30(s)	soft: 0(s)
	last:		hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=5961 refcnt=0
Here is my /etc/ipsec.conf file
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0	# conforms to second version of ipsec.conf specification
# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using %v4:25/8 as "private" address space on their 3G network.
	# This range has not been announced via BGP (at least up to 2010-12-21)
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25/8
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	# protostack=auto
	protostack=netkey
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#	# Left security gateway, subnet behind it, nexthop toward right.
#	left=10.0.0.1
#	leftsubnet=172.16.0.0/24
#	leftnexthop=10.22.33.44
#	# Right security gateway, subnet behind it, nexthop toward left.
#	right=10.12.12.1
#	rightsubnet=192.168.0.0/24
#	rightnexthop=10.101.102.103
#	# To authorize this connection, but not actually start it,
#	# at startup, uncomment this.
#	#auto=add
conn hpux
	type=transport
	authby=secret
	keyexchange=ike
	left=10.1.0.171
	leftprotoport=tcp/telnet
	leftnexthop=%defaultroute
	right=192.168.0.197
	rightprotoport=tcp/telnet
	rightnexthop=%defaultroute
	# ikev2=insist
	pfs=yes
	# ike=aes128-sha1;dh24
	ike=3des-md5-modp1024
	phase2=esp
	phase2alg=3des-md5
Following is my configuration on HPUX
ms10# ipsec_config show all
startup
-autoboot OFF
-auditlvl ERROR
-auditdir /var/adm/ipsec
-maxsize 100
-spi_min 0x12c
-spi_max 0x2625a0
-spd_soft 25
-spd_hard 50
-icmp_error_process OFF
auth RHEL
-remote 10.1.0.171/32
-exchange MM
-priority 30
-rtype IPV4
-rid 10.1.0.171/32
-kmp ikev1
-local_method PSK
-remote_method PSK
-preshared ipsec1234
ikev1 default
-group 2
-hash MD5
-encryption 3DES
-life 28800
-pfs OFF
ikev2 default
-group 2
-hash HMAC-SHA1
-encryption 3DES
-prf HMAC-SHA1
-life 28800
-pfs OFF
host TO_RHEL
-source 192.168.0.197/32/0-65535
-destination 10.1.0.171/32/23
-protocol 6
-priority 40
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host FROM_RHEL
-source 192.168.0.197/32/23
-destination 10.1.0.171/32/0-65535
-protocol 6
-priority 50
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host default
-action PASS
Thanks,
Murali
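An added example, not part of the original post or of either vendor's tooling: a small Python check that pulls the ESP encryption, integrity and PFS settings out of the two configurations quoted above and lists the Phase 2 fields on which the peers disagree. The parsing rules and the field names are my own assumptions; the excerpts are copied from the post.

```python
import re

# Excerpts of the two configurations quoted in the post above (constructed
# from those lines; only the Phase 2-relevant settings are kept here).
OPENSWAN_CONN = """
conn hpux
pfs=yes
phase2alg=3des-md5
"""
HPUX_POLICY = """
ikev1 default
-pfs OFF
host TO_RHEL
-action ESP_3DES_HMAC_SHA1/28800/0
"""

def parse_openswan(text):
    """Extract ESP encryption, integrity and PFS from an ipsec.conf conn block."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))
    enc, integ = kv["phase2alg"].split("-")          # e.g. "3des-md5"
    return {"esp_enc": enc.upper(),
            "esp_integ": "HMAC-" + integ.upper(),    # Openswan "md5" means HMAC-MD5
            "pfs": kv.get("pfs", "yes").lower() == "yes"}  # Openswan defaults pfs=yes

def parse_hpux(text):
    """Extract the same three settings from 'ipsec_config show all' output."""
    action = re.search(r"^-action ESP_(\w+?)_(HMAC_\w+)/", text, re.M)
    pfs = re.search(r"^-pfs (ON|OFF)", text, re.M)
    return {"esp_enc": action.group(1),
            "esp_integ": action.group(2).replace("_", "-"),
            "pfs": pfs.group(1) == "ON"}

def mismatches(left, right):
    """Names of the Phase 2 fields on which the two peers disagree."""
    return sorted(k for k in left if left[k] != right[k])

if __name__ == "__main__":
    for field in mismatches(parse_openswan(OPENSWAN_CONN), parse_hpux(HPUX_POLICY)):
        print("peers differ on", field)   # prints esp_integ, then pfs
```

With the excerpts above the check reports the ESP integrity algorithm and the PFS setting; whether either is the reason the SA stays larval is for the responder's pluto log to confirm.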