[Openswan Users] Interoperability between openswan and HPUX-IPSEC.

Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) murali-mohan.chakravarthy at hp.com
Wed Sep 14 12:24:08 EDT 2011


Hi, 

Sorry for the delayed response.

pfs=no worked!! Thank you very much, Paul.


I was able to interoperate between openswan and HPUX-IPSEC without any issues with IKEV1 only.

I'm having issues with IKEV2 with MODP 1024 between openswan and HPUX-IPSEC.

I tried debugging this to some extent.

Here is my ipsec.conf file:

Openswan on RHEL
=================
> conn hpux
>         type=transport
>         authby=secret
>         keyexchange=ike
>         left=10.1.0.171
>         leftprotoport=tcp/telnet
>         leftnexthop=%defaultroute
>         right=192.168.0.197 
>         rightprotoport=tcp/telnet
>         rightnexthop=%defaultroute
>         pfs=no
>         ikev2=insist
>         ike=3des-sha1-modp1024
>         phase2=esp
>         phase2alg=3des-sha1


HPUX 11.31
===========
ms10# ipsec_config show all
             startup
           -autoboot  OFF
           -auditlvl  ERROR
           -auditdir  /var/adm/ipsec
            -maxsize  100
            -spi_min  0x12c
            -spi_max  0x2625a0
           -spd_soft  25
           -spd_hard  50
 -icmp_error_process  OFF

                auth  RHEL
            -remote   10.1.0.171/32
           -exchange  MM
           -priority  30
              -rtype  IPV4
                -rid  10.1.0.171/32
                -kmp  ikev2
       -local_method  PSK
      -remote_method  PSK
          -preshared  ipsec1234

               ikev1  default
              -group  2
               -hash  MD5
         -encryption  3DES
               -life  28800
                -pfs  OFF

               ikev2  default
              -group  2
               -hash  HMAC-SHA1
         -encryption  3DES
                -prf  HMAC-SHA1
               -life  28800
                -pfs  OFF

                host  TO_RHEL
             -source  192.168.0.197/32/0-65535
        -destination  10.1.0.171/32/23
           -protocol  6
           -priority  40
             -action  ESP_3DES_HMAC_SHA1/28800/0
              -flags  NONE

                host  FROM_RHEL
             -source  192.168.0.197/32/23
        -destination  10.1.0.171/32/0-65535
           -protocol  6
           -priority  50
             -action  ESP_3DES_HMAC_SHA1/28800/0
              -flags  NONE

                host  default
             -action  PASS



The error I'm getting in the HPUX log is "no proposal chosen". I double checked my configuration with different transforms, but no luck.

When I tried to debug it further, it looks like HPUX is comparing the incoming proposal from openswan and trying to find a matching one.

While comparing, it complains of "transforms didn't match".


I tried to print some of the content while HPUX is doing the comparison.


Here is the flow of the problem:
===================================

1. It tried comparing the proto_id between itself and the peer (openswan)

my_proto->prop->proto_id : 1
peer_proto->prop->proto_id : 1

2. Compared the transform types

my_transform type:  1
peer_transf->transform_type is : 1

3. Then it tried comparing the transform id

my transform id : 3
peer transform id : 3

4. Once it matches it moved on to the next transform type.

my_transform type : 2
peer transform type : 2

5. Again it compares the transform ids. And here is the problem!!!

my transform id : 2
peer transform id: 1

The transform ids didn't match, and it returns an error saying "transform didn't match", and the IKE SA doesn't form.


Openswan always gives the transform ids as only 1 and 3, but not 2. Not sure why.

HPUX starts the transform ids from 1, 2, 3, 4.

I checked what transform id 2 is: it is IKEV2TRANSFORM_TYPE_PRF in HPUX.

Is there any configuration issue?? Am I still missing something?




You can refer to the "ikev2_compare_transforms" routine for more details on the code implementation, as HPUX uses racoon2 for IKE.

See http://www.racoon2.wide.ad.jp/ml/racoon2-users/200709/msg298.html, or below is the code where it is failing.


/*
 * for each of my transform types,
 * see whether there's a matching peer's transform
 * return 0 if success, non-0 otherwise
 */
int
ikev2_compare_transforms(struct isakmp_domain *doi, struct prop_pair *mine,
                         struct prop_pair *peers)
{
        struct prop_pair *my_transforms;
        struct ikev2transform *my_transf;
        struct prop_pair *peer_transforms;
        struct prop_pair *p;
        struct ikev2transform *peer_transf;
        int type;
        struct prop_pair *m;
        u_int my_id;
        struct prop_pair *pp;
        u_int peer_id;

        TRACE((PLOGLOC, "ikev2_compare_transforms\n"));

        my_transforms = mine->tnext;
        peer_transforms = peers->tnext;
        /* for each type in my proposal */
        for (; my_transforms; my_transforms = my_transforms->next) {
                my_transf = (struct ikev2transform *)my_transforms->trns;
                assert(my_transf != 0);
                type = my_transf->transform_type;
                TRACE((PLOGLOC, "my_transform %p type %d\n", my_transforms,
                       type));
                /* find same type from peer proposal list */
                for (p = peer_transforms; p; p = p->next) {
                        peer_transf = (struct ikev2transform *)p->trns;
                        if (type == peer_transf->transform_type)
                                break;
                }
                if (!p) {
                        TRACE((PLOGLOC,
                               "there weren't same type of transform in peer transforms list\n"));
                        return -1;
                }
                TRACE((PLOGLOC, "peer transform %p\n", p));

                TRACE((PLOGLOC, "see whether there's matching transform\n"));
                for (m = my_transforms; m; m = m->tnext) {
                        my_id = get_uint16(&((struct ikev2transform *)m->trns)->transform_id);
                        TRACE((PLOGLOC, "my_id %d\n", my_id));

#ifdef notyet
                        /* (draft-17)
                         * If the
                         * initiator wishes to make use of the transform optional to
                         * the responder, it includes a transform substructure with
                         * transform ID = 0 as one of the options.
                         */
#endif
                        for (pp = p; pp; pp = pp->tnext) {
                                peer_id = get_uint16(&((struct ikev2transform *)pp->trns)->transform_id);
                                TRACE((PLOGLOC, "pp %p id %d\n", pp, peer_id));
                                if (my_id != peer_id)
                                        continue;
                                TRACE((PLOGLOC,
                                       "found same ID. compare attributes\n"));
                                if (ikev2_compare_attributes(doi, m->trns, pp->trns) == 0) {
                                        TRACE((PLOGLOC,
                                               "OK; advance to next of my transform type\n"));
                                        goto next_type;
                                }

                                TRACE((PLOGLOC,
                                       "attributes do not match; try next peer transform\n"));
                        }
                        TRACE((PLOGLOC,
                               "no peer transform matched; try next my transform proposal\n"));
                }
                TRACE((PLOGLOC, "none of my proposal matched\n"));
                return -1;      /* =====> returns here */

              next_type:
                ;
        }
        /* there were matching transform for all of my transform types */
        TRACE((PLOGLOC, "success\n"));
        return 0;               /* success */
}



Thanks,
Murali
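An added example, not code from the post or from racoon2: a plain-C version of the matching rule in ikev2_compare_transforms (attribute checks left out) that replays the comparison traced above. The HPUX transform list follows the ikev2 default policy shown in the post; the openswan list takes ENCR id 3 and PRF id 1 from the trace, while its INTEG and DH entries are assumed; the ID names are the IANA IKEv2 transform IDs.

```c
#include <stddef.h>

/* IKEv2 transform types and the IANA transform IDs used by the two peers. */
enum { T_ENCR = 1, T_PRF = 2, T_INTEG = 3, T_DH = 4 };
enum { ENCR_3DES = 3, PRF_HMAC_MD5 = 1, PRF_HMAC_SHA1 = 2,
       AUTH_HMAC_SHA1_96 = 2, DH_MODP_1024 = 2 };

struct transform { int type; int id; };

/* Same rule as racoon2's ikev2_compare_transforms, minus the attribute
 * check: every transform type in "mine" needs a peer transform with the
 * same type AND the same ID. Returns 0 on success, or the first type in
 * "mine" for which no peer transform matched. */
int compare_transforms(const struct transform *mine, size_t nmine,
                       const struct transform *peer, size_t npeer)
{
    size_t i, j;
    for (i = 0; i < nmine; i++) {
        int matched = 0;
        for (j = 0; j < npeer; j++) {
            if (peer[j].type == mine[i].type && peer[j].id == mine[i].id) {
                matched = 1;           /* "OK; advance to next type" */
                break;
            }
        }
        if (!matched)
            return mine[i].type;       /* "none of my proposal matched" */
    }
    return 0;
}

/* HPUX side, taken from the ikev2 default policy in the post:
 * 3DES, PRF HMAC-SHA1, HMAC-SHA1 integrity, DH group 2. */
static const struct transform hpux[] = {
    { T_ENCR, ENCR_3DES }, { T_PRF, PRF_HMAC_SHA1 },
    { T_INTEG, AUTH_HMAC_SHA1_96 }, { T_DH, DH_MODP_1024 } };

/* Openswan side: ENCR id 3 and PRF id 1 (HMAC-MD5) come from the trace in
 * the post; the INTEG and DH entries are constructed assumptions. */
static const struct transform openswan[] = {
    { T_ENCR, ENCR_3DES }, { T_PRF, PRF_HMAC_MD5 },
    { T_INTEG, AUTH_HMAC_SHA1_96 }, { T_DH, DH_MODP_1024 } };

/* Replays the failing comparison; returns the transform type it stops on
 * (2 = PRF, matching the "my id 2 / peer id 1" step in the trace). */
int failing_type(void)
{
    return compare_transforms(hpux, 4, openswan, 4);
}
```

The ENCR type passes (both offer id 3), and the walk stops at type 2 because the responder's PRF_HMAC_SHA1 (id 2) never meets a peer PRF with the same id, which is exactly where the "no proposal chosen" error is produced.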


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, August 23, 2011 10:43 PM
To: Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
Cc: users at openswan.org
Subject: Re: [Openswan Users] Interoperability between openswan and HPUX-IPSEC.

On Tue, 23 Aug 2011, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:

> I'm a newbie to Openswan, I'm trying to see if Openswan and HPUX can interoperate with each other.

> conn hpux
>         type=transport
>         authby=secret
>         keyexchange=ike
>         left=10.1.0.171
>         leftprotoport=tcp/telnet
>         leftnexthop=%defaultroute
>         right=192.168.0.197 
>         rightprotoport=tcp/telnet
>         rightnexthop=%defaultroute
>         pfs=yes
>         ike=3des-md5-modp1024
>         phase2=esp
>         phase2alg=3des-md5

>                 auth  RHEL
>             -remote   10.1.0.171/32
>            -exchange  MM
>               -rtype  IPV4
>                 -rid  10.1.0.171/32
>                 -kmp  ikev1
>        -local_method  PSK
>       -remote_method  PSK
>           -preshared  ipsec1234
>                ikev1  default
>               -group  2
>                -hash  MD5
>          -encryption  3DES
>                 -pfs  OFF

You have a mismatch in pfs it seems. Try pfs=no ?

>              -source  192.168.0.197/32/0-65535
>         -destination  10.1.0.171/32/23
>            -protocol  6
>              -action  ESP_3DES_HMAC_SHA1/28800/0
>               -flags  NONE
>                 host  FROM_RHEL
>              -source  192.168.0.197/32/23
>         -destination  10.1.0.171/32/0-65535
>            -protocol  6

I am not sure I understand the source/destination combos.
You have port 23 to 23 for openswan, but 0-65535 entries on HPUX.

You probably want to have something with leftprotoport=6/%any and
rightprotoport=6/23 (or vice versa depending on which end is the
telnet client and which end is the daemon)

Paul
