[Openswan Users] Interoperability between openswan and HPUX-IPSEC.
Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
murali-mohan.chakravarthy at hp.com
Tue Sep 20 10:30:23 EDT 2011
IKEV2 between HPUX and openswan is still having an issue with the following configuration mentioned in the mail below.
Please help me in figuring out if it's a configuration issue.
Thanks,
Murali
-----Original Message-----
From: Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
Sent: Wednesday, September 14, 2011 9:53 PM
To: 'Paul Wouters'
Cc: users at openswan.org
Subject: RE: [Openswan Users] Interoperability between openswan and HPUX-IPSEC.
Hi,
Sorry for the delayed response.
pfs=no worked !! Thank you very much Paul.
I was able to interoperate between openswan and HPUX-IPSEC without any issues with IKEV1 only.
I'm having issues with IKEV2 with MODP 1024 between openswan and HPUX-IPSEC.
I tried debugging this until some extent.
Here is my ipsec.conf file
Openswan on RHEL
=================
> conn hpux
> type=transport
> authby=secret
> keyexchange=ike
> left=10.1.0.171
> leftprotoport=tcp/telnet
> leftnexthop=%defaultroute
> right=192.168.0.197
> rightprotoport=tcp/telnet
> rightnexthop=%defaultroute
> pfs=no
> ikev2=insist
> ike=3des-sha1-modp1024
> phase2=esp
> phase2alg=3des-sha1
HPUX 11.31
===========
ms10# ipsec_config show all
startup
-autoboot OFF
-auditlvl ERROR
-auditdir /var/adm/ipsec
-maxsize 100
-spi_min 0x12c
-spi_max 0x2625a0
-spd_soft 25
-spd_hard 50
-icmp_error_process OFF
auth RHEL
-remote 10.1.0.171/32
-exchange MM
-priority 30
-rtype IPV4
-rid 10.1.0.171/32
-kmp ikev2
-local_method PSK
-remote_method PSK
-preshared ipsec1234
ikev1 default
-group 2
-hash MD5
-encryption 3DES
-life 28800
-pfs OFF
ikev2 default
-group 2
-hash HMAC-SHA1
-encryption 3DES
-prf HMAC-SHA1
-life 28800
-pfs OFF
host TO_RHEL
-source 192.168.0.197/32/0-65535
-destination 10.1.0.171/32/23
-protocol 6
-priority 40
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host FROM_RHEL
-source 192.168.0.197/32/23
-destination 10.1.0.171/32/0-65535
-protocol 6
-priority 50
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host default
-action PASS
The error I'm getting in the HPUX log is "no proposal chosen" . I double checked my configuration with different transforms but no luck.
When I tried to debug it further, looks like HPUX is trying to compare the incoming proposal from openswan and trying to find a matching one.
While comparing it complains of "transforms didn't match"
I tried to print some of the content of it while the HPUX is doing the comparison,
Here is the flow of the problem:
===================================
1. It tried comparing the proto_id of itself and the peer (openswan)
my_proto->prop->proto_id : 1
peer_proto->prop->proto_id : 1
2. Compared the transform types
my_transform type: 1
peer_transf->transform_type is : 1
3. Then it tried comparing the transform id
my transform id : 3
peer transform id : 3
4. Once it matches it moved on to the next transform type.
my_transform type : 2
peer transform type : 2
5. Again it compares the transform IDs. And here is the problem !!!
my transform id : 2
peer transform id: 1
The transform IDs didn't match and it returns an error saying "transform didn't match", and the IKE SA doesn't form.
Openswan always gives the transform IDs as only 1 and 3, but not 2. NOT sure why.
HPUX starts the transform IDs from 1, 2, 3, 4.
I checked what transform id 2 is: IKEV2TRANSFORM_TYPE_PRF in HPUX.
Is there any configuration issue ?? Am I still missing something ?
You can refer to the "ikev2_compare_transforms" routine for more details on the code implementation, as HPUX uses racoon2 for IKE.
http://www.racoon2.wide.ad.jp/ml/racoon2-users/200709/msg298.html, or below is the code where it is failing.
/*
 * for each of my transform types,
 * see whether there's a matching peer's transform
 * return 0 if success, non-0 otherwise
 */
int
ikev2_compare_transforms(struct isakmp_domain *doi, struct prop_pair *mine,
                         struct prop_pair *peers)
{
    struct prop_pair *my_transforms;
    struct ikev2transform *my_transf;
    struct prop_pair *peer_transforms;
    struct prop_pair *p;
    struct ikev2transform *peer_transf;
    int type;
    struct prop_pair *m;
    u_int my_id;
    struct prop_pair *pp;
    u_int peer_id;

    TRACE((PLOGLOC, "ikev2_compare_transforms\n"));
    my_transforms = mine->tnext;
    peer_transforms = peers->tnext;

    /* for each type in my proposal */
    for (; my_transforms; my_transforms = my_transforms->next) {
        my_transf = (struct ikev2transform *)my_transforms->trns;
        assert(my_transf != 0);
        type = my_transf->transform_type;
        TRACE((PLOGLOC, "my_transform %p type %d\n", my_transforms,
               type));

        /* find same type from peer proposal list */
        for (p = peer_transforms; p; p = p->next) {
            peer_transf = (struct ikev2transform *)p->trns;
            if (type == peer_transf->transform_type)
                break;
        }
        if (!p) {
            TRACE((PLOGLOC,
                   "there weren't same type of transform in peer transforms list\n"));
            return -1;
        }
        TRACE((PLOGLOC, "peer transform %p\n", p));
        TRACE((PLOGLOC, "see whether there's matching transform\n"));
        for (m = my_transforms; m; m = m->tnext) {
            my_id = get_uint16(&((struct ikev2transform *)m->trns)->transform_id);
            TRACE((PLOGLOC, "my_id %d\n", my_id));
#ifdef notyet
            /* (draft-17)
             * If the
             * initiator wishes to make use of the transform optional to
             * the responder, it includes a transform substructure with
             * transform ID = 0 as one of the options.
             */
#endif
            for (pp = p; pp; pp = pp->tnext) {
                peer_id = get_uint16(&((struct ikev2transform *)pp->trns)->transform_id);
                TRACE((PLOGLOC, "pp %p id %d\n", pp, peer_id));
                if (my_id != peer_id)
                    continue;
                TRACE((PLOGLOC,
                       "found same ID. compare attributes\n"));
                if (ikev2_compare_attributes(doi, m->trns, pp->trns) == 0) {
                    TRACE((PLOGLOC,
                           "OK; advance to next of my transform type\n"));
                    goto next_type;
                }
                TRACE((PLOGLOC,
                       "attributes do not match; try next peer transform\n"));
            }
            TRACE((PLOGLOC,
                   "no peer transform matched; try next my transform proposal\n"));
        }
        TRACE((PLOGLOC, "none of my proposal matched\n"));
        return -1;        /* =====> returns here */
    next_type:
        ;
    }
    /* there were matching transform for all of my transform types */
    TRACE((PLOGLOC, "success\n"));
    return 0;    /* success */
}
Thanks,
Murali
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, August 23, 2011 10:43 PM
To: Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
Cc: users at openswan.org
Subject: Re: [Openswan Users] Interoperability between openswan and HPUX-IPSEC.
On Tue, 23 Aug 2011, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:
> I’m a newbie to Openswan, I’m trying see if Openswan and HPUX can interoperate with each other.
> conn hpux
> type=transport
> authby=secret
> keyexchange=ike
> left=10.1.0.171
> leftprotoport=tcp/telnet
> leftnexthop=%defaultroute
> right=192.168.0.197
> rightprotoport=tcp/telnet
> rightnexthop=%defaultroute
> pfs=yes
> ike=3des-md5-modp1024
> phase2=esp
> phase2alg=3des-md5
> auth RHEL
> -remote 10.1.0.171/32
> -exchange MM
> -rtype IPV4
> -rid 10.1.0.171/32
> -kmp ikev1
> -local_method PSK
> -remote_method PSK
> -preshared ipsec1234
> ikev1 default
> -group 2
> -hash MD5
> -encryption 3DES
> -pfs OFF
You have a mismatch in pfs it seems. Try pfs=no ?
> -source 192.168.0.197 /32/0-65535
> -destination 10.1.0.171/32/23
> -protocol 6
> -action ESP_3DES_HMAC_SHA1/28800/0
> -flags NONE
> host FROM_RHEL
> -source 192.168.0.197 /32/23
> -destination 10.1.0.171/32/0-65535
> -protocol 6
I am not sure I understand the source/destination combos.
You have port 23 to 23 for openswan, but 0-65535 entries on HPUX.
You probably want to have something with leftprotoport=6/%any and
rightprotoport=6/23 (or vice versa, depending on which end is the
telnet client and which end is the daemon).
Paul
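The trace in the 14 Sep mail above shows the responder walking its own proposal type by type (ENCR, PRF, INTEG, D-H) and, for each type, looking for a peer transform with the same transform ID; the first type with no matching ID ends the negotiation with "no proposal chosen". The C program below is an added example written for this archive page; it is not racoon2's, HP-UX's or Openswan's code. It models that matching rule in simplified form (transform attributes such as key length are ignored) over two small proposals: the HP-UX side is taken from the "ikev2 default" block in the thread (3DES, PRF HMAC-SHA1, integrity HMAC-SHA1, group 2), and the peer side is constructed from what the trace printed (ENCR id 3, PRF id 1); the peer's INTEG and D-H entries are assumed to match, since the trace never got that far. The numeric IDs are the IANA IKEv2 values; `compare_transforms`, `diagnose_thread_case` and the `MATCH_*` result codes are names chosen for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* IKEv2 transform types (RFC 5996 section 3.3.2, IANA values). */
enum transform_type { TT_ENCR = 1, TT_PRF = 2, TT_INTEG = 3, TT_DH = 4 };

/* IANA transform IDs used by this example. */
enum { ENCR_3DES = 3, PRF_HMAC_MD5 = 1, PRF_HMAC_SHA1 = 2,
       AUTH_HMAC_SHA1_96 = 2, DH_MODP1024 = 2 };

struct transform { int type; int id; };
struct proposal  { const struct transform *t; size_t n; };

/* Three outcomes, mirroring the three exits of racoon2's
 * ikev2_compare_transforms (simplified: attributes are not compared). */
enum match_result { MATCH_OK = 0, MATCH_TYPE_ABSENT = 1, MATCH_ID_MISMATCH = 2 };

static const char *type_name(int type)
{
    switch (type) {
    case TT_ENCR:  return "ENCR";
    case TT_PRF:   return "PRF";
    case TT_INTEG: return "INTEG";
    case TT_DH:    return "D-H";
    default:       return "?";
    }
}

/* For each transform type present in `mine`, at least one of my transforms
 * of that type must have the same ID as some peer transform of that type.
 * On failure *failed_type receives the first type that could not be matched. */
enum match_result compare_transforms(const struct proposal *mine,
                                     const struct proposal *peer,
                                     int *failed_type)
{
    size_t i, j, k;
    *failed_type = 0;
    for (i = 0; i < mine->n; i++) {
        int type = mine->t[i].type, seen_type = 0, id_ok = 0;
        /* handle each type once, at its first occurrence in my proposal */
        for (k = 0; k < i; k++)
            if (mine->t[k].type == type) break;
        if (k < i) continue;
        /* my alternatives of this type vs. the peer's alternatives of this type */
        for (k = i; k < mine->n && !id_ok; k++) {
            if (mine->t[k].type != type) continue;
            for (j = 0; j < peer->n; j++) {
                if (peer->t[j].type != type) continue;
                seen_type = 1;
                if (peer->t[j].id == mine->t[k].id) { id_ok = 1; break; }
            }
        }
        if (!seen_type) { *failed_type = type; return MATCH_TYPE_ABSENT; }
        if (!id_ok)     { *failed_type = type; return MATCH_ID_MISMATCH; }
    }
    return MATCH_OK;
}

/* Responder side, from the HP-UX "ikev2 default" block in the thread. */
static const struct transform hpux_t[] = {
    { TT_ENCR, ENCR_3DES }, { TT_PRF, PRF_HMAC_SHA1 },
    { TT_INTEG, AUTH_HMAC_SHA1_96 }, { TT_DH, DH_MODP1024 },
};
/* Initiator side, constructed from the trace: ENCR id 3 and PRF id 1 were
 * printed; the INTEG and D-H entries are assumptions for this example. */
static const struct transform peer_t[] = {
    { TT_ENCR, ENCR_3DES }, { TT_PRF, PRF_HMAC_MD5 },
    { TT_INTEG, AUTH_HMAC_SHA1_96 }, { TT_DH, DH_MODP1024 },
};
const struct proposal hpux_prop = { hpux_t, sizeof hpux_t / sizeof hpux_t[0] };
const struct proposal peer_prop = { peer_t, sizeof peer_t / sizeof peer_t[0] };

/* Runs the comparison for the thread's two proposals, prints a diagnostic
 * and returns the transform type that failed (0 if everything matched). */
int diagnose_thread_case(void)
{
    int failed = 0;
    enum match_result r = compare_transforms(&hpux_prop, &peer_prop, &failed);
    if (r == MATCH_OK)
        printf("proposals match\n");
    else
        printf("no proposal chosen: transform type %d (%s) %s\n",
               failed, type_name(failed),
               r == MATCH_TYPE_ABSENT ? "absent from peer proposal"
                                      : "offered with a different transform ID");
    return failed;
}

int main(void)
{
    diagnose_thread_case();
    return 0;
}
```

Run as-is it reports the failure at transform type 2 (PRF), which is the point the trace stopped at; feeding it a peer proposal that also lists PRF ID 2 as an alternative shows the same matcher succeeding, which is the quickest way to tell a transform-set mismatch from a policy or selector problem when the only message in the log is "no proposal chosen".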