[Openswan Users] Interoperability between openswan and HPUX-IPSEC.
Paul Wouters
paul at xelerance.com
Tue Sep 20 11:47:29 EDT 2011
On Tue, 20 Sep 2011, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:
Can you let the HP-UX initiate, and capture a plutodebug=all log of that,
and post it to a bug entry in bugs.openswan.org ?
Paul
> Date: Tue, 20 Sep 2011 14:30:23 +0000
> From: "Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)"
> <murali-mohan.chakravarthy at hp.com>
> To: "Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)"
> <murali-mohan.chakravarthy at hp.com>, Paul Wouters <paul at xelerance.com>,
> "users at openswan.org" <users at openswan.org>
> Subject: RE: [Openswan Users] Interoperability between openswan and
> HPUX-IPSEC.
>
> IKEv2 between HPUX and openswan is still having an issue with the following configuration mentioned in the mail below.
>
> Please help me in figuring out, if it's a configuration issue.
>
> Thanks,
> Murali
>
>
> -----Original Message-----
> From: Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
> Sent: Wednesday, September 14, 2011 9:53 PM
> To: 'Paul Wouters'
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Interoperability between openswan and HPUX-IPSEC.
>
> Hi,
>
> Sorry for the delayed response.
>
> pfs=no worked !! Thank you very much Paul.
>
>
> I was able to interoperate between openswan and HPUX-IPSEC without any issues with IKEV1 only.
>
> I'm having issues with IKEV2 with MODP 1024 between openswan and HPUX-IPSEC.
>
> I tried debugging this until some extent.
>
> Here is my ipsec.conf file
>
> Openswan on RHEL
> =================
>> conn hpux
>> type=transport
>> authby=secret
>> keyexchange=ike
>> left=10.1.0.171
>> leftprotoport=tcp/telnet
>> leftnexthop=%defaultroute
>> right=192.168.0.197
>> rightprotoport=tcp/telnet
>> rightnexthop=%defaultroute
>> pfs=no
>> ikev2=insist
>> ike=3des-sha1-modp1024
>> phase2=esp
>> phase2alg=3des-sha1
>
>
> HPUX 11.31
> ===========
> ms10# ipsec_config show all
> startup
> -autoboot OFF
> -auditlvl ERROR
> -auditdir /var/adm/ipsec
> -maxsize 100
> -spi_min 0x12c
> -spi_max 0x2625a0
> -spd_soft 25
> -spd_hard 50
> -icmp_error_process OFF
>
> auth RHEL
> -remote 10.1.0.171/32
> -exchange MM
> -priority 30
> -rtype IPV4
> -rid 10.1.0.171/32
> -kmp ikev2
> -local_method PSK
> -remote_method PSK
> -preshared ipsec1234
>
> ikev1 default
> -group 2
> -hash MD5
> -encryption 3DES
> -life 28800
> -pfs OFF
>
> ikev2 default
> -group 2
> -hash HMAC-SHA1
> -encryption 3DES
> -prf HMAC-SHA1
> -life 28800
> -pfs OFF
>
> host TO_RHEL
> -source 192.168.0.197/32/0-65535
> -destination 10.1.0.171/32/23
> -protocol 6
> -priority 40
> -action ESP_3DES_HMAC_SHA1/28800/0
> -flags NONE
>
> host FROM_RHEL
> -source 192.168.0.197/32/23
> -destination 10.1.0.171/32/0-65535
> -protocol 6
> -priority 50
> -action ESP_3DES_HMAC_SHA1/28800/0
> -flags NONE
>
> host default
> -action PASS
>
>
>
> The error I'm getting in the HPUX log is "no proposal chosen" . I double checked my configuration with different transforms but no luck.
>
> When I tried to debug it further, looks like HPUX is trying to compare the incoming proposal from openswan and trying to find a matching one.
>
> While comparing it complains of "transforms didn't match"
>
>
> I tried to print some of the content of it while the HPUX is doing the comparison,
>
>
> Here is the flow of the problem:
> ===================================
>
> 1. It tried comparing the proto_id of itself and the peer (openswan)
>
> my_proto->prop->proto_id : 1
> peer_proto->prop->proto_id : 1
>
> 2. Compared the transform types
>
> my_transform type: 1
> peer_transf->transform_type is : 1
>
> 3. Then it tried comparing the transform id
>
> my transform id : 3
> peer transform id : 3
>
> 4. Once it matches it moved on to the next transform type.
>
> my_transform type : 2
> peer transform type : 2
>
> 5. Again it compares the transform id's. And here is the problem !!!
>
> my transform id : 2
> peer transform id: 1
>
> The transform id's didn't match and it returns error saying that "transform didn't match" and IKE SA doesn't form.
>
>
> Openswan always gives the transform id's as only 1 and 3, but not 2. NOT sure why.
>
> HPUX starts the transform id's from 1,2,3,4
>
> I checked what the transform id 2 is IKEV2TRANSFORM_TYPE_PRF in HPUX.
>
> Is there any configuration issue ?? Am I still missing something ?
>
>
>
>
> You can refer to the "ikev2_compare_transforms" routine for more details on the code implementation, as HPUX uses racoon2 for IKE.
>
> http://www.racoon2.wide.ad.jp/ml/racoon2-users/200709/msg298.html or below is the code where it is failing.
>
>
> /*
> * for each of my transform types,
> * see whether there's a matching peer's transform
> * return 0 if success, non-0 otherwise
> */
> int
> ikev2_compare_transforms(struct isakmp_domain *doi, struct prop_pair *mine,
> struct prop_pair *peers)
> {
> struct prop_pair *my_transforms;
> struct ikev2transform *my_transf;
> struct prop_pair *peer_transforms;
> struct prop_pair *p;
> struct ikev2transform *peer_transf;
> int type;
> struct prop_pair *m;
> u_int my_id;
> struct prop_pair *pp;
> u_int peer_id;
>
> TRACE((PLOGLOC, "ikev2_compare_transforms\n"));
>
> my_transforms = mine->tnext;
> peer_transforms = peers->tnext;
> /* for each type in my proposal */
> for (; my_transforms; my_transforms = my_transforms->next) {
> my_transf = (struct ikev2transform *)my_transforms->trns;
> assert(my_transf != 0);
> type = my_transf->transform_type;
> TRACE((PLOGLOC, "my_transform %p type %d\n", my_transforms,
> type));
> /* find same type from peer proposal list */
> for (p = peer_transforms; p; p = p->next) {
> peer_transf = (struct ikev2transform *)p->trns;
> if (type == peer_transf->transform_type)
> break;
> }
> if (!p) {
> TRACE((PLOGLOC,
> "there weren't same type of transform in peer transforms list\n"));
> return -1;
> }
> TRACE((PLOGLOC, "peer transform %p\n", p));
>
> TRACE((PLOGLOC, "see whether there's matching transform\n"));
> for (m = my_transforms; m; m = m->tnext) {
> my_id = get_uint16(&((struct ikev2transform *)m->trns)->transform_id);
> TRACE((PLOGLOC, "my_id %d\n", my_id));
>
> #ifdef notyet
> /* (draft-17)
> * If the
> * initiator wishes to make use of the transform optional to
> * the responder, it includes a transform substructure with
> * transform ID = 0 as one of the options.
> */
> #endif
> for (pp = p; pp; pp = pp->tnext) {
> peer_id = get_uint16(&((struct ikev2transform *)pp->trns)->transform_id);
> TRACE((PLOGLOC, "pp %p id %d\n", pp, peer_id));
> if (my_id != peer_id)
> continue;
> TRACE((PLOGLOC,
> "found same ID. compare attributes\n"));
> if (ikev2_compare_attributes(doi, m->trns, pp->trns) == 0) {
> TRACE((PLOGLOC,
> "OK; advance to next of my transform type\n"));
> goto next_type;
> }
>
> TRACE((PLOGLOC,
> "attributes do not match; try next peer transform\n"));
> }
> TRACE((PLOGLOC,
> "no peer transform matched; try next my transform proposal\n"));
> }
> TRACE((PLOGLOC, "none of my proposal matched\n"));
> return -1; =====> returns here
>
> next_type:
> ;
> }
> /* there were matching transform for all of my transform types */
> TRACE((PLOGLOC, "success\n"));
> return 0; /* success */
> }
>
>
>
> Thanks,
> Murali
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Tuesday, August 23, 2011 10:43 PM
> To: Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Interoperability between openswan and HPUX-IPSEC.
>
> On Tue, 23 Aug 2011, Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) wrote:
>
>> I’m a newbie to Openswan, I’m trying see if Openswan and HPUX can interoperate with each other.
>
>> conn hpux
>> type=transport
>> authby=secret
>> keyexchange=ike
>> left=10.1.0.171
>> leftprotoport=tcp/telnet
>> leftnexthop=%defaultroute
>> right=192.168.0.197
>> rightprotoport=tcp/telnet
>> rightnexthop=%defaultroute
>> pfs=yes
>> ike=3des-md5-modp1024
>> phase2=esp
>> phase2alg=3des-md5
>
>> auth RHEL
>> -remote 10.1.0.171/32
>> -exchange MM
>> -rtype IPV4
>> -rid 10.1.0.171/32
>> -kmp ikev1
>> -local_method PSK
>> -remote_method PSK
>> -preshared ipsec1234
>> ikev1 default
>> -group 2
>> -hash MD5
>> -encryption 3DES
>> -pfs OFF
>
> You have a mismatch in pfs it seems. Try pfs=no ?
>
>> -source 192.168.0.197 /32/0-65535
>> -destination 10.1.0.171/32/23
>> -protocol 6
>> -action ESP_3DES_HMAC_SHA1/28800/0
>> -flags NONE
>> host FROM_RHEL
>> -source 192.168.0.197 /32/23
>> -destination 10.1.0.171/32/0-65535
>> -protocol 6
>
> I am not sure I understand the source/destination combos
> You have port 23 to 23 for openswan, but 0-65535 entries on HPUX.
>
> You probably want to have something with leftprotoport=6/%any and
> rightprotoport=6/23 (or vice versa depending on which end is the
> telnet client and which end is the daemon)
>
> Paul
>
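Added example (not from this thread, and not code from openswan, HP-UX or racoon2): a small Python model of the responder-side transform comparison that the quoted ikev2_compare_transforms() performs, run over the two proposals described above. The HP-UX proposal is taken from the "ikev2 default" block (3DES, PRF HMAC-SHA1, HMAC-SHA1 integrity, group 2). The openswan proposal uses the ENCR id 3 and PRF id 1 values that the trace printed; its INTEG and D-H entries are constructed from ike=3des-sha1-modp1024, since the trace stops at the PRF mismatch. Transform type and ID numbers are the RFC 7296 / IANA IKEv2 registry values. The point of the model is the diagnostic: it names the first transform type on which the two sides disagree, which is the detail a bare "no proposal chosen" notification hides.

```python
from collections import defaultdict

# IKEv2 transform types (RFC 7296 section 3.3.2) and the transform IDs
# that occur in this thread, per the IANA IKEv2 registry.
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "D-H"}
TRANSFORM_IDS = {
    (1, 3): "ENCR_3DES",
    (2, 1): "PRF_HMAC_MD5",
    (2, 2): "PRF_HMAC_SHA1",
    (3, 1): "AUTH_HMAC_MD5_96",
    (3, 2): "AUTH_HMAC_SHA1_96",
    (4, 2): "MODP_1024",
}


def describe(ttype, tid):
    """Human-readable name for a (transform type, transform id) pair."""
    return f"{TRANSFORM_TYPES.get(ttype, ttype)}={TRANSFORM_IDS.get((ttype, tid), tid)}"


def compare_transforms(mine, peers):
    """Responder-side check modelled on racoon2's ikev2_compare_transforms():
    for every transform type in `mine`, at least one of my alternatives
    (type, id, attributes) must also appear among the peer's transforms of
    that type.  A type the peer omits entirely, or a type with no common
    alternative, is a mismatch.  Each proposal is a list of
    (transform_type, transform_id, attributes) tuples.
    Returns (True, "") on success or (False, reason) naming the first
    failing transform type."""
    peer_by_type = defaultdict(list)
    for ttype, tid, attrs in peers:
        peer_by_type[ttype].append((tid, attrs))
    my_by_type = defaultdict(list)
    for ttype, tid, attrs in mine:
        my_by_type[ttype].append((tid, attrs))

    for ttype, my_alts in sorted(my_by_type.items()):
        tname = TRANSFORM_TYPES.get(ttype, ttype)
        peer_alts = peer_by_type.get(ttype, [])
        if not peer_alts:
            # "there weren't same type of transform in peer transforms list"
            return False, f"peer offers no transform of type {tname}"
        if any(alt in peer_alts for alt in my_alts):
            # "OK; advance to next of my transform type"
            continue
        ours = ", ".join(describe(ttype, tid) for tid, _ in my_alts)
        theirs = ", ".join(describe(ttype, tid) for tid, _ in peer_alts)
        # "none of my proposal matched"
        return False, f"no common {tname} transform: mine [{ours}] vs peer [{theirs}]"
    return True, ""


# HP-UX side, from the "ikev2 default" block in the thread.  Attributes are
# empty because none of these transforms carries a key-length attribute.
HPUX = [(1, 3, ()), (2, 2, ()), (3, 2, ()), (4, 2, ())]

# Openswan side as the HP-UX trace reported it: ENCR id 3 and PRF id 1.
# INTEG and D-H are assumptions constructed from ike=3des-sha1-modp1024.
OPENSWAN_TRACE = [(1, 3, ()), (2, 1, ()), (3, 2, ()), (4, 2, ())]

# Constructed variant: a peer that lists both PRFs as alternatives, which
# is enough for the loop to find a common transform of every type.
OPENSWAN_BOTH_PRFS = OPENSWAN_TRACE + [(2, 2, ())]

# Constructed variant: a peer that omits the PRF transform type altogether.
OPENSWAN_NO_PRF = [t for t in OPENSWAN_TRACE if t[0] != 2]

if __name__ == "__main__":
    cases = (("trace", OPENSWAN_TRACE),
             ("both PRFs", OPENSWAN_BOTH_PRFS),
             ("no PRF", OPENSWAN_NO_PRF))
    for label, peer in cases:
        ok, reason = compare_transforms(HPUX, peer)
        print(f"{label}: {'match' if ok else 'no proposal chosen: ' + reason}")
```

Run as a script, the "trace" case reproduces the failure in the thread (a common ENCR, then PRF_HMAC_SHA1 on one side against PRF_HMAC_MD5 on the other), the "both PRFs" case shows that the loop only needs one alternative per type to coincide, and the "no PRF" case shows the earlier exit taken when a type is absent from the peer proposal. When diagnosing a "no proposal chosen" between two implementations, comparing the decoded SA payloads type by type in this way is quicker than re-reading both configurations.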