[Openswan Users] Ping fail after flushing SPD/SAD
satpal parmar
systems.satpal at gmail.com
Thu Feb 2 07:56:03 EST 2012
Hi All;
I am trying to make ping work between two boxes running IPsec, using
manual keying, and I am seeing a strange problem. Ping works without IPsec.
Then I load setkey.conf and ping fails (I assumed some hardware/driver
error). I flush the configuration with `setkey -F` and try ping again, but
now ping still does not work: I have to reboot the machine to make it
work again.
The console log is attached below.
I would appreciate any help in understanding the issue.
-SP
+++++++++++++++
LOG
+++++++++++++++
Please press Enter to activate this console.
Linux version 2.6.37-svn5271 (satpal.parmar at ubuntu) (gcc version 4.3.3
(Sourcery G++ Lite 2009q1-203) ) #1 Thu Feb 2 11:17:25 IST 2012
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# ifconfig eth0 1.1.1.2 up
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=64 time=8.617 ms
64 bytes from 1.1.1.1: seq=1 ttl=64 time=0.367 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.367/4.492/8.617 ms
root at R3BTS-CP-PFS1.0# clear
root at R3BTS-CP-PFS1.0# ls
bin home linuxrc opt sbin usr
dev init lost+found proc sys var
etc lib mnt root tmp
root at R3BTS-CP-PFS1.0# vi /home/setkey.conf
#!/usr/sbin/setkey -f
# Configuration for 1.1.1.2
# Manually keyed, transport-mode AH+ESP between 1.1.1.2 (this host) and
# 1.1.1.1. The peer is presumably loading the same SAs with the policy
# directions swapped - confirm against its configuration, since SPIs,
# algorithms and keys must match exactly on both sides.
#
# Flush the SAD and SPD before loading so that SAs/policies from an
# earlier run do not linger. 'flush' clears only the SAD and 'spdflush'
# only the SPD. The same split applies on the command line: 'setkey -F'
# flushes the SAD alone and 'setkey -FP' is needed to clear the SPD.
# Flushing only the SAD while the 'require' policies below remain leaves
# the kernel with policies it cannot satisfy: matching traffic is not
# sent in the clear, it fails (the session log shows ping reporting
# "sendto: Invalid argument" after a bare 'setkey -F').
flush;
spdflush;
# Attention: Use these keys only for testing purposes!
# Generate your own keys! The values below are public (they are part of
# this post), so they provide no confidentiality or integrity at all.
# Replace them with fresh random bytes (e.g. from /dev/urandom) before
# any real use, and never reuse one key for more than one SA.
# AH SAs using 128 bit long keys
# NOTE(review): hmac-md5 is a legacy MAC; hmac-sha1 or hmac-sha256 is
# preferable where the peer supports it, but both sides must change
# together.
# NOTE(review): no replay window ('-r') is given, so anti-replay is off
# ('setkey -D' shows replay=0). That is the usual choice for manual
# keying, because sequence counters cannot be resynchronised after a
# reboot, but it means replayed packets are accepted; IKE-negotiated
# SAs avoid this trade-off.
add 1.1.1.2 1.1.1.1 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 1.1.1.1 1.1.1.2 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
# NOTE(review): these ESP SAs carry no authentication algorithm (no
# '-A'), i.e. encryption-only ESP; the kernel logs them as
# authenc(digest_null,cbc(des3_ede)). Encryption-only ESP is unsafe on
# its own. Here integrity comes from the AH SA that the policies below
# also require, so keep both 'require' clauses, or add '-A' to the ESP
# SAs on both peers.
# 3des-cbc is a 64-bit block cipher; prefer aes-cbc when both peers can
# be changed.
add 1.1.1.2 1.1.1.1 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 1.1.1.1 1.1.1.2 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies
# All traffic ('any' protocol) between the two hosts must be protected
# by ESP and AH in transport mode, outbound and inbound. 'require'
# means a packet matching the policy is never passed in the clear: it
# is only sent or accepted when matching SAs exist.
spdadd 1.1.1.2 1.1.1.1 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 1.1.1.1 1.1.1.2 any -P in ipsec
esp/transport//require
ah/transport//require;
~
~
root at R3BTS-CP-PFS1.0# ls
bin home linuxrc opt sbin usr
dev init lost+found proc sys var
etc lib mnt root tmp
r
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# setkey -f /home/setkey.conf
alg: No test for authenc(digest_null,cbc(des3_ede))
(authenc(digest_null-generic,cbc(des3_ede-generic)))
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# setkey -D
1.1.1.1 1.1.1.2
esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
E: 3des-cbc f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 1 00:16:15 1970 current: Jan 1 00:16:42 1970
diff: 27(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=297 refcnt=0
1.1.1.2 1.1.1.1
esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
E: 3des-cbc 7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 1 00:16:15 1970 current: Jan 1 00:16:42 1970
diff: 27(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=297 refcnt=0
1.1.1.1 1.1.1.2
ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
A: hmac-md5 96358c90 783bbfa3 d7b196ce abe0536b
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 1 00:16:15 1970 current: Jan 1 00:16:42 1970
diff: 27(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=297 refcnt=0
1.1.1.2 1.1.1.1
ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
A: hmac-md5 c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Jan 1 00:16:15 1970 current: Jan 1 00:16:42 1970
diff: 27(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=297 refcnt=0
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
21 packets transmitted, 0 packets received, 100% packet loss
root at R3BTS-CP-PFS1.0# setkey -F
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Invalid argument