[Openswan Users] Ping fail after flushing SPD/SAD

satpal parmar systems.satpal at gmail.com
Thu Feb 2 07:56:03 EST 2012 

Hi All;

I am trying to make ping work btn two boxes running IPSec. I am using
manual keying.  I am facing strange problem. Ping works without IPsec.
Then I apply setkey.config. Ping fails due to some hw/driver/error. I
flush the config and try ping again. But now ping is not working . I
have to reboot machine to make it work again.

Below is the log attached.

Appreciate any help to understand the issue.


-SP
+++++++++++++++
LOG
+++++++++++++++
Please press Enter to activate this console.
Linux version 2.6.37-svn5271 (satpal.parmar at ubuntu) (gcc version 4.3.3
(Sourcery G++ Lite 2009q1-203) ) #1 Thu Feb 2 11:17:25 IST 2012
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# ifconfig eth0 1.1.1.2 up
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=64 time=8.617 ms
64 bytes from 1.1.1.1: seq=1 ttl=64 time=0.367 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.367/4.492/8.617 ms
root at R3BTS-CP-PFS1.0# clear

root at R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp
root at R3BTS-CP-PFS1.0# vi /home/setkey.conf

#!/usr/sbin/setkey -f

# Configuration for 1.1.1.2

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use this keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 1.1.1.2 1.1.1.1  ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 1.1.1.1 1.1.1.2 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 1.1.1.2  1.1.1.1 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 1.1.1.1 1.1.1.2 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 1.1.1.2 1.1.1.1 any -P out ipsec
esp/transport//require
ah/transport//require;

spdadd 1.1.1.1 1.1.1.2 any -P in ipsec
esp/transport//require
ah/transport//require;
~
~


root at R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp

r
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# setkey -f /home/setkey.conf
alg: No test for authenc(digest_null,cbc(des3_ede))
(authenc(digest_null-generic,cbc(des3_ede-generic)))
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# setkey -D
1.1.1.1 1.1.1.2
        esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
        E: 3des-cbc  f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
        E: 3des-cbc  7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=297 refcnt=0
1.1.1.1 1.1.1.2
        ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
        A: hmac-md5  96358c90 783bbfa3 d7b196ce abe0536b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
        A: hmac-md5  c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=297 refcnt=0
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0#
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
21 packets transmitted, 0 packets received, 100% packet loss
root at R3BTS-CP-PFS1.0# setkey -F
root at R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Invalid argument

More information about the Users mailing list