[Openswan Users] IPSec with simple setting on Linux kernel 2.6.21

JALINDAR jalindergat at gmail.com
Tue Jul 16 02:26:00 UTC 2013


I cannot afford an IKE daemon; I cannot even afford setkey in terms
of memory and computation.

I just want to have the simplest IPsec.

I have tapped packets using Wireshark at Host A, and also at the gateway it
is connected to, as I learned from somewhere
that tcpdump gets packets which may not be encrypted, since IPsec is implemented
inside the kernel.
But still I have seen people showing tcpdump logs to verify that IPsec works.

What I have observed is that communication is as usual, without any kind of
IPsec, when I tap packets at Host A and its gateway.

Am I missing some more settings, or what else??




On Mon, Jul 15, 2013 at 9:30 PM, Leto <letoams at gmail.com> wrote:

> why use manual keying? you should use the IKE daemon and let it handle SPD
> and SAD.
>
>  netkey is bad at showing encrypted packets with tcpdump. are you sure
> it is not encrypting?
>
> sent from a tiny device
>
> On 2013-07-15, at 0:07, JALINDAR <jalindergat at gmail.com> wrote:
>
> Hi All,
>
> I am trying to set up the simplest IPsec on my Linux box, which has kernel
> 2.6.21.
> I have configured the kernel for IPsec.
>
> I use iproute2 to set the SA and SP for IPsec using:
>
>
> *#HOST A:192.168.77.24*
> ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi \
>   0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' \
>   0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' \
>   0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi \
>   0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' \
>   0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' \
>   0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> # corrected: the out selector and tmpl are this host (.24) -> peer (.23),
> # and the tmpl reqid must equal the SAs' reqid (16386) or no SA is matched
> ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main \
>   action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto \
>   esp reqid 16386 mode transport
>
> # corrected: the in selector and tmpl are peer (.23) -> this host (.24)
> ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main \
>   action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto \
>   esp reqid 16386 mode transport
>
>
> *#HOST B:192.168.77.23*
> ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi \
>   0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' \
>   0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' \
>   0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi \
>   0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' \
>   0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' \
>   0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>
> # corrected: the out selector and tmpl are this host (.23) -> peer (.24),
> # and the tmpl reqid must equal the SAs' reqid (16386) or no SA is matched
> ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main \
>   action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto \
>   esp reqid 16386 mode transport
>
> # corrected: the in selector and tmpl are peer (.24) -> this host (.23)
> ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main \
>   action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto \
>   esp reqid 16386 mode transport
>
>
> Here HOST A is my Linux box.
>
> I can check the set values of the SA and SP using
>
>
> *#ip x s*
>
> *#ip xfrm policy show*
>
> and it shows the correct values which I have set.
>
> With this setting I expect IPsec to work, and I should see ESP protocol
> packets in Wireshark at Host A when I ping Host B.
>
>
> But it shows plain ICMP packets instead of ESP. Ping works as usual
> without ESP.
>
>
> *I have checked the same setting on my laptop with Ubuntu 12.04 LTS with
> kernel 3.2, but it shows the same result. On the laptop I have checked the
> configuration of the kernel using #ipsec verify and it says all OK.
> *
>
>
> I do not know what other setting is missing. Any clue will be helpful.
>
>
> Thanks in Advance.
>
>
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
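As an added example (my code, not from the thread or from the Openswan project), here is the same manual-keying setup done as a script that both hosts can run: it emits a mirrored `ip xfrm` command set for either host, and it lints a command set the way the kernel will match it, checking that every `dir out` selector is sourced from the local address, every `dir in` selector is destined to it, and every template's src/dst/reqid triple has an SA with the same triple. The addresses are the ones from the thread; the reqid, SPIs and keys are assumed placeholders, and the `OP_HOST_A` constant is the HOST A command set as posted above, kept so the lint can be run against it.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): emit or apply mirrored
# manual-keying commands for transport-mode ESP between two hosts, and lint a
# command set the way the kernel matches it. Addresses are the thread's;
# REQID, SPIs and keys are ASSUMED placeholders. Generate real keys with
#   openssl rand -hex 20   (hmac(sha1))   /   openssl rand -hex 16   (cbc(aes))
A=192.168.77.24
B=192.168.77.23
REQID=16386
# a distinct SPI and key pair per direction (the posted config reused one set)
SPI_AB=0x53fa0fdd; AUTH_AB=0x00112233445566778899aabbccddeeff00112233; ENC_AB=0x000102030405060708090a0b0c0d0e0f
SPI_BA=0x53fa0fde; AUTH_BA=0x33221100ffeeddccbbaa99887766554433221100; ENC_BA=0x0f0e0d0c0b0a09080706050403020100

# xfrm_cmds LOCAL PEER REQID OUT_SPI OUT_AUTH OUT_ENC IN_SPI IN_AUTH IN_ENC
# Selectors and templates are written from LOCAL's point of view; the template
# reqid equals the SA reqid, which is what lets the policy pick up the SA.
xfrm_cmds() {
  me=$1 peer=$2 reqid=$3
  out_spi=$4 out_auth=$5 out_enc=$6
  in_spi=$7 in_auth=$8 in_enc=$9
  cat <<EOF
ip xfrm state add src $me dst $peer proto esp spi $out_spi mode transport reqid $reqid replay-window 32 auth 'hmac(sha1)' $out_auth enc 'cbc(aes)' $out_enc
ip xfrm state add src $peer dst $me proto esp spi $in_spi mode transport reqid $reqid replay-window 32 auth 'hmac(sha1)' $in_auth enc 'cbc(aes)' $in_enc
ip xfrm policy add dir out src $me dst $peer ptype main action allow priority 2080 tmpl src $me dst $peer proto esp reqid $reqid mode transport
ip xfrm policy add dir in src $peer dst $me ptype main action allow priority 2080 tmpl src $peer dst $me proto esp reqid $reqid mode transport
EOF
}

# host_cmds A|B : the command set for that host (A's out direction is B's in)
host_cmds() {
  case $1 in
    A) xfrm_cmds "$A" "$B" "$REQID" "$SPI_AB" "$AUTH_AB" "$ENC_AB" "$SPI_BA" "$AUTH_BA" "$ENC_BA" ;;
    B) xfrm_cmds "$B" "$A" "$REQID" "$SPI_BA" "$AUTH_BA" "$ENC_BA" "$SPI_AB" "$AUTH_AB" "$ENC_AB" ;;
    *) echo "usage: $0 A|B [apply] | lint LOCAL_ADDR" >&2; return 2 ;;
  esac
}

# lint_cmds LOCAL_ADDR < commands : prints one line per problem, exits non-zero
lint_cmds() {
  awk -v me="$1" '
    BEGIN { bad = 0 }
    /^ip xfrm state add/ {
      s = d = r = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "sel") break            # stop before the selector fields
        if ($i == "src") s = $(i + 1)
        if ($i == "dst") d = $(i + 1)
        if ($i == "reqid") r = $(i + 1)
      }
      sa[s " " d " " r] = 1
      next
    }
    /^ip xfrm policy add/ {
      dir = ssrc = sdst = ts = td = tr = ""; intmpl = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "dir") dir = $(i + 1)
        if ($i == "tmpl") intmpl = 1
        if (!intmpl) { if ($i == "src") ssrc = $(i + 1); if ($i == "dst") sdst = $(i + 1); continue }
        if ($i == "src") ts = $(i + 1)
        if ($i == "dst") td = $(i + 1)
        if ($i == "reqid") tr = $(i + 1)
      }
      if (dir == "out" && ssrc != me) { print "dir out selector src " ssrc " is not the local host " me; bad = 1 }
      if (dir == "in" && sdst != me) { print "dir in selector dst " sdst " is not the local host " me; bad = 1 }
      need[ts " " td " " tr] = dir          # resolved at END, so SA/policy order does not matter
    }
    END {
      for (k in need) if (!(k in sa)) { print "dir " need[k] " tmpl (src dst reqid) " k " matches no SA"; bad = 1 }
      exit bad
    }'
}

# The HOST A command set as posted in the thread, one command per line
OP_HOST_A="ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth 'hmac(sha1)' 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc 'cbc(aes)' 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport
ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport"

# CLI: print the commands (default), run them as root, or lint a set from stdin
case "${1:-}" in
  A|B)  if [ "${2:-}" = apply ]; then host_cmds "$1" | sh -e; else host_cmds "$1"; fi ;;
  lint) lint_cmds "$2" ;;
esac
```

Run `sh xfrm-manual.sh A` on the .24 box and `sh xfrm-manual.sh B` on the .23 box, piping through `sh xfrm-manual.sh lint <own address>` first and adding `apply` once it is clean (flush stale entries beforehand with `ip xfrm state flush; ip xfrm policy flush`). Against the posted HOST A set the lint reports four problems: both selectors are written from the peer's point of view, and both templates carry reqid 16385 while the SAs carry 16386, so no policy ever selects an SA and ping leaves in the clear, which is the behaviour reported in the thread. To verify a working setup, `ip -s xfrm state` should show the byte counters of both SAs rising while you ping, and a capture on the gateway should show only ESP (IP protocol 50) between the two hosts. Manual keying never rekeys and the replay window is the only freshness protection, so treat this as a lab configuration rather than a substitute for IKE.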