[Openswan Users] IPSec with simple setting on Linux kernel 2.6.21

JALINDAR jalindergat at gmail.com
Tue Jul 16 05:11:37 UTC 2013


I have some other way for key exchange, so I do not need IKE, and I will not
be able to afford it.


I just need the simplest IPsec, and then I can update this key each time I get
a new key.

I see packets coming both ways at the gateway Host A is connected to. I think
at the gateway to which Host A is connected the packets should be IPsec.




On Tue, Jul 16, 2013 at 12:18 PM, Leto <letoams at gmail.com> wrote:

> With netkey you don't see encryption for packets one way, but if you run
> tcpdump on both sides you should see packets. People with KLIPS can see
> packets more easily.
>
> Your IPsec without IKE will be less secure, as you likely will not roll the
> session key every hour for perfect forward secrecy. What you are doing with
> manual keying is unwise.
>
>
> sent from a tiny device
>
> On 2013-07-15, at 22:26, JALINDAR <jalindergat at gmail.com> wrote:
>
> I cannot afford an IKE daemon; I cannot even afford setkey in terms of
> memory and computation.
>
> I just want to have simplest IPSec.
>
> I have tapped packets using Wireshark at Host A, and also at the gateway it
> is connected to, as I got to know from somewhere that tcpdump gets packets
> which may not be encrypted, because IPsec is implemented inside the kernel.
> But still I have seen people showing tcpdump logs to verify that IPsec works.
>
> What I have observed is that communication is as usual, without any kind of
> IPsec, when I tap packets at Host A and its gateway.
>
> Am I missing some more setting, or what else?
>
>
>
>
> On Mon, Jul 15, 2013 at 9:30 PM, Leto <letoams at gmail.com> wrote:
>
>> Why use manual keying? You should use the IKE daemon and let it handle the
>> SPD and SAD.
>>
>> netkey is bad at showing encrypted packets with tcpdump. Are you sure it is
>> not encrypting?
>>
>> sent from a tiny device
>>
>> On 2013-07-15, at 0:07, JALINDAR <jalindergat at gmail.com> wrote:
>>
>> Hi All,
>>
>> I am trying to set up the simplest IPsec on my Linux box, which has kernel
>> 2.6.21.
>> I have configured the kernel for IPsec.
>>
>> I use iproute2 to set the SA and SP for IPsec using:
>>
>>
>> # HOST A: 192.168.77.24
>> ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport
>>
>> ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport
>>
>>
>> # HOST B: 192.168.77.23
>> ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport
>>
>> ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport
>>
>>
>> Here HOST A is my Linux box.
>>
>> I can check the set values of the SA and SP using
>>
>> # ip x s
>>
>> # ip xfrm policy show
>>
>> and it shows the correct values which I have set.
>>
>> With this setting I expect IPsec to work, and I should see ESP protocol
>> packets in Wireshark at Host A when I ping Host B.
>>
>> But it shows plain ICMP packets instead of ESP. Ping works as usual
>> without ESP.
>>
>> I have checked the same setting on my laptop with Ubuntu 12.04 LTS with
>> kernel 3.2, but it shows the same result. On the laptop I have checked the
>> configuration of the kernel using #ipsec verify and it says all OK.
>>
>> I do not know what other setting is missing. Any clue will be helpful.
>>
>>
>> Thanks in Advance.
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
>
>
>
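Two things in the Host A commands quoted above can be checked against the page itself without a machine. First, the "dir out" policy on Host A (192.168.77.24) selects src 192.168.77.23 dst 192.168.77.24, which is traffic Host A never sends, and the "dir in" policy selects traffic Host A never receives; a ping from A to B matches no policy and goes out in the clear, which is exactly what Wireshark showed. Second, the policy templates name reqid 16385 while both states were added with reqid 16386, so even a correctly directed policy could not find its SA (the kernel would then hold the packet for an ACQUIRE rather than send it unprotected). The commands also reuse one SPI and one key set for both directions. The script below is an added example written for this page, not code from the thread or from Openswan: it emits per-host `ip xfrm` commands that keep the policy selectors, template reqid and per-direction keys consistent, and it includes a small lint that reads `ip xfrm state; ip xfrm policy` output and reports the three mistakes. The addresses, reqid and the rendered Host A dump are assumptions constructed for the example; applying the commands needs root, everything else runs unprivileged.

```shell
#!/bin/sh
# Manual-keyed transport-mode ESP with iproute2, plus a lint for the mistakes
# that leave traffic in the clear.  Added example, not code from the thread.
# Assumptions: a kernel with XFRM, ESP, cbc(aes) and hmac(sha1) available and
# an iproute2 `ip` that understands `ip xfrm`; addresses and reqid values are
# illustrative.  Applying the commands needs root; nothing else does.
set -eu

# hexkey BYTES: a fresh random key as 0x-prefixed hex (20 bytes for
# hmac(sha1), 16 bytes for AES-128).  Each direction gets its own keys.
hexkey() {
    echo "0x$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# esp_cmds LOCAL PEER SPI_OUT SPI_IN REQID AUTH_OUT ENC_OUT AUTH_IN ENC_IN
# Prints the four ip xfrm commands for host LOCAL.  The peer runs the same
# function with LOCAL/PEER, SPI_OUT/SPI_IN and the two key pairs swapped.
# Invariants the posted Host A config violates: the "out" policy selects
# src=LOCAL, the "in" policy selects dst=LOCAL, and the template reqid equals
# the state reqid, otherwise the policy never finds the SA it should use.
esp_cmds() {
    me=$1 peer=$2 spi_out=$3 spi_in=$4 reqid=$5
    auth_out=$6 enc_out=$7 auth_in=$8 enc_in=$9
    cat <<EOF
ip xfrm state add src $me dst $peer proto esp spi $spi_out mode transport reqid $reqid replay-window 32 auth 'hmac(sha1)' $auth_out enc 'cbc(aes)' $enc_out sel src $me dst $peer
ip xfrm state add src $peer dst $me proto esp spi $spi_in mode transport reqid $reqid replay-window 32 auth 'hmac(sha1)' $auth_in enc 'cbc(aes)' $enc_in sel src $peer dst $me
ip xfrm policy add dir out src $me dst $peer tmpl src $me dst $peer proto esp reqid $reqid mode transport
ip xfrm policy add dir in src $peer dst $me tmpl src $peer dst $me proto esp reqid $reqid mode transport
EOF
}

# xfrm_lint LOCAL: reads the output of `ip xfrm state; ip xfrm policy` on
# stdin and flags policies that can never protect LOCAL's traffic: an "out"
# policy whose selector src is not LOCAL, an "in" policy whose selector dst
# is not LOCAL, and a template reqid for which no state exists.
# Exit status 1 if anything was flagged.
xfrm_lint() {
    awk -v me="$1" '
    BEGIN { bad = 0 }
    /^src / { src = $2; dst = $4; sub(/\/.*/, "", src); sub(/\/.*/, "", dst) }
    /^[ \t]*dir out/ && src != me {
        printf "out policy %s->%s: selector src is not this host (%s)\n", src, dst, me
        bad = 1 }
    /^[ \t]*dir in/ && dst != me {
        printf "in policy %s->%s: selector dst is not this host (%s)\n", src, dst, me
        bad = 1 }
    / reqid / {
        for (i = 1; i < NF; i++) if ($i == "reqid") r = $(i + 1)
        if ($0 ~ / spi /) state[r] = 1; else tmpl[r] = 1   # only state lines carry an SPI
    }
    END {
        for (r in tmpl) if (!(r in state)) {
            printf "template reqid %s matches no state (states use:", r
            for (s in state) printf " %s", s
            printf ")\n"
            bad = 1 }
        exit bad
    }'
}

# posted_hosta_xfrm: what `ip xfrm state; ip xfrm policy` would show on
# Host A (192.168.77.24) after the commands in the post.  Constructed here
# as lint input, not captured from a machine.
posted_hosta_xfrm() {
    cat <<'EOF'
src 192.168.77.23 dst 192.168.77.24
    proto esp spi 0x53fa0fdd reqid 16386 mode transport
    auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e
    enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.77.24 dst 192.168.77.23
    proto esp spi 0x53fa0fdd reqid 16386 mode transport
    auth hmac(sha1) 0x55f01ac07e15e437115dde0aedd18a822ba9f81e
    enc cbc(aes) 0x6aed4975adf006d65c76f63923a6265b
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.77.23/32 dst 192.168.77.24/32
    dir out priority 2080 ptype main
    tmpl src 192.168.77.23 dst 192.168.77.24
        proto esp reqid 16385 mode transport
src 192.168.77.24/32 dst 192.168.77.23/32
    dir in priority 2080 ptype main
    tmpl src 192.168.77.24 dst 192.168.77.23
        proto esp reqid 16385 mode transport
EOF
}

# Usage: sh manual_esp.sh LOCAL PEER [apply]
# Prints LOCAL's commands with fresh keys and SPIs; with "apply" also runs
# them (as root).  Carry the same values to the peer over a channel you
# trust, with the directions swapped.  Then check with
#   { ip xfrm state; ip xfrm policy; } | xfrm_lint LOCAL
# and watch `tcpdump -ni any esp` while pinging the peer.
if [ $# -ge 2 ]; then
    cmds=$(esp_cmds "$1" "$2" "$(hexkey 4)" "$(hexkey 4)" 1 \
                    "$(hexkey 20)" "$(hexkey 16)" "$(hexkey 20)" "$(hexkey 16)")
    printf '%s\n' "$cmds"
    if [ "${3:-}" = apply ]; then printf '%s\n' "$cmds" | sh -e; fi
fi
```

Run the lint on the constructed Host A dump and it reports all three findings; read the same dump as if it were Host B (192.168.77.23) and only the reqid mismatch remains, because the selectors the poster installed on A are the ones B should have. Manual keying still has the weakness Leto names in the thread: nothing rekeys, so the keys and SPIs must be rotated by whatever out-of-band mechanism supplies them.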