[Openswan Users] IPsec configuration

Eliezer Croitoru eliezer at ngtech.co.il
Sun Nov 17 14:05:39 UTC 2013


Hey,

I was reading the thread and didn't get it yet.
Wanted to understand:
On the machine that is the "END", either A or B, you are trying to use 
wireshark\tcpdump?

In this case it is reasonable that all IP stack level should be 
transparent to the OS since for example it should recognize at some 
level that there is an IP level to respond to.
If it's 100% encrypted and the OS will not be able to read its own 
encryption it will be weird.

To make sure this is indeed an encrypted session you need to "tap" the 
cable between that machine and there do wireshark\tcpdump.
For this case you can use for example Tinycore (CorePlus) Linux that has 
two interfaces and acts as a bridge.
This way you can see what the traffic is on the wire level of encryption.

Eliezer

On 16/11/13 13:26, Ana wrote:
> Hi everybody.
>
>
> I’m starting to learn *IPsec* and I'm having some problems.
>
>
> I’m running two virtual machines with CentOS that simulate the network
> depicted in the picture below.
>
> Inline image 1
>
>
> I want to create an IPsec tunnel between machine A and machine B. The
> keys should be negotiated using IKE and the tunnel should enable total
> connectivity between the two machines.
>
>
>
> My *ipsec.conf* file on both machines is this:
>
>
>     config setup
>                  protostack=netkey
>                  dumpdir=/var/run/pluto/
>                  nat_traversal=yes
>                  virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24
>
>     conn gw-to-gw
>                  authby=secret
>                  left=192.168.1.1
>                  leftsubnet=10.1.1.0/24
>                  leftnexthop=192.168.1.2
>                  right=192.168.1.2
>                  rightsubnet=10.1.2.0/24
>                  rightnexthop=192.168.1.1
>                  auto=start
>                  type=tunnel
>
>
> And *ipsec.secrets* on both machines is this:
>
>
>     192.168.1.1 192.168.1.2 : PSK "test"
>
> I then do *service ipsec start* on machine A followed by the same command
> on machine B. Then, again on machine A, I do *ipsec auto --up gw-to-gw*
> followed by the exact same command on machine B.
>
> Machine A output:
>
>     [root@mainmachine etc]# service ipsec start
>     ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>     ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>     [root@mainmachine etc]# ipsec auto --up gw-to-gw
>     117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
>     004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>     [root@mainmachine etc]#
>
>
> Machine B output:
>
>     [root@mainmachine etc]# service ipsec start
>     ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>     ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>     [root@mainmachine etc]# ipsec auto --up gw-to-gw
>     117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
>     004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>     [root@mainmachine etc]#
>
> I’m now using Wireshark to see how the traffic goes through the network
> from machine A to machine B.
>
>
> Listening on interface *eth5* of machine B and pinging *10.1.2.254* or
> *10.1.2.2* from machine A, Wireshark does not capture any packet. If I
> do the exact same procedure but not listening on interface *eth6*
> Wireshark captures the following image.
>
> Inline image 2
>
> I believe that the packet should somehow be encrypted but Wireshark is
> telling me that it is not, so probably I have some kind of error on my
> *ipsec.conf* configuration.
>
> Can someone point me in some direction?
>
> Thanks,
>
> Kent Davies
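The check suggested in the reply, as an added example that is not part of the original thread: it reads the ESP SPIs from the `ipsec auto --up` status line quoted above and classifies packets captured on the link between A and B, flagging any that expose the 10.1.x.0/24 subnets in cleartext. The function names and the sample packets are constructed for illustration, and the UDP 4500 branch goes beyond the thread's case (where `NATD=none`) to cover NAT traversal.

```python
import ipaddress
import re
import struct

# Status line from machine A and the two subnets from ipsec.conf, as posted in the thread.
STATUS = ('004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established '
          'tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 '
          'NATOA=none NATD=none DPD=none}')
PROTECTED = [ipaddress.ip_network('10.1.1.0/24'), ipaddress.ip_network('10.1.2.0/24')]

def negotiated_spis(status_line):
    """Return the set of ESP SPIs (outbound, inbound) from a pluto status line."""
    m = re.search(r'ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)', status_line)
    if not m:
        raise ValueError('no ESP SA in status line')
    return {int(m.group(1), 16), int(m.group(2), 16)}

def classify(pkt, spis):
    """Classify one raw IPv4 packet captured on the link between the gateways."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return 'not-ipv4'
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == 17 and len(payload) >= 12:           # UDP: look for NAT-T on port 4500
        sport, dport = struct.unpack('!HH', payload[:4])
        if 4500 in (sport, dport) and payload[8:12] != b'\x00' * 4:
            proto, payload = 50, payload[8:]         # UDP-encapsulated ESP (RFC 3948)
    if proto == 50 and len(payload) >= 8:            # ESP header: SPI, sequence number
        spi, _seq = struct.unpack('!II', payload[:8])
        return 'esp-known-sa' if spi in spis else 'esp-unknown-sa'
    ends = [ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])]
    if any(a in net for a in ends for net in PROTECTED):
        return 'cleartext-leak'                      # protected subnet visible on the wire
    return 'other'

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample; checksum left at zero)."""
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

# Constructed sample packets, not taken from the poster's capture.
SAMPLES = [
    ipv4('192.168.1.1', '192.168.1.2', 50, struct.pack('!II', 0xc17e5cb7, 1) + b'\xaa' * 32),
    ipv4('10.1.1.1', '10.1.2.2', 1, b'\x08\x00' + b'\x00' * 6),
    ipv4('192.168.1.1', '192.168.1.2', 17,
         struct.pack('!HHHH', 4500, 4500, 24, 0) + struct.pack('!II', 0xefd31319, 7) + b'\xbb' * 8),
]

print([classify(p, negotiated_spis(STATUS)) for p in SAMPLES])
```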