[Openswan Users] IPsec issue between RHEL and Solaris (Manual keying/Transport mode)

Anuroop R raj.anuroop at gmail.com
Mon Feb 10 08:30:20 EST 2014


Hi,

I am trying to set up IPsec between a RHEL host (Red Hat Release 6.4) and a
Solaris host (SunOS 5.9) using manual keying in transport mode.
I have added rules on both the RHEL and Solaris hosts and am trying to ping.

(1) Ping from the RHEL host is successful. The Solaris host receives the ping
request and responds to it. The RHEL host receives the ping response.
(2) Ping from the Solaris host is NOT successful. The RHEL host receives the
ping request, but does not respond to it.

I am not able to figure out why the ping response is not sent from the RHEL host.
Probably the packet is getting dropped at RHEL.
Not sure why the packet is getting dropped. No logs (using netkey) are
available to confirm that the packet is being dropped.

--------------------------------------------------------------------------
RHEL Host IP: 172.33.18.242   (This is a floating IP used in active/standby
mode)

(ifconfig -a output)
eth4:0    Link encap:Ethernet  HWaddr 00:11:3F:CB:89:17
          inet addr:172.33.18.242  Bcast:172.33.18.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:16

>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38dr2/K2.6.32-358.6.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
ap1106:root >


ip xfrm commands used:

ip xfrm state add src 172.33.18.242 dst 172.23.192.2 proto esp spi
0x00000301 mode transport auth md5 0x5b2b1cef5466ace720f16bd50c436b72 enc
des3_ede 0x62822da7d689ce4399423655a865ce4ada33955f137079bf
ip xfrm state add src 172.23.192.2 dst 172.33.18.242 proto esp spi
0x00000301 mode transport auth md5 0x5b2b1cef5466ace720f16bd50c436b72 enc
des3_ede 0x62822da7d689ce4399423655a865ce4ada33955f137079bf

ip xfrm policy add src 172.23.192.2  dst 172.33.18.242 dir in ptype main
tmpl src 172.23.192.2 dst 172.33.18.242 proto esp mode transport
ip xfrm policy add src 172.33.18.242 dst 172.23.192.2 dir out ptype main
tmpl src 172.33.18.242 dst 172.23.192.2 proto esp mode transport


ip xfrm state ls

src 172.23.192.2 dst 172.33.18.242
        proto esp spi 0x00000301 reqid 0 mode transport
        replay-window 0
        auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72
        enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 172.33.18.242 dst 172.23.192.2
        proto esp spi 0x00000301 reqid 0 mode transport
        replay-window 0
        auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72
        enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf
        sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm policy ls
src 172.23.192.2/32 dst 172.33.18.242/32
        dir in priority 0 ptype main
        tmpl src 172.23.192.2 dst 172.33.18.242
                proto esp reqid 0 mode transport
src 172.33.18.242/32 dst 172.23.192.2/32
        dir out priority 0 ptype main
        tmpl src 172.33.18.242 dst 172.23.192.2
                proto esp reqid 0 mode transport
...
---------------------------------------------------------------------------------
Solaris Host IP: 172.23.192.2
(ifconfig -a output)

qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 172.23.192.2 netmask ffffff00 broadcast 172.23.192.255
        ether 0:3:ba:68:75:4


psaplg02# cat /etc/inet/secret/ipseckeys
add ah spi 0x00359 src 172.33.18.242 dst 172.23.192.2 authalg md5 authkey
5b2b1cef5466ace720f16bd50c436b72
add ah spi 0x00359 src 172.23.192.2 dst 172.33.18.242 authalg md5 authkey
5b2b1cef5466ace720f16bd50c436b72
add esp spi 0x14442 src 172.33.18.242 dst 172.23.192.2 encralg 3des-cbc
encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf
add esp spi 0x14442 src 172.23.192.2 dst 172.33.18.242 encralg 3des-cbc
encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf

psaplg02# cat /etc/inet/ipsecinit.conf
{laddr 172.23.192.2 raddr 172.33.18.242} ipsec {encr_algs 3des-cbc
encr_auth_algs hmac-md5}

{laddr 172.33.18.242 raddr 172.23.192.2} ipsec {encr_algs 3des-cbc
encr_auth_algs hmac-md5}

psaplg02# ipseckey dump
Base message (version 2) type DUMP, SA type AH.
Message length 136 bytes, seq=1, pid=11384.
SA: SADB_ASSOC spi=0x359, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: flags=0x0 < >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, 172.23.192.2 (psaplg-02).
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, 172.33.18.242 <unknown>.
AKY: Authentication key.
AKY: 5b2b1cef5466ace720f16bd50c436b72/128
 LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Mon Feb 10 18:25:02 2014
CLT: Time now is Mon Feb 10 18:40:05 2014

Base message (version 2) type DUMP, SA type AH.
Message length 136 bytes, seq=1, pid=11384.
SA: SADB_ASSOC spi=0x359, replay=0, state=MATURE
SA: Authentication algorithm = HMAC-MD5
SA: flags=0x0 < >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, 172.33.18.242 <unknown>.
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, 172.23.192.2 (psaplg-02).
AKY: Authentication key.
AKY: 5b2b1cef5466ace720f16bd50c436b72/128
 LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Mon Feb 10 18:25:02 2014
CLT: Time now is Mon Feb 10 18:40:05 2014

Base message (version 2) type DUMP, SA type ESP.
Message length 144 bytes, seq=1, pid=11384.
SA: SADB_ASSOC spi=0x14442, replay=0, state=MATURE
SA: Encryption algorithm = 3DES-CBC
SA: flags=0x0 < >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, 172.23.192.2 (psaplg-02).
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, 172.33.18.242 <unknown>.
EKY: Encryption key.
EKY: 62832ca7d689ce4398433754a864ce4ada32945e137079bf/192
 LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Mon Feb 10 18:25:02 2014
CLT: Time now is Mon Feb 10 18:40:05 2014

Base message (version 2) type DUMP, SA type ESP.
Message length 144 bytes, seq=1, pid=11384.
SA: SADB_ASSOC spi=0x14442, replay=0, state=MATURE
SA: Encryption algorithm = 3DES-CBC
SA: flags=0x0 < >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, 172.33.18.242 <unknown>.
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, 172.23.192.2 (psaplg-02).
EKY: Encryption key.
EKY: 62832ca7d689ce4398433754a864ce4ada32945e137079bf/192
 LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Mon Feb 10 18:25:02 2014
CLT: Time now is Mon Feb 10 18:40:05 2014

Dump succeeded for SA type 0.
psaplg02#

psaplg02# ipsecconf
#INDEX 139
{laddr 172.23.192.2 raddr 172.33.18.242} ipsec {encr_algs 3des-cbc
encr_auth_algs hmac-md5}

#INDEX 141
{laddr 172.33.18.242 raddr 172.23.192.2} ipsec {encr_algs 3des-cbc
encr_auth_algs hmac-md5}

-------------------------------------------------------
Ping from RHEL host

 ping 172.23.192.2
PING 172.23.192.2 (172.23.192.2) 56(84) bytes of data.
64 bytes from 172.23.192.2: icmp_seq=1 ttl=252 time=1.72 ms
64 bytes from 172.23.192.2: icmp_seq=2 ttl=252 time=1.16 ms
64 bytes from 172.23.192.2: icmp_seq=3 ttl=252 time=1.00 ms
64 bytes from 172.23.192.2: icmp_seq=4 ttl=252 time=0.983 ms
64 bytes from 172.23.192.2: icmp_seq=5 ttl=252 time=1.08 ms
64 bytes from 172.23.192.2: icmp_seq=6 ttl=252 time=1.29 ms
64 bytes from 172.23.192.2: icmp_seq=7 ttl=252 time=1.34 ms
64 bytes from 172.23.192.2: icmp_seq=8 ttl=252 time=1.08 ms
64 bytes from 172.23.192.2: icmp_seq=9 ttl=252 time=1.45 ms
^C
--- 172.23.192.2 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8592ms
rtt min/avg/max/mdev = 0.983/1.237/1.726/0.231 ms


Ping from Solaris host

 ping -s 172.33.18.242
PING 172.33.18.242: 56 data bytes
^C
----172.33.18.242 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss

Could someone please help me understand why the RHEL host is not responding to ping?
Also, is it possible to check the IPsec (netkey) stack trace?


Thanks a lot in anticipation.

AR.
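With manual keying there is no IKE negotiation to reject a mismatched proposal, so an SA that does not exist on the peer simply results in silently dropped packets, exactly the symptom the post describes. The following script is an added example, not code from the post or from Openswan: it parses the Linux `ip xfrm state` output and the Solaris `/etc/inet/secret/ipseckeys` file as quoted above (both embedded here as constructed samples copied from the post) and reports, per traffic direction, SAs that exist on only one side and keyed parameters that differ. Run against the post's data it reports that the Linux side carries a single ESP SA (SPI 0x301, MD5 inside ESP) in each direction while the Solaris side carries an AH SA (SPI 0x359) plus a separate ESP SA (SPI 0x14442), so no protocol/SPI pair matches. It also shows why the `ipseckey dump` key bytes differ from the configured ones: Solaris prints the 3DES key after forcing odd parity on every byte, which is a display difference, not a different key. The algorithm-name mapping is an assumption covering only the algorithms in the post.

```python
"""Cross-check manually keyed IPsec SAs: Linux `ip xfrm state` vs. a Solaris ipseckeys file.
Added example (not from the mailing-list post or Openswan); sample inputs are copied from the post."""
import re

# Constructed sample: the `ip xfrm state ls` output quoted in the post (Linux side).
LINUX_XFRM_STATE = """\
src 172.23.192.2 dst 172.33.18.242
        proto esp spi 0x00000301 reqid 0 mode transport
        replay-window 0
        auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72
        enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 172.33.18.242 dst 172.23.192.2
        proto esp spi 0x00000301 reqid 0 mode transport
        replay-window 0
        auth hmac(md5) 0x5b2b1cef5466ace720f16bd50c436b72
        enc cbc(des3_ede) 0x62822da7d689ce4399423655a865ce4ada33955f137079bf
        sel src 0.0.0.0/0 dst 0.0.0.0/0
"""

# Constructed sample: /etc/inet/secret/ipseckeys quoted in the post (Solaris side), unwrapped.
SOLARIS_IPSECKEYS = """\
add ah spi 0x00359 src 172.33.18.242 dst 172.23.192.2 authalg md5 authkey 5b2b1cef5466ace720f16bd50c436b72
add ah spi 0x00359 src 172.23.192.2 dst 172.33.18.242 authalg md5 authkey 5b2b1cef5466ace720f16bd50c436b72
add esp spi 0x14442 src 172.33.18.242 dst 172.23.192.2 encralg 3des-cbc encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf
add esp spi 0x14442 src 172.23.192.2 dst 172.33.18.242 encralg 3des-cbc encrkey 62822da7d689ce4399423655a865ce4ada33955f137079bf
"""

# Assumed mapping of Linux crypto-API names to the Solaris spelling (only the algorithms in the post).
ALG_NAMES = {"hmac(md5)": "hmac-md5", "md5": "hmac-md5",
             "cbc(des3_ede)": "3des-cbc", "3des-cbc": "3des-cbc"}


def _norm_key(hexkey):
    """Lower-case hex without a 0x prefix, so both formats compare byte for byte."""
    k = hexkey.lower()
    return k[2:] if k.startswith("0x") else k


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into a list of SA dicts (src, dst, proto, spi, keys)."""
    sas = []
    for line in text.splitlines():
        if m := re.match(r"src (\S+) dst (\S+)$", line):  # an unindented line starts a new SA
            sas.append({"src": m[1], "dst": m[2]})
            continue
        if not sas:
            continue
        s = line.strip()
        if m := re.match(r"proto (\w+) spi (0x[0-9a-fA-F]+)", s):
            sas[-1]["proto"], sas[-1]["spi"] = m[1], int(m[2], 16)
        elif m := re.match(r"auth(?:-trunc)? (\S+) (0x[0-9a-fA-F]+)", s):
            sas[-1]["authalg"], sas[-1]["authkey"] = ALG_NAMES.get(m[1], m[1]), _norm_key(m[2])
        elif m := re.match(r"enc (\S+) (0x[0-9a-fA-F]+)", s):
            sas[-1]["encalg"], sas[-1]["enckey"] = ALG_NAMES.get(m[1], m[1]), _norm_key(m[2])
    return sas


def parse_ipseckeys(text):
    """Parse Solaris ipseckeys 'add' commands; the file is tokenised, so wrapped lines are fine."""
    sas = []
    for chunk in re.split(r"^add\b", text, flags=re.M)[1:]:
        tokens = chunk.split()
        kv = dict(zip(tokens[1::2], tokens[2::2]))  # keyword/value pairs after the protocol
        sa = {"proto": tokens[0], "src": kv["src"], "dst": kv["dst"], "spi": int(kv["spi"], 16)}
        if "authalg" in kv:
            sa["authalg"], sa["authkey"] = ALG_NAMES.get(kv["authalg"], kv["authalg"]), _norm_key(kv["authkey"])
        if "encralg" in kv:
            sa["encalg"], sa["enckey"] = ALG_NAMES.get(kv["encralg"], kv["encralg"]), _norm_key(kv["encrkey"])
        sas.append(sa)
    return sas


def compare_sas(linux, solaris):
    """Per direction, report SAs present on one side only and matching SAs whose keyed fields differ."""
    findings = []
    for src, dst in sorted({(s["src"], s["dst"]) for s in linux + solaris}):
        l = {(s["proto"], s["spi"]): s for s in linux if (s["src"], s["dst"]) == (src, dst)}
        r = {(s["proto"], s["spi"]): s for s in solaris if (s["src"], s["dst"]) == (src, dst)}
        for proto, spi in sorted(l.keys() - r.keys()):
            findings.append(f"{src}->{dst}: Linux {proto} spi {spi:#x} has no Solaris counterpart")
        for proto, spi in sorted(r.keys() - l.keys()):
            findings.append(f"{src}->{dst}: Solaris {proto} spi {spi:#x} has no Linux counterpart")
        for proto, spi in sorted(l.keys() & r.keys()):
            for field in ("authalg", "authkey", "encalg", "enckey"):
                if l[(proto, spi)].get(field) != r[(proto, spi)].get(field):
                    findings.append(f"{src}->{dst}: {proto} spi {spi:#x} differs in {field}")
    return findings


def des_odd_parity(hexkey):
    """Force odd parity on every byte (flip the low bit where the byte has an even number of 1s).
    Solaris `ipseckey dump` prints DES/3DES keys after this adjustment, so the dump in the post
    shows 62832ca7... for the configured 62822da7... without the key actually being different."""
    out = bytearray()
    for b in bytes.fromhex(_norm_key(hexkey)):
        out.append(b ^ 1 if bin(b).count("1") % 2 == 0 else b)
    return out.hex()


def run_check():
    """Run the cross-check on the two samples from the post."""
    return compare_sas(parse_xfrm_state(LINUX_XFRM_STATE), parse_ipseckeys(SOLARIS_IPSECKEYS))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
    print("Solaris dump form of the Linux 3DES key:",
          des_odd_parity("0x62822da7d689ce4399423655a865ce4ada33955f137079bf"))
```

To use it on live hosts, replace the two samples with `ip xfrm state` output captured on the Linux side and the ipseckeys file from the Solaris side; an empty findings list means every (direction, protocol, SPI) triple exists on both peers with identical keys and algorithms. Note that it does not check the policies (`ip xfrm policy` / `ipsecinit.conf`), which must match the SAs separately.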