From: Jean SANSLUNE <jean.sanslune@cr0.org>
To: linux-kernel@vger.kernel.org
Subject: IPSec: using both AH and ESP authentification in transport mode
Date: Fri, 3 Dec 2004 16:42:21 +0100 [thread overview]
Message-ID: <1102088541.41b0895d0ad09@webmail.planet-work.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1224 bytes --]
Hi,
I use linux 2.6.9 native ipsec with racoon as IKE.
I need to communicate with a Windows machine in transport mode, which is using both
AH (MD5) and ESP (md5 for authentification, 3DES for encryption).
The problem is that I can't manage to communicate with it when it is configured to
use both ESP and AH authentification. IKE part seems ok, I get ISAKMP-SA and
IPsec-SA..
I use the following setkey:
--
#!/sbin/setkey -f
flush;
spdflush;
spdadd myip windowsip any -P out ipsec
esp/transport//required
ah/transport//required;
spdadd windowsip myip any -P in ipsec
esp/transport//required
ah/transport//required;
--
If I setup the windows machine and uncheck either the AH or the ESP checkbox (and
remove
the relevant line in my setkey.conf), everything works fine. But in this
configuration, I get ISAKMP-SA ok, and when I try to make traffic I get a lot of
IPSec-SA etablished, either for ESP or AH and then purged almost immediately.
As a result, I can't even ping one host from the other.
I have tried "complex_bundle on" in racoon (I've not exactly understood what it was
for).
Thanks
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: ipsec.log --]
[-- Type: text/x-log; name="ipsec.log", Size: 5613 bytes --]
Dec 3 15:34:20 my-machine racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Dec 3 15:34:20 my-machine racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Dec 3 15:34:20 my-machine racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Dec 3 15:34:20 my-machine racoon: INFO: 10.46.33.44[500] used as isakmp port (fd=8)
Dec 3 15:34:36 my-machine racoon: INFO: IPsec-SA request for 10.46.30.64 queued due to no phase1 found.
Dec 3 15:34:36 my-machine racoon: INFO: initiate new phase 1 negotiation: 10.46.33.44[500]<=>10.46.30.64[500]
Dec 3 15:34:36 my-machine racoon: INFO: begin Identity Protection mode.
Dec 3 15:34:36 my-machine racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/O=Compagny/OU=SPLC/CN=zopouet
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/O=Compagny/OU=SPLC/CN=SPLC AC Racine
Dec 3 15:34:41 my-machine racoon: INFO: ISAKMP-SA established 10.46.33.44[500]-10.46.30.64[500] spi:71b7dc4134b5f48b:0b79cd413c4c1fda
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=136133843(0x81d3cd3)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=142069899(0x877d08b)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1930527972(0x731184e4)
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1655964028(0x62b4017c)
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=165610192(0x9df02d0)
Dec 3 15:34:42 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1655964028.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=231360665(0xdca4899)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1168651890(0x45a83672)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=991529732(0x3b198b04)
Dec 3 15:35:12 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=32020488(0x1e89808)
Dec 3 15:35:12 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=991529732.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=169744978(0xa1e1a52)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=2954026642(0xb012de92)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1177987526(0x4636a9c6)
Dec 3 15:35:16 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=87041810(0x5302712)
Dec 3 15:35:16 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1177987526.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=92069865(0x57cdfe9)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=3698627843(0xdc749503)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=4158879399(0xf7e376a7)
Dec 3 15:35:17 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=256166963(0xf44cc33)
Dec 3 15:35:17 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=4158879399.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=14786193(0xe19e91)
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1963501739(0x7508a8ab)
reply other threads:[~2004-12-03 15:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1102088541.41b0895d0ad09@webmail.planet-work.com \
--to=jean.sanslune@cr0.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.