* IPSec: using both AH and ESP authentication in transport mode
@ 2004-12-03 15:42 Jean SANSLUNE
From: Jean SANSLUNE @ 2004-12-03 15:42 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1224 bytes --]
Hi,
I use linux 2.6.9 native ipsec with racoon as IKE.
I need to communicate with a Windows machine in transport mode, which is using both
AH (MD5) and ESP (MD5 for authentication, 3DES for encryption).
The problem is that I can't manage to communicate with it when it is configured to
use both ESP and AH authentication. The IKE part seems OK; I get ISAKMP-SA and
IPsec-SA.
I use the following setkey:
--
#!/sbin/setkey -f
# Drop any existing SAs and policies before loading these.
flush;
spdflush;
# Outbound policy: both ESP and AH in transport mode. "require" is the level
# keyword setkey accepts (the post had "required").
spdadd myip windowsip any -P out ipsec
esp/transport//require
ah/transport//require;
# Inbound policy: mirror of the outbound one.
spdadd windowsip myip any -P in ipsec
esp/transport//require
ah/transport//require;
--
If I set up the Windows machine and uncheck either the AH or the ESP checkbox (and
remove the relevant line in my setkey.conf), everything works fine. But in this
configuration, I get ISAKMP-SA OK, and when I try to make traffic I get a lot of
IPsec-SAs established, either for ESP or AH, and then purged almost immediately.
As a result, I can't even ping one host from the other.
I have tried "complex_bundle on" in racoon (I've not exactly understood what it was
for).
Thanks
[-- Attachment #2: ipsec.log --]
[-- Type: text/x-log; name="ipsec.log", Size: 5613 bytes --]
Dec 3 15:34:20 my-machine racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Dec 3 15:34:20 my-machine racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Dec 3 15:34:20 my-machine racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Dec 3 15:34:20 my-machine racoon: INFO: 10.46.33.44[500] used as isakmp port (fd=8)
Dec 3 15:34:36 my-machine racoon: INFO: IPsec-SA request for 10.46.30.64 queued due to no phase1 found.
Dec 3 15:34:36 my-machine racoon: INFO: initiate new phase 1 negotiation: 10.46.33.44[500]<=>10.46.30.64[500]
Dec 3 15:34:36 my-machine racoon: INFO: begin Identity Protection mode.
Dec 3 15:34:36 my-machine racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/O=Compagny/OU=SPLC/CN=zopouet
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/O=Compagny/OU=SPLC/CN=SPLC AC Racine
Dec 3 15:34:41 my-machine racoon: INFO: ISAKMP-SA established 10.46.33.44[500]-10.46.30.64[500] spi:71b7dc4134b5f48b:0b79cd413c4c1fda
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=136133843(0x81d3cd3)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=142069899(0x877d08b)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1930527972(0x731184e4)
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1655964028(0x62b4017c)
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=165610192(0x9df02d0)
Dec 3 15:34:42 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1655964028.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=231360665(0xdca4899)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1168651890(0x45a83672)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=991529732(0x3b198b04)
Dec 3 15:35:12 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=32020488(0x1e89808)
Dec 3 15:35:12 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=991529732.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=169744978(0xa1e1a52)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=2954026642(0xb012de92)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1177987526(0x4636a9c6)
Dec 3 15:35:16 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=87041810(0x5302712)
Dec 3 15:35:16 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1177987526.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=92069865(0x57cdfe9)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=3698627843(0xdc749503)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=4158879399(0xf7e376a7)
Dec 3 15:35:17 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=256166963(0xf44cc33)
Dec 3 15:35:17 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=4158879399.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=14786193(0xe19e91)
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1963501739(0x7508a8ab)
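The symptom in the post is SAs that are established and then purged almost at once. As an added example (not part of the original post or of ipsec-tools), here is a Python analyzer that walks racoon log lines like the attached ipsec.log and reports per-protocol SA counts, each purge with the SA's lifetime in seconds, the SAs purged within a few seconds of establishment, and the SAs still live at the end of the log. The embedded sample is an excerpt of the log above; the 5-second flapping threshold is an assumption.

```python
import re
from collections import Counter

# Sample input: an excerpt of the racoon log attached to the post (ipsec.log).
SAMPLE_LOG = """\
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=136133843(0x81d3cd3)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1655964028(0x62b4017c)
Dec 3 15:34:42 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1655964028.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=991529732(0x3b198b04)
Dec 3 15:35:12 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=991529732.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1177987526(0x4636a9c6)
Dec 3 15:35:16 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1177987526.
"""

# Syslog timestamp (date ignored) followed by the two racoon messages of interest.
TS = r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) "
EST_RE = re.compile(TS + r".* IPsec-SA established: (AH|ESP)/\w+ \S+->\S+ spi=(\d+)")
PURGE_RE = re.compile(TS + r".* purged IPsec-SA proto_id=(AH|ESP) spi=(\d+)")


def _secs(m):
    """Seconds since midnight from the timestamp groups of a matched line."""
    return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))


def analyze(log_text, max_lifetime=5):
    """Summarise SA churn: SAs established per protocol, every purge as
    (proto, spi, lifetime_seconds), purges within max_lifetime seconds of
    establishment ("flapping"; 5 s is an assumed threshold), and live SAs."""
    established = Counter()
    live = {}  # (proto, spi) -> establishment time in seconds
    purges = []
    for line in log_text.splitlines():
        m = EST_RE.match(line)
        if m:
            proto, spi = m.group(4), int(m.group(5))
            established[proto] += 1
            live[(proto, spi)] = _secs(m)
            continue
        m = PURGE_RE.match(line)
        if m:
            proto, spi = m.group(4), int(m.group(5))
            born = live.pop((proto, spi), None)  # lifetime -1 if never seen established
            purges.append((proto, spi, -1 if born is None else _secs(m) - born))
    return {
        "established": dict(established),
        "purges": purges,
        "flapping": [p for p in purges if 0 <= p[2] <= max_lifetime],
        "still_live": dict(Counter(proto for proto, _ in live)),
    }
```

On the excerpt it shows what the log as a whole shows: only ESP SAs are purged, while the AH SAs stay live, which is the pattern to look for when comparing against a working single-protocol configuration.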