From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261499AbULCPmd (ORCPT ); Fri, 3 Dec 2004 10:42:33 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262294AbULCPmd (ORCPT ); Fri, 3 Dec 2004 10:42:33 -0500
Received: from ns2.planet-work.com ([212.37.221.36]:8411 "EHLO feng.planet-work.com") by vger.kernel.org with ESMTP id S261499AbULCPmZ (ORCPT ); Fri, 3 Dec 2004 10:42:25 -0500
Message-ID: <1102088541.41b0895d0ad09@webmail.planet-work.com>
Date: Fri, 3 Dec 2004 16:42:21 +0100
From: Jean SANSLUNE
To: linux-kernel@vger.kernel.org
Subject: IPSec: using both AH and ESP authentification in transport mode
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-MOQ11020885419117bbae1b803d64c90badc40b7979f0"
User-Agent: Internet Messaging Program (IMP) 3.1
X-Originating-IP: 193.49.124.107
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

This message is in MIME format.

---MOQ11020885419117bbae1b803d64c90badc40b7979f0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi,

I use linux 2.6.9 native ipsec with racoon as IKE. I need to communicate with a Windows machine in transport mode, which is using both AH (MD5) and ESP (md5 for authentication, 3DES for encryption).

The problem is that I can't manage to communicate with it when it is configured to use both ESP and AH authentication. IKE part seems ok, I get ISAKMP-SA and IPsec-SA.

I use the following setkey:

--
#!/sbin/setkey -f
flush;
spdflush;
spdadd myip windowsip any -P out ipsec esp/transport//required ah/transport//required;
spdadd windowsip myip any -P in ipsec esp/transport//required ah/transport//required;
--

If I set up the windows machine and uncheck either the AH or the ESP checkbox (and remove the relevant line in my setkey.conf), everything works fine.
But in this configuration, I get ISAKMP-SA ok, and when I try to make traffic I get a lot of IPSec-SA established, either for ESP or AH and then purged almost immediately. As a result, I can't even ping one host from the other.

I have tried "complex_bundle on" in racoon (I've not exactly understood what it was for).

Thanks

---MOQ11020885419117bbae1b803d64c90badc40b7979f0
Content-Type: text/x-log; name="ipsec.log"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="ipsec.log"

---MOQ11020885419117bbae1b803d64c90badc40b7979f0--
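
The symptom described in the message (IPsec-SAs established and then purged almost immediately) can be measured from racoon's syslog output by pairing `IPsec-SA established` and `purged IPsec-SA` lines on protocol and SPI. This is an added example, not part of the original message: the log lines are constructed in racoon's format with documentation addresses and made-up SPIs, and `sa_churn` and `max_lifetime` are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample in racoon's syslog format (documentation addresses, made-up SPIs).
SAMPLE_LOG = """\
Dec  3 15:34:42 host racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.20->192.0.2.10 spi=1001(0x3e9)
Dec  3 15:34:42 host racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.10->192.0.2.20 spi=2001(0x7d1)
Dec  3 15:34:42 host racoon: INFO: purged IPsec-SA proto_id=ESP spi=2001.
Dec  3 15:34:42 host racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.10->192.0.2.20 spi=2002(0x7d2)
Dec  3 15:35:12 host racoon: INFO: purged IPsec-SA proto_id=ESP spi=2002.
Dec  3 15:35:12 host racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.10->192.0.2.20 spi=2003(0x7d3)
"""

STAMP = r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)"
EST = re.compile(STAMP + r".*IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>\w+) "
                 r"(?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)\(")
PURGED = re.compile(STAMP + r".*purged IPsec-SA proto_id=(?P<proto>\w+) spi=(?P<spi>\d+)\.")


def _ts(text):
    # syslog omits the year; an arbitrary fixed year is enough for time differences
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y %b %d %H:%M:%S")


def sa_churn(log_text, max_lifetime=60):
    """Return (proto, spi, src, dst, age_seconds) for SAs purged within max_lifetime."""
    live, churn = {}, []
    for line in log_text.splitlines():
        m = EST.search(line)
        if m:
            # Remember when and between which peers this SA was set up
            live[(m["proto"], m["spi"])] = (_ts(m["ts"]), m["src"], m["dst"])
            continue
        m = PURGED.search(line)
        if m and (m["proto"], m["spi"]) in live:
            born, src, dst = live.pop((m["proto"], m["spi"]))
            age = (_ts(m["ts"]) - born).total_seconds()
            if age <= max_lifetime:
                churn.append((m["proto"], int(m["spi"]), src, dst, age))
    return churn


if __name__ == "__main__":
    for proto, spi, src, dst, age in sa_churn(SAMPLE_LOG):
        print(f"{proto} spi={spi} {src}->{dst} purged after {age:.0f}s")
```

SAs that appear here with lifetimes of seconds, far below the lifetime negotiated in phase 2, confirm renegotiation churn rather than normal rekeying.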