IPSec: using both AH and ESP authentification in transport mode

From: Jean SANSLUNE
Date: Fri Dec 03 2004 - 10:43:19 EST

Next message: Erik Jacobson: "Where should virutal filesystems live?"
Previous message: Bagalkote, Sreenivas: "RE: How to add/drop SCSI drives from within the driver?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I use linux 2.6.9 native ipsec with racoon as IKE.
I need to communicate with a Windows machine in transport mode, which is using both
AH (MD5) and ESP (md5 for authentification, 3DES for encryption).

The problem is that I can't manage to communicate with it when it is configured to
use both ESP and AH authentification. IKE part seems ok, I get ISAKMP-SA and
IPsec-SA..

I use the following setkey:

--
#!/sbin/setkey -f
flush;
spdflush;

spdadd myip windowsip any -P out ipsec
esp/transport//required
ah/transport//required;

spdadd windowsip myip any -P in ipsec
esp/transport//required
ah/transport//required;
--

If I setup the windows machine and uncheck either the AH or the ESP checkbox (and
remove
the relevant line in my setkey.conf), everything works fine. But in this
configuration, I get ISAKMP-SA ok, and when I try to make traffic I get a lot of
IPSec-SA etablished, either for ESP or AH and then purged almost immediately.
As a result, I can't even ping one host from the other.

I have tried "complex_bundle on" in racoon (I've not exactly understood what it was
for).

Thanks

Dec 3 15:34:20 my-machine racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Dec 3 15:34:20 my-machine racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Dec 3 15:34:20 my-machine racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Dec 3 15:34:20 my-machine racoon: INFO: 10.46.33.44[500] used as isakmp port (fd=8)
Dec 3 15:34:36 my-machine racoon: INFO: IPsec-SA request for 10.46.30.64 queued due to no phase1 found.
Dec 3 15:34:36 my-machine racoon: INFO: initiate new phase 1 negotiation: 10.46.33.44[500]<=>10.46.30.64[500]
Dec 3 15:34:36 my-machine racoon: INFO: begin Identity Protection mode.
Dec 3 15:34:36 my-machine racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/O=Compagny/OU=SPLC/CN=zopouet
Dec 3 15:34:41 my-machine racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/O=Compagny/OU=SPLC/CN=SPLC AC Racine
Dec 3 15:34:41 my-machine racoon: INFO: ISAKMP-SA established 10.46.33.44[500]-10.46.30.64[500] spi:71b7dc4134b5f48b:0b79cd413c4c1fda
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=136133843(0x81d3cd3)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=142069899(0x877d08b)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1930527972(0x731184e4)
Dec 3 15:34:42 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1655964028(0x62b4017c)
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:34:42 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=165610192(0x9df02d0)
Dec 3 15:34:42 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1655964028.
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=231360665(0xdca4899)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1168651890(0x45a83672)
Dec 3 15:34:42 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=991529732(0x3b198b04)
Dec 3 15:35:12 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:12 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=32020488(0x1e89808)
Dec 3 15:35:12 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=991529732.
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=169744978(0xa1e1a52)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=2954026642(0xb012de92)
Dec 3 15:35:12 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=1177987526(0x4636a9c6)
Dec 3 15:35:16 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:16 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=87041810(0x5302712)
Dec 3 15:35:16 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=1177987526.
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=92069865(0x57cdfe9)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=3698627843(0xdc749503)
Dec 3 15:35:16 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.33.44->10.46.30.64 spi=4158879399(0xf7e376a7)
Dec 3 15:35:17 my-machine racoon: INFO: initiate new phase 2 negotiation: 10.46.33.44[0]<=>10.46.30.64[0]
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: attribute has been modified.
Dec 3 15:35:17 my-machine racoon: WARNING: ignore CONNECTED notification.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.30.64->10.46.33.44 spi=256166963(0xf44cc33)
Dec 3 15:35:17 my-machine racoon: INFO: purged IPsec-SA proto_id=ESP spi=4158879399.
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: ESP/Transport 10.46.30.64->10.46.33.44 spi=14786193(0xe19e91)
Dec 3 15:35:17 my-machine racoon: INFO: IPsec-SA established: AH/Transport 10.46.33.44->10.46.30.64 spi=1963501739(0x7508a8ab)

Next message: Erik Jacobson: "Where should virutal filesystems live?"
Previous message: Bagalkote, Sreenivas: "RE: How to add/drop SCSI drives from within the driver?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]