
linux-ipsec: More questions

From: Kai Martius <admin(at)imib.med.tu-dresden.de>
Date: Fri Nov 27 1998 - 09:58:47 EST


Hi,

I'm still working to get transport mode running... Now with a *new* snapshot (Nov27) ;-), btw. on a SUSE-system. (Because SUSE has a somewhat different filesystem structure, the scripts (basically "setup") produce some errors, but they don't seem to be critical.)

However, there are problems after ipsec setup which I can't attribute to either scripting errors or bugs in the implementation. My setup: TM between 10.1.1.1 and 10.1.1.2, after "setup start" and "manual tm up" on both ends, I can ping and telnet (and probably anything else). "look" shows the following:

10.1.1.1 Fri Nov 27 16:42:37 MET 1998

10.1.1.1/32 -> 10.1.1.2/32 => esp0x1000@10.1.1.2 ah0x1002@10.1.1.2

ah0x1003@10.1.1.1 HMAC_MD5_Authentication: dir=in alen=16 win=0
ah0x1002@10.1.1.2 HMAC_MD5_Authentication: dir=out alen=16 win=0
esp0x1001@10.1.1.1 3DES_Encryption: dir=in iv=0x1be21813e914d019 seq=0 bit=0x00000000 win=0 flags=0x0<>
esp0x1000@10.1.1.2 3DES_Encryption: dir=out iv=0x64c5fb30517e1267 seq=80 bit=0x00000000 win=0 flags=0x0<>

Dest     Gateway    Genmask         Flags   MSS Window  irtt Iface
10.1.1.2 10.1.1.2   255.255.255.255 UGH    1404 0       0    ipsec0
10.1.2.0 10.1.1.2   255.255.255.0   UG     1500 0       0    eth0

10.1.1.2 Fri Nov 27 16:58:21 MET 1998

10.1.1.2/32 -> 10.1.1.1/32 => esp0x1001@10.1.1.1 ah0x1003@10.1.1.1

ah0x1002@10.1.1.2 HMAC_MD5_Authentication: dir=in alen=16 win=0
ah0x1003@10.1.1.1 HMAC_MD5_Authentication: dir=out alen=16 win=0
esp0x1000@10.1.1.2 3DES_Encryption: dir=in iv=0x1be21813e914d019 seq=0 bit=0x00000000 win=0 flags=0x0<>
esp0x1001@10.1.1.1 3DES_Encryption: dir=out iv=0x3de004d6bf721d0f seq=90 bit=0x00000000 win=0 flags=0x0<>

Dest       Gateway   Genmask         Flags   MSS Window  irtt Iface
10.1.1.1   10.1.1.1  255.255.255.255 UGH    1404 0       0    ipsec0
10.1.1.0   0.0.0.0   255.255.255.0   U      1500 0       0    eth0

PING works, but produces the following kernel log messages (on both ends) for every processed packet:

Nov 27 15:26:30 authserv kernel: klips_error May not have SA for decoding. Is IPSEC traffic expected on this I/F? Check routing.
Nov 27 15:26:31 authserv kernel: klips_error:ah_rcv: packet received from physical I/F (eth0) not connected to ipsec I/F. Cannot record stats.

Further, I wonder why packets in one direction are of proto 51 (ESP), but in the other I get two packets with AH first...

16:44:49.035776 10.1.1.1 > 10.1.1.2: ip-proto-51 112
16:44:49.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:49.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:50.035776 10.1.1.1 > 10.1.1.2: ip-proto-51 112
16:44:50.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:50.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88


(Hopefully, it's not because I don't RTFM ;-) ) Thanks for help.

Btw: The terms "left" and "right" are really not very well chosen. I'd suggest using "local" and "remote" instead (although this would need some changes in the scripts, because "left is left" and "right is right", but "local" and "remote" differ from one machine to the other...)

Greetings
Kai

# Kai Martius #
Received on Fri Nov 27 11:02:29 1998
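The two "ipsec look" dumps in the post are mirror images of each other: every SA one host uses for outbound traffic (dir=out) appears on the other host with the same SPI and destination as dir=in. Checking that by eye gets error-prone with more SAs, so here is a small checker, added as an illustration and not part of the original post or of the FreeS/WAN scripts. It parses the eroute line and the SA list from each peer's dump, verifies that each SPI referenced by an eroute is installed outbound locally and inbound on the remote peer, and also tallies the tcpdump lines by direction, labelling IP protocol numbers with their IANA names (50 = ESP, 51 = AH). The dumps are copied from the post; the deliberately broken variant LOOK_B_BAD (a mistyped SPI) is constructed here to show what a mismatch looks like.

```python
import re
from collections import Counter, defaultdict

# "ipsec look" output from each peer, copied from the post above.
LOOK_A = """10.1.1.1 Fri Nov 27 16:42:37 MET 1998
10.1.1.1/32 -> 10.1.1.2/32 => esp0x1000@10.1.1.2 ah0x1002@10.1.1.2
ah0x1003@10.1.1.1 HMAC_MD5_Authentication: dir=in alen=16 win=0
ah0x1002@10.1.1.2 HMAC_MD5_Authentication: dir=out alen=16 win=0
esp0x1001@10.1.1.1 3DES_Encryption: dir=in iv=0x1be21813e914d019 seq=0 bit=0x00000000 win=0 flags=0x0<>
esp0x1000@10.1.1.2 3DES_Encryption: dir=out iv=0x64c5fb30517e1267 seq=80 bit=0x00000000 win=0 flags=0x0<>
Dest     Gateway    Genmask         Flags   MSS Window  irtt Iface
10.1.1.2 10.1.1.2   255.255.255.255 UGH    1404 0       0    ipsec0
"""
LOOK_B = """10.1.1.2 Fri Nov 27 16:58:21 MET 1998
10.1.1.2/32 -> 10.1.1.1/32 => esp0x1001@10.1.1.1 ah0x1003@10.1.1.1
ah0x1002@10.1.1.2 HMAC_MD5_Authentication:dir=in alen=16 win=0
ah0x1003@10.1.1.1 HMAC_MD5_Authentication: dir=out alen=16 win=0
esp0x1000@10.1.1.2 3DES_Encryption: dir=in iv=0x1be21813e914d019  seq=0 bit=0x00000000 win=0 flags=0x0<>
esp0x1001@10.1.1.1 3DES_Encryption: dir=out iv=0x3de004d6bf721d0f seq=90 bit=0x00000000 win=0 flags=0x0<>
"""
# Constructed variant: the inbound ESP SPI on peer B was mistyped (0x1010 instead of 0x1000).
LOOK_B_BAD = LOOK_B.replace("esp0x1000@10.1.1.2 3DES", "esp0x1010@10.1.1.2 3DES")

# tcpdump lines from the post.
TCPDUMP = """16:44:49.035776 10.1.1.1 > 10.1.1.2: ip-proto-51 112
16:44:49.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:49.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:50.035776 10.1.1.1 > 10.1.1.2: ip-proto-51 112
16:44:50.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
16:44:50.035776 10.1.1.2 > 10.1.1.1: ip-proto-50 88
"""

EROUTE_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s*=>\s*(.*)$")
# "ah0x1002@10.1.1.2 HMAC_MD5_Authentication:dir=in ..." (the colon may or may not be followed by a space)
SA_RE = re.compile(r"^(esp|ah)0x([0-9a-fA-F]+)@(\S+)\s+(\S+?):\s*dir=(in|out)")
PKT_RE = re.compile(r"^\S+\s+(\S+) > (\S+): ip-proto-(\d+) (\d+)")
IP_PROTO = {50: "ESP", 51: "AH"}  # IANA protocol numbers


def parse_look(text):
    """Return (eroutes, sas): eroutes as (src, dst, [sa names]), sas as {name: 'in'|'out'}.
    Header and routing-table lines match neither pattern and are skipped."""
    eroutes, sas = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = EROUTE_RE.match(line)
        if m:
            eroutes.append((m.group(1), m.group(2), m.group(3).split()))
            continue
        m = SA_RE.match(line)
        if m:
            sas[f"{m.group(1)}0x{m.group(2)}@{m.group(3)}"] = m.group(5)
    return eroutes, sas


def check_pair(look_local, look_remote):
    """Cross-check one direction of a transport-mode pair: every SA the local
    eroute feeds must be dir=out locally and present as dir=in on the remote peer.
    Returns a list of findings; an empty list means the dumps mirror each other."""
    problems = []
    eroutes, sa_local = parse_look(look_local)
    _, sa_remote = parse_look(look_remote)
    for src, dst, names in eroutes:
        for name in names:
            if name not in sa_local:
                problems.append(f"{src}->{dst}: eroute references {name} but no such SA is installed locally")
            elif sa_local[name] != "out":
                problems.append(f"{name}: used by eroute for outbound traffic but dir={sa_local[name]}")
            if name not in sa_remote:
                problems.append(f"{name}: remote peer has no matching inbound SA")
            elif sa_remote[name] != "in":
                problems.append(f"{name}: remote peer has dir={sa_remote[name]}, expected in")
    return problems


def protocols_by_direction(text):
    """Count IPsec protocol types per (src, dst) pair in tcpdump output."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            proto = int(m.group(3))
            counts[(m.group(1), m.group(2))][IP_PROTO.get(proto, str(proto))] += 1
    return {pair: dict(c) for pair, c in counts.items()}


if __name__ == "__main__":
    for label, a, b in (("A->B", LOOK_A, LOOK_B), ("B->A", LOOK_B, LOOK_A), ("A->B (bad)", LOOK_A, LOOK_B_BAD)):
        print(label, check_pair(a, b) or "consistent")
    print(protocols_by_direction(TCPDUMP))
```

Run against the dumps from the post, both directions come back consistent, while the constructed LOOK_B_BAD is flagged because the eroute on 10.1.1.1 points at esp0x1000@10.1.1.2 and the remote peer no longer has that SPI inbound. The tcpdump tally confirms the asymmetry the post describes: only protocol 51 (AH) packets in the 10.1.1.1 -> 10.1.1.2 direction and only protocol 50 (ESP) packets the other way.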

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:08 EDT

