
Re: Behaviour of IPsec when there are two flow-pairs between same gateways?

From: Christopher Biggs <listjunkie(at)pobox.com>
Date: Thu Jan 23 2003 - 22:59:44 EST

"Angelos D. Keromytis" <angelos@cs.columbia.edu> moved upon the face of the 'Net and spake thusly:

> Actually, that problem was supposed to have been fixed in revision 1.147 of
> /sys/netinet/ip_ipsp.c, back in May (3.2 shipped with revision 1.149).

I just installed OpenBSD v3.2 on two test systems and repeated my test.

I *still* see the same problem.

Here's my test configuration.

Box 1: "tardyon".  (Nominally "server" side.)
       "Outside" IP address:  192.168.6.17
       "Inside" IP address: 192.168.17.1

Box 2: "bogon"  ("client" side)
       "Outside" IP address:  192.168.6.10
       "Inside" IP address:  192.168.1.1           

Here's the isakmpd.conf for bogon (client). Server side is identical, but with the names changed around in the phase-2 sections.

Example session showing what I see follows the config file. See you there.

#------------------------- start of isakmpd.conf ------------------------
# (this file indented for email transmission to aid in skipping over it)

    [General]
    #Default-phase1-lifetime= 30,30:300

    [Phase 1]
    192.168.6.17= tardyon

    [Phase 2]
    Passive-connections= vpn1, vpn2

    [bogon-ID]
    ID-type= IPV4_ADDR
    Address= 192.168.6.10

    [bogon-eth1-ID]
    ID-type= IPV4_ADDR
    Address= 192.168.1.1

    [bogon-eth1-NET]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [tardyon-ID]
    ID-type= IPV4_ADDR
    Address= 192.168.6.17

    [tardyon-lo1-ID]
    ID-type= IPV4_ADDR
    Address= 192.168.17.1

    [tardyon-lo1-NET]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.17.0
    Netmask= 255.255.255.0

    [tardyon-rl0-ID]
    ID-type= IPV4_ADDR
    Address= 192.168.67.2

    [tardyon]
    Phase= 1
    Configuration= Default-main-mode
    Address= 192.168.6.17
    Authentication= mekmitasdigoat

    [bogon]
    Phase= 1
    Configuration= Default-main-mode
    Address= 192.168.6.10
    Authentication= mekmitasdigoat

    [vpn1]
    Phase= 2
    ISAKMP-peer= tardyon
    Configuration= Default-quick-mode
    Local-ID= bogon-ID
    Remote-ID= tardyon-ID

    [vpn2]
    Phase= 2
    ISAKMP-peer= tardyon
    Configuration= Default-quick-mode
    Local-ID= bogon-eth1-NET
    Remote-ID= tardyon-lo1-NET

    ###################################################3
    #
    # Shared crypto config
    #
    #

    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= BLF-SHA,3DES-SHA,BLF-MD5,3DES-MD5
    #Transforms= BLF-MD5,3DES-MD5

    [Default-aggressive-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= AGGRESSIVE
    Transforms= BLF-SHA,3DES-SHA

    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-BLF-SHA-SUITE,QM-ESP-3DES-MD5-SUITE

#------------------------------- end of isakmpd.conf ------------------------

OK, so let's bring the tunnels up one at a time and watch what happens...

Example session:

0. Start tcpdump on tardyon (server end)

    tardyon# sudo tcpdump -n -i rl1 esp or udp port 500 or \( icmp and not host 192.168.6.67 \)

1. Run isakmpd at both ends

    tardyon# isakmpd -d -DA=20
    bogon# isakmpd -d -DA=20

2. Connect "vpn1" from client end.

    bogon# echo "c vpn1" >/var/run/isakmpd.fifo

3. Send some traffic over vpn1

    bogon# ping 192.168.6.17

    TCPdump reports:

        11:37:56.699715 esp 192.168.6.10 > 192.168.6.17 spi 0x866DA73A seq 1 len 116
        11:37:56.700587 esp 192.168.6.17 > 192.168.6.10 spi 0xAC62A4E4 seq 1 len 116
        11:37:57.706412 esp 192.168.6.10 > 192.168.6.17 spi 0x866DA73A seq 2 len 116
        11:37:57.706728 esp 192.168.6.17 > 192.168.6.10 spi 0xAC62A4E4 seq 2 len 116

4. Connect "vpn2" from client end.

    bogon# echo "c vpn2" >/var/run/isakmpd.fifo

5. Send some traffic over vpn2


    bogon# ping -I 192.168.1.1 192.168.17.1

    TCPdump reports (note WRONG SPI values. Those are values for vpn1!):

        11:38:57.313321 esp 192.168.6.10 > 192.168.6.17 spi 0x866DA73A seq 8 len 172
        11:38:57.314069 esp 192.168.6.17 > 192.168.6.10 spi 0xAC62A4E4 seq 8 len 172
        11:38:58.321051 esp 192.168.6.10 > 192.168.6.17 spi 0x866DA73A seq 9 len 172
        11:38:58.321651 esp 192.168.6.17 > 192.168.6.10 spi 0xAC62A4E4 seq 9 len 172

6. Disconnect "vpn1" from client end.

    bogon# echo "t vpn1" >/var/run/isakmpd.fifo

7. Send some more traffic over vpn2

    bogon# ping -I 192.168.1.1 192.168.17.1

    TCPdump reports (now correct SPI values for vpn2):

        11:39:16.367364 esp 192.168.6.10 > 192.168.6.17 spi 0xCDF897D5 seq 12 len 116
        11:39:16.367720 esp 192.168.6.17 > 192.168.6.10 spi 0xBEBAD36D seq 12 len 116
        11:39:17.369385 esp 192.168.6.10 > 192.168.6.17 spi 0xCDF897D5 seq 13 len 116
        11:39:17.369735 esp 192.168.6.17 > 192.168.6.10 spi 0xBEBAD36D seq 13 len 116
Received on Thu Jan 23 22:58:21 2003
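The message above makes its case by eye: packets that should ride vpn2 appear on the wire with vpn1's SPIs until vpn1 is torn down. The following script is an added example, not code from Christopher Biggs's message or from isakmpd itself. It parses the Phase-2 and ID sections of the posted isakmpd.conf (reduced to what the check needs), works out which connection's selectors cover a given inner source/destination pair, and then checks tcpdump "esp" lines against the SPI pairs each connection negotiated. The SPI table is constructed from the tcpdump output in steps 3 and 7 of the message; the trace lines are copied from steps 5 and 7. An overlap check on the selectors is included so that the reader can confirm the two flows are distinct by configuration, which is what makes the wrong-SPI observation a kernel SA-selection problem rather than an ambiguous policy.

```python
"""Map inner traffic to the isakmpd Phase-2 connection that should carry it,
and flag ESP packets whose SPI belongs to a different connection.
Added example; not code from the original message or from isakmpd."""
import configparser
import ipaddress
import re

# Client-side isakmpd.conf, reduced to the sections this check needs
# (reconstructed from the message; Phase-1 and crypto sections omitted).
ISAKMPD_CONF = """
[bogon-ID]
ID-type= IPV4_ADDR
Address= 192.168.6.10
[bogon-eth1-NET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[tardyon-ID]
ID-type= IPV4_ADDR
Address= 192.168.6.17
[tardyon-lo1-NET]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.17.0
Netmask= 255.255.255.0
[vpn1]
Phase= 2
ISAKMP-peer= tardyon
Local-ID= bogon-ID
Remote-ID= tardyon-ID
[vpn2]
Phase= 2
ISAKMP-peer= tardyon
Local-ID= bogon-eth1-NET
Remote-ID= tardyon-lo1-NET
"""

# SPI pairs each connection negotiated, constructed from the tcpdump output
# in steps 3 (vpn1) and 7 (vpn2) of the message.
SPI_TABLE = {
    "vpn1": {0x866DA73A, 0xAC62A4E4},
    "vpn2": {0xCDF897D5, 0xBEBAD36D},
}

# tcpdump lines copied from step 5: inner traffic 192.168.1.1 -> 192.168.17.1
STEP5_TRACE = [
    "11:38:57.313321 esp 192.168.6.10 > 192.168.6.17 spi 0x866DA73A seq 8 len 172",
    "11:38:57.314069 esp 192.168.6.17 > 192.168.6.10 spi 0xAC62A4E4 seq 8 len 172",
]
# tcpdump lines copied from step 7, after vpn1 was torn down
STEP7_TRACE = [
    "11:39:16.367364 esp 192.168.6.10 > 192.168.6.17 spi 0xCDF897D5 seq 12 len 116",
    "11:39:16.367720 esp 192.168.6.17 > 192.168.6.10 spi 0xBEBAD36D seq 12 len 116",
]

ESP_LINE = re.compile(
    r"^(?P<ts>\S+) esp (?P<src>\S+) > (?P<dst>\S+) spi (?P<spi>0x[0-9A-Fa-f]+) "
    r"seq (?P<seq>\d+) len (?P<len>\d+)$")

def selector(cfg, section):
    """Turn an isakmpd ID section into an ip_network (a host ID becomes a /32)."""
    sec = cfg[section]
    kind = sec["ID-type"].strip()
    if kind == "IPV4_ADDR":
        return ipaddress.ip_network(sec["Address"].strip() + "/32")
    if kind == "IPV4_ADDR_SUBNET":
        return ipaddress.ip_network(f"{sec['Network'].strip()}/{sec['Netmask'].strip()}")
    raise ValueError(f"unsupported ID-type {kind!r} in [{section}]")

def phase2_flows(conf_text):
    """Return {connection: (local_net, remote_net)} for every Phase 2 section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    flows = {}
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("Phase", "").strip() != "2":
            continue
        flows[name] = (selector(cfg, sec["Local-ID"].strip()),
                       selector(cfg, sec["Remote-ID"].strip()))
    return flows

def overlapping_flows(flows):
    """Pairs of connections whose selectors overlap on both ends (ambiguous policy)."""
    names = sorted(flows)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if flows[a][0].overlaps(flows[b][0]) and flows[a][1].overlaps(flows[b][1])]

def flow_for(flows, src, dst):
    """Connection whose selectors cover inner src -> dst, or None if none does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [n for n, (loc, rem) in flows.items() if src in loc and dst in rem]
    return hits[0] if hits else None

def spi_owner(spi, spi_table):
    """Connection that negotiated this SPI, or None if it is unknown."""
    return next((n for n, spis in spi_table.items() if spi in spis), None)

def check_trace(lines, expected_flow, spi_table):
    """[(timestamp, spi, owner)] for ESP packets carried by an SA that belongs
    to a connection other than the one the inner traffic selects."""
    bad = []
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if m is None:
            continue
        owner = spi_owner(int(m["spi"], 16), spi_table)
        if owner != expected_flow:
            bad.append((m["ts"], m["spi"], owner))
    return bad

if __name__ == "__main__":
    flows = phase2_flows(ISAKMPD_CONF)
    expected = flow_for(flows, "192.168.1.1", "192.168.17.1")  # vpn2
    for ts, spi, owner in check_trace(STEP5_TRACE, expected, SPI_TABLE):
        print(f"{ts}: spi {spi} belongs to {owner}, expected {expected}")
```

Run as-is it reports both step-5 packets as carried by vpn1's SAs while the inner addresses select vpn2, and reports nothing for the step-7 trace. The same check_trace call is a cheap regression test for the fix the quoted reply refers to: feed it a fresh capture taken after both connections are up and it should come back empty. The SPI table has to be learned from a capture or from the SA database on the host, since the config never contains SPIs.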

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:29 EDT

