From: mohan chandra
To: freebsd-security@freebsd.org
Date: Fri, 1 Jul 2005 05:49:53 +0100 (BST)
Subject: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems.....
Hi All,

I need to establish an IPSec tunnel between two FreeBSD systems, using IPv6 addresses. The connection is host-to-host between two FreeBSD (RELEASE 4.11) systems with the KAME IPSec implementation. I tried to establish the connection, but it has some problems which are explained below.

              |----------------->|
 host1-[mohan]|                  |host2-[ram]
              |<-----------------|

host1 IPv6 address : fe80::2b0:d0ff:fe6f:dfa0
host2 IPv6 address : fe80::2b0:d0ff:fe48:7ce7

The 'ipsec.conf' files at Host1 and Host2 are attached along with this email (you can refer to them).

IPsec is started with the following commands at both systems (the IPsec SA & SPD are set according to the ipsec.conf files at both sides):

*******at Host1*******
mohan# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
mohan#
*******************

*******at Host2*******
ram# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
ram#
*******************

(File setkey.sh is also attached with the email below for your reference)

After that I executed the 'ping6' and 'tcpdump' commands to test the IPsec connection (on my system, i.e., host1-mohan), but it seems it is not working properly...

########### ping6 command output at host1 ############
mohan# ping6 -I xl0 fe80::2b0:d0ff:fe48:7ce7
PING6(56=40+8+8 bytes) fe80::2b0:d0ff:fe6f:dfa0%xl0 --> fe80::2b0:d0ff:fe48:7ce7
^C
--- fe80::2b0:d0ff:fe48:7ce7 ping6 statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
mohan#
#############################################

But with the tcpdump command it seems like packets are moving from host1 to host2 without the ESP (encryption) header, and reply packets from host2 to host1 with the ESP (encryption) header. It is shown in the following output:

########## tcpdump at host1 ###################
mohan# tcpdump -i xl0 host fe80::2b0:d0ff:fe6f:dfa0
tcpdump: listening on xl0
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] > ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)
10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)
10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)
10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)
10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)
######################################

Please reply to me with what the problem is with the connection setup. Let me know whether there are any mistakes in the ipsec.conf files attached with this email or in the policy setup..? Reply as soon as possible..

The connection works with IPv4 addresses without any problems. If you need any detail regarding the setup, I will send you the details.. Please give me proper suggestions.. any help will be greatly appreciated..

Thanks, with Regards
Mohan.

Attachment: ipsec-host1.conf

########The 'ipsec.conf' file at Host1 #########
# flush configs
flush ;
spdflush ;

# add a SAD entry
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";

# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;

Attachment: ipsec-host2.conf

########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;

# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";

# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
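As an added example, not part of the original post or of the KAME tools, here is a small Python checker for exactly the two artifacts quoted above: it parses the setkey "add" lines and verifies the 3des-cbc (24-byte) and hmac-sha1 (20-byte) key lengths, then tallies ESP versus cleartext packets per (src, dst) direction in the tcpdump excerpt and reports any on-wire SPI that no SA declares for that direction. The sample input is constructed from the lines quoted in the post, with the [host1]/[host2] annotations removed so the lines parse.

```python
import re

# Constructed sample: the host1 SA lines and four tcpdump lines from the post.
SETKEY_CONF = """\
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
"""
TCPDUMP = """\
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
"""
KEY_LEN = {"3des-cbc": 24, "hmac-sha1": 20}  # key sizes setkey(8) requires, in bytes
SA_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+esp\s+(0x[0-9a-fA-F]+)\s.*?'
                   r'-E\s+(\S+)\s+"([^"]*)".*?-A\s+(\S+)\s+"([^"]*)"')
PKT_RE = re.compile(r'^\S+\s+(\S+) > (\S+): (.*)$')
ESP_RE = re.compile(r'ESP\(spi=(0x[0-9a-fA-F]+)')

def check_sas(conf):
    """Parse setkey 'add' lines into (src, dst, spi, [problems])."""
    sas = []
    for m in filter(None, map(SA_RE.match, conf.splitlines())):
        src, dst, spi, ealg, ekey, aalg, akey = m.groups()
        # An unknown algorithm is flagged too, since KEY_LEN.get() returns None.
        problems = [f"{alg} key is {len(key)} bytes, needs {KEY_LEN.get(alg)}"
                    for alg, key in ((ealg, ekey), (aalg, akey))
                    if len(key.encode()) != KEY_LEN.get(alg)]
        sas.append((src, dst, int(spi, 16), problems))
    return sas

def traffic_by_direction(dump):
    """Per (src, dst): count ESP vs cleartext packets and collect SPIs seen."""
    stats = {}
    for m in filter(None, map(PKT_RE.match, dump.splitlines())):
        src, dst, rest = m.groups()
        d = stats.setdefault((src, dst), {"esp": 0, "clear": 0, "spis": set()})
        e = ESP_RE.search(rest)
        if e:
            d["esp"] += 1
            d["spis"].add(int(e.group(1), 16))
        else:
            d["clear"] += 1
    return stats

def unknown_spis(stats, sas):
    """SPIs on the wire that no SA declares for that (src, dst) direction."""
    known = {(s, d, spi) for s, d, spi, _ in sas}
    return sorted((s, d, spi) for (s, d), v in stats.items()
                  for spi in v["spis"] if (s, d, spi) not in known)
```

On the quoted sample it finds both key lengths valid, the SPI 0xfead covered by the host2-to-host1 SA, and no packets at all addressed directly from host1 to host2, only neighbor solicitations to ff02::1:ff48:7ce7.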