Date:      Fri, 1 Jul 2005 05:49:53 +0100 (BST)
From:      mohan chandra <mohanchandra_01@yahoo.co.in>
To:        freebsd-security@freebsd.org
Subject:   Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems.....
Message-ID:  <20050701044953.82131.qmail@web8501.mail.in.yahoo.com>


Hi All,

I need to establish an IPSec tunnel between two
FreeBSD systems, using IPv6 addresses. The connection
is host-to-host between two FreeBSD (RELEASE 4.11)
systems with the KAME IPSec implementation.
I tried to establish the connection, but it has some
problems, which are explained below.

                |----------------->|
   host1-[mohan]|                  |host2-[ram]
                |<-----------------|

host1 IPv6 address : fe80::2b0:d0ff:fe6f:dfa0 
host2 IPv6 address : fe80::2b0:d0ff:fe48:7ce7

The 'ipsec.conf' files at Host1 and Host2 are attached
to this email (you can refer to them).

IPsec is started with the following commands at both
systems (the IPsec SA and SPD are set according to the
ipsec.conf files on both sides):
*******at Host1*******
mohan# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
mohan#
*******************
*******at Host2*******
ram# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
ram#
*******************
(The file setkey.sh is also attached to this email
for your reference.)

After that I executed the 'ping6' and 'tcpdump' commands
to test the IPsec connection (on my system,
i.e., host1-mohan), but it seems it is not working
properly...

########### ping6 command output at host1############
mohan# ping6 -I xl0 fe80::2b0:d0ff:fe48:7ce7
PING6(56=40+8+8 bytes) fe80::2b0:d0ff:fe6f:dfa0%xl0
--> fe80::2b0:d0ff:fe48:7ce7
^C
--- fe80::2b0:d0ff:fe48:7ce7 ping6 statistics ---
6 packets transmitted, 0 packets received, 100% packet
loss
mohan#
#############################################

But with the tcpdump command it seems that packets are
moving from host1 to host2 without an ESP (encryption)
header and reply packets from host2 to host1 with an
ESP (encryption) header. This is shown in the following
output:

########## tcpdump at host1 ###################

mohan# tcpdump -i xl0 host fe80::2b0:d0ff:fe6f:dfa0
tcpdump: listening on xl0

10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] >
ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has
fe80::2b0:d0ff:fe48:7ce7

10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)

10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 >
ff02::1:ff48:7ce7: icmp6: neighbor sol: who has 
fe80::2b0:d0ff:fe48:7ce7

10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)

10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 >
ff02::1:ff48:7ce7: icmp6: neighbor sol: who has
fe80::2b0:d0ff:fe48:7ce7

10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)

10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)

10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 >
ff02::1:ff48:7ce7: icmp6: neighbor sol: who has
fe80::2b0:d0ff:fe48:7ce7

10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)

10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)

10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 >
fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)

######################################

Please tell me what the problem with the connection
setup is. Let me know whether there are any mistakes in
the ipsec.conf files attached to this email or in the
policy setup. Please reply as soon as possible.

The connection works with IPv4 addresses without any
problems. If you need any details regarding the setup,
I will send them to you.

Please give me proper suggestions; any help will be
greatly appreciated.

Thanks,

With regards,
Mohan.



########The 'ipsec.conf' file at Host1 #########

# flush configs
flush ;
spdflush ;

# add a SAD entry
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc
"host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc
"host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";

# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec
esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;

spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec
esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;

########The 'ipsec.conf' file at Host2 #########

# flush configs
flush ;
spdflush ;

# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc
"host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc
"host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec
esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;

spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec
esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
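As an added offline check (this script is not from the post and not part of the KAME or FreeBSD tools), the following Python parses the SAD/SPD statements of the two attached setkey scripts and verifies what can be verified without the kernel: that every key has the size its algorithm requires (24 bytes for 3des-cbc, 20 bytes for hmac-sha1), that every SPD policy refers to an SA present in the SAD, and that each host's outbound policy is mirrored by an inbound policy and an identical SA on the peer. It assumes the quoted-ASCII key syntax used in the post (hex keys prefixed 0x are also measured), and it checks only the scripts' internal consistency, not how the kernel applies them to the traffic in the tcpdump capture above.

```python
import shlex
# Key sizes setkey(8) expects in bytes; HOST1/HOST2 are constructed samples of the attached files.
KEY_LEN = {"3des-cbc": 24, "hmac-sha1": 20}
H1, H2 = "fe80::2b0:d0ff:fe6f:dfa0", "fe80::2b0:d0ff:fe48:7ce7"  # host1, host2 from the post
HOST1 = f'''
add {H1} {H2} esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add {H2} {H1} esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
spdadd {H1} {H2} any -P out ipsec esp/transport/{H1}-{H2}/require;
spdadd {H2} {H1} any -P in ipsec esp/transport/{H2}-{H1}/require;'''
HOST2 = f'''
add {H2} {H1} esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
add {H1} {H2} esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
spdadd {H2} {H1} any -P out ipsec esp/transport/{H2}-{H1}/require;
spdadd {H1} {H2} any -P in ipsec esp/transport/{H1}-{H2}/require;'''

def parse(text):  # -> SAD {(src, dst): (proto, spi, {alg: key})}, SPD [(src, dst, dir, spec)]
    sad, spd = {}, []
    for tok in map(shlex.split, text.replace("\n", " ").split(";")):
        if tok and tok[0] == "add":  # shlex strips the quotes around the ASCII keys
            algs = {tok[i + 1]: tok[i + 2] for i, t in enumerate(tok) if t in ("-E", "-A")}
            sad[(tok[1], tok[2])] = (tok[3], int(tok[4], 16), algs)
        elif tok and tok[0] == "spdadd":  # spec is "proto/mode/src-dst/level"
            spd.append((tok[1], tok[2], tok[tok.index("-P") + 1], tok[-1]))
    return sad, spd

def check_host(name, sad, spd):  # per host: key sizes fit the algorithm, policies name a real SA
    issues = []
    for (src, dst), (proto, spi, algs) in sad.items():
        for alg, key in algs.items():
            n = (len(key) - 2) // 2 if key.startswith("0x") else len(key)
            if alg in KEY_LEN and n != KEY_LEN[alg]:
                issues.append(f"{name}: SA {spi:#x} {alg} key is {n} bytes, needs {KEY_LEN[alg]}")
    for src, dst, direction, spec in spd:
        proto, _mode, ends, _level = spec.split("/")
        if ends != f"{src}-{dst}" or sad.get((src, dst), (None,))[0] != proto:
            issues.append(f"{name}: {direction} policy {src}->{dst} has no matching {proto} SA")
    return issues

def audit(text1, text2):
    # Findings for a pair of setkey scripts; an empty list means SAD and SPD are consistent.
    hosts = {"host1": parse(text1), "host2": parse(text2)}
    issues = [i for name, (sad, spd) in hosts.items() for i in check_host(name, sad, spd)]
    for me, peer in (("host1", "host2"), ("host2", "host1")):
        (sad1, spd1), (sad2, spd2) = hosts[me], hosts[peer]
        for src, dst, direction, spec in spd1:  # each 'out' policy needs the mirrored 'in' on the peer
            if direction == "out" and (src, dst, "in", spec) not in spd2:
                issues.append(f"{peer} has no 'in' policy mirroring {me}'s {src}->{dst}")
            if direction == "out" and sad1.get((src, dst)) != sad2.get((src, dst)):
                issues.append(f"SA {src}->{dst} (SPI, algorithms or keys) differs between the hosts")
    return issues
```

Run on the two attached files, `audit(HOST1, HOST2)` returns an empty list, so the keys, SPIs and policy directions of the two scripts agree with each other.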
