Hi All,
 
I had specified the SPI value wrongly in the policy file.
Now I am able to establish IPsec with manual keying.
 
Thanks,
Gangadharan.
-----Original Message-----
From: ipsec-tools-users-bounces@lists.sourceforge.net [mailto:ipsec-tools-users-bounces@lists.sourceforge.net]On Behalf Of Gangadharan G - TLS,Chennai
Sent: Saturday, December 16, 2006 5:54 PM
To: ipsec-tools-users@lists.sourceforge.net
Subject: [Ipsec-tools-users] Problem in Manual keying thru' SETKEY

Hi All,
 
I am a novice to IPsec. Please help me with the query below.
 
When I tried to establish manually keyed IPsec between two Linux machines using the setkey command, I ran into some issues.
I have also explained below the steps I followed to enable manually keyed IPsec.
Please let me know if I have done anything wrong.
 
         *****************************                                  *****************************
         *        Host A             *                                  *        Host B             *
         *    (Fedora Core 4)        * <------------------------------> *    (SUSE Linux 9.2)       *
         *                           *       Manually keyed IPsec       *                           *
         *    10.101.210.219         *                                  *    10.101.210.16          *
         *****************************                                  *****************************
 
Host -A:
Linux Kernel version  : 2.6
[root@localhost usr]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
[root@localhost usr]# setkey -V
setkey @(#) ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
 
Host -B:
Linux Kernel version  : 2.6
linux:/home/gganga # uname -a
Linux linux 2.6.8-24-default #1 Wed Oct 6 09:16:23 UTC 2004 i686 i686 i386 GNU/Linux
linux:/home/gganga # setkey -V
setkey @(#) ipsec-tools 0.4rc1 (http://ipsec-tools.sourceforge.net)

STEP 1)
                I have created a policy file on both hosts.
 
Host-A:
[root@localhost ipsec]# cat policy
spdadd 10.101.210.219[8000] 10.101.210.16[8000] any -P out ipsec esp/transport//use;
spdadd 10.101.210.16[8000] 10.101.210.219[8000] any -P in ipsec esp/transport//use;
 
add 10.101.210.219 10.101.210.16 esp 0x10001 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
add 10.101.210.16 10.101.210.219 esp 0x10002 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
 
Host-B:
linux:/home/gganga/ipsec # cat policy
spdadd 10.101.210.16[8000] 10.101.210.219[8000] any -P out ipsec esp/transport//use;
spdadd 10.101.210.219[8000] 10.101.210.16[8000] any -P in  ipsec esp/transport//use;
 
add 10.101.210.16 10.101.210.219 esp 0x10001 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
add 10.101.210.219 10.101.210.16 esp 0x10002 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
 
 
STEP 2)
                I have loaded the policy using the setkey command and started racoon.
[root@localhost ipsec]# setkey -f policy
[root@localhost ipsec]# racoon -F
Foreground mode.
2006-12-15 18:30:43: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2006-12-15 18:30:43: INFO: @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
2006-12-15 18:30:43: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2006-12-15 18:30:43: INFO: 127.0.0.1[500] used for NAT-T
2006-12-15 18:30:43: INFO: 10.101.210.219[500] used as isakmp port (fd=8)
2006-12-15 18:30:43: INFO: 10.101.210.219[500] used for NAT-T
2006-12-15 18:30:43: INFO: ::1[500] used as isakmp port (fd=9)
2006-12-15 18:30:43: INFO: fe80::250:baff:fec4:ed99%eth0[500] used as isakmp port (fd=10)
 
STEP 3)
                I have sent a UDP packet from Host A to Host B.
 
The problem is:
                     I can see the IPsec message in tcpdump on Host B, but the data is not reaching my application running on Host B.
                     Also, I am not seeing any error log messages in racoon.
 
Host-B:
linux:/home/gganga/ipsec # tcpdump -v host 10.101.210.219
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:14:38.446106 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 64) 10.101.210.219 > 10.101.210.16: ESP(spi=0x00010001,seq=0x2)
 
Please help me regarding this.
 
NOTE:
When I execute the setkey command, I get the message below on the racoon console.
2006-12-15 19:02:13: INFO: unsupported PF_KEY message REGISTER
 
Thanks in Advance,
Gangadharan.

DISCLAIMER:
The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. It shall not attach any liability on the originator or HCL or its affiliates. Any views or opinions presented in this email are solely those of the author and may not necessarily reflect the opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of the author of this e-mail is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any mail and attachments please check them for viruses and defect.
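The root cause in this thread is visible by reading the two policy files side by side: Host A installs the 10.101.210.219 -> 10.101.210.16 SA under SPI 0x10001, while Host B installs its inbound SA for the same (src, dst) pair under SPI 0x10002, so the ESP packet tcpdump shows (spi=0x00010001) matches no inbound SA on Host B and is dropped silently. racoon plays no part in this: it only negotiates SAs over IKE, and manually added SAs go straight into the kernel SAD, so its log will never report a manual-keying mismatch. The script below is an added example, not code from the poster or from ipsec-tools. It embeds the two policy files from the thread as constructed strings, adds a constructed corrected Host B file and a constructed line with a too-short key, and cross-checks them for the two mistakes a manual-keying setup fails on silently: a (src, dst) pair whose outbound SPI on one host is not the inbound SPI on the other, and a hex key whose length does not match what setkey(8) requires for the algorithm. All function names are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example (not from the thread or ipsec-tools): cross-check two setkey
# manual-keying policy files for mismatched SPIs and wrong-length keys.
# Helper names are hypothetical; sample policies below are constructed inputs.

# Host A's SA lines, copied from the thread.
HOST_A_POLICY='add 10.101.210.219 10.101.210.16 esp 0x10001 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
add 10.101.210.16 10.101.210.219 esp 0x10002 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;'

# Host B's SA lines as posted: the SPIs are attached to the wrong directions.
HOST_B_POLICY='add 10.101.210.16 10.101.210.219 esp 0x10001 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
add 10.101.210.219 10.101.210.16 esp 0x10002 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;'

# Constructed corrected Host B file: every (src, dst, spi) triple now equals Host A's.
HOST_B_FIXED='add 10.101.210.219 10.101.210.16 esp 0x10001 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;
add 10.101.210.16 10.101.210.219 esp 0x10002 -m transport -E des-cbc 0x3ffe05014819ffff -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;'

# Constructed line with a 32-bit key where des-cbc needs 64 bits.
BAD_KEY_POLICY='add 10.101.210.219 10.101.210.16 esp 0x10001 -m transport -E des-cbc 0x3ffe0501 -A hmac-md5 0x3ffe05014819ffff3ffe05014819ffff;'

# spi_for POLICY SRC DST: print the SPI of the "add SRC DST" line (empty if none).
spi_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" \
        '$1 == "add" && $2 == src && $3 == dst { print $5; exit }'
}

# spi_dec SPI: normalise "0x10001" and tcpdump's "0x00010001" to one decimal value;
# -1 when no SA line was found.
spi_dec() {
    [ -n "$1" ] && echo $(( $1 )) || printf '%d\n' -1
}

# sa_mismatches POLICY_A POLICY_B IP_A IP_B: count directions whose outbound SPI
# on one host is not the inbound SPI for the same (src, dst) on the other host.
sa_mismatches() {
    pol_a=$1; pol_b=$2; ip_a=$3; ip_b=$4; bad=0
    # A -> B: the SA Host A encrypts with must be the SA Host B looks up on receipt.
    a_out=$(spi_dec "$(spi_for "$pol_a" "$ip_a" "$ip_b")")
    b_in=$(spi_dec "$(spi_for "$pol_b" "$ip_a" "$ip_b")")
    [ "$a_out" -ge 0 ] && [ "$a_out" -eq "$b_in" ] || bad=$((bad + 1))
    # B -> A, same rule in the other direction.
    b_out=$(spi_dec "$(spi_for "$pol_b" "$ip_b" "$ip_a")")
    a_in=$(spi_dec "$(spi_for "$pol_a" "$ip_b" "$ip_a")")
    [ "$b_out" -ge 0 ] && [ "$b_out" -eq "$a_in" ] || bad=$((bad + 1))
    echo "$bad"
}

# expected_bits ALGO: fixed key sizes from setkey(8) for the algorithms used here.
expected_bits() {
    case $1 in
        des-cbc)   echo 64 ;;
        3des-cbc)  echo 192 ;;
        hmac-md5)  echo 128 ;;
        hmac-sha1) echo 160 ;;
        *)         echo 0 ;;   # unknown algorithm: reported as a bad key
    esac
}

# key_bits HEXKEY: 4 bits per hex digit after the 0x prefix.
key_bits() {
    k=${1#0x}
    echo $(( ${#k} * 4 ))
}

# bad_keys POLICY: count -E/-A keys whose bit length does not match the algorithm.
bad_keys() {
    printf '%s\n' "$1" | awk '$1 == "add" {
        for (i = 1; i <= NF; i++)
            if ($i == "-E" || $i == "-A") print $(i + 1), $(i + 2)
    }' | while read -r algo key; do
        key=${key%;}
        [ "$(key_bits "$key")" -eq "$(expected_bits "$algo")" ] || echo bad
    done | awk 'END { print NR }'
}

echo "SPI mismatches (as posted):  $(sa_mismatches "$HOST_A_POLICY" "$HOST_B_POLICY" 10.101.210.219 10.101.210.16)"
echo "SPI mismatches (corrected):  $(sa_mismatches "$HOST_A_POLICY" "$HOST_B_FIXED" 10.101.210.219 10.101.210.16)"
echo "Bad key lengths (Host A):    $(bad_keys "$HOST_A_POLICY")"
echo "Bad key lengths (bad line):  $(bad_keys "$BAD_KEY_POLICY")"
```

On a live pair of hosts the same comparison can be made by hand: the SPI tcpdump prints on the receiver (spi=0x00010001 above) must appear as an inbound SA in that receiver's `setkey -D` output with the same source and destination, otherwise the packet is discarded without any application-visible error. Two caveats on the configuration as posted: the `use` level in `esp/transport//use` lets traffic fall back to cleartext when no SA matches, so a misconfiguration can pass unnoticed unless you sniff for it (`require` refuses to send in the clear); and des-cbc with hmac-md5 is lab-only material, since setkey also accepts aes-cbc and hmac-sha1 and both should be preferred for anything beyond an experiment.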