From: Timo T. <tim...@ik...> - 2008-06-10 05:33:19
Philip Bellino wrote:
> I am running racoon from ipsec-tools-0.7 on 2 linux hosts running
> 2.6.22.
>
> Does racoon support ESP Authentication in transport mode?

Yes, with several different authentication functions.

> Whatever configuration I try, the resulting Wireshark packet trace shows
> the "ESP SPI", the "ESP Sequence", and the encrypted IP payload only.
> It does not show the ESP Trailer, or the "ESP Authentication Trailer",
> which is supposed to be present if doing ESP Authentication.

Yes, but it is not shown in wireshark unless it knows the SA (the ESP packet does not contain the length of the authentication data block; it is known by the receiver implicitly from the source ip, dest. ip, SPI triplet, as using that info it knows which authentication function was negotiated earlier). You must either a) run on the computer with the SA or b) manually add the SA details to wireshark. You should also enable ESP decoding from Edit -> Preferences -> Protocol -> ESP.

> The following is the racoon.conf files used on both hosts:
>
> ##
> sainfo anonymous
> {
>         pfs_group 2;
>         lifetime time 12 hour;
>         encryption_algorithm 3des, aes;
>         authentication_algorithm hmac_md5, hmac_sha1, hmac_sha256;
>         compression_algorithm deflate;
> }

This enables use of MD5, SHA1 and SHA256 as authenticator functions. Initiator proposes the first in the list, so you end up using MD5. This means that the 12 last bytes of ESP packet are the authentication data part. But wireshark does not know that unless you configure the SA details.

> Is there a parameter that I am missing to get the results I am looking
> for?

Yes, in wireshark, not racoon.

Cheers,
Timo
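To illustrate Timo's point that the authentication trailer can only be located once the SA's authenticator is known, here is an added example (not from the thread or from ipsec-tools) that assembles a transport-mode ESP packet with HMAC-MD5-96 and then splits and verifies it using the ICV length implied by the SA. The key, SPI and payload are constructed sample values; the 16-byte length for hmac_sha256 is taken from RFC 4868 and is an assumption about what a given stack negotiates.

```python
import hmac
import hashlib
import struct

# ICV (authentication data) length per negotiated authenticator.
# hmac_md5 / hmac_sha1 are truncated to 96 bits (RFC 2403 / RFC 2404).
# hmac_sha256 uses 128 bits per RFC 4868 (assumption: confirm what your
# implementation negotiated, since older stacks truncated it to 96 bits).
ICV_LEN = {
    "hmac_md5": (hashlib.md5, 12),
    "hmac_sha1": (hashlib.sha1, 12),
    "hmac_sha256": (hashlib.sha256, 16),
}

def build_esp(spi, seq, encrypted_payload, auth_alg, auth_key):
    """Assemble ESP: 8-byte header, opaque payload+trailer, then the ICV."""
    digest_fn, icv_len = ICV_LEN[auth_alg]
    body = struct.pack("!II", spi, seq) + encrypted_payload
    icv = hmac.new(auth_key, body, digest_fn).digest()[:icv_len]
    return body + icv

def split_esp(packet, auth_alg):
    """Separate SPI, sequence, payload and ICV; needs the SA's auth algorithm."""
    _, icv_len = ICV_LEN[auth_alg]
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq, packet[8:-icv_len], packet[-icv_len:]

def verify_esp(packet, auth_alg, auth_key):
    """Recompute the truncated HMAC over header+payload and compare to the ICV."""
    digest_fn, icv_len = ICV_LEN[auth_alg]
    expected = hmac.new(auth_key, packet[:-icv_len], digest_fn).digest()[:icv_len]
    return hmac.compare_digest(expected, packet[-icv_len:])

# Constructed sample SA and packet (not captured traffic).
SAMPLE_KEY = b"\x11" * 16
SAMPLE_PAYLOAD = b"\xaa" * 32   # stands in for encrypted IP payload + ESP trailer
SAMPLE_PACKET = build_esp(0x0000ABCD, 1, SAMPLE_PAYLOAD, "hmac_md5", SAMPLE_KEY)

if __name__ == "__main__":
    spi, seq, payload, icv = split_esp(SAMPLE_PACKET, "hmac_md5")
    print(f"SPI=0x{spi:08x} seq={seq} payload={len(payload)}B icv={len(icv)}B")
    print("ICV valid:", verify_esp(SAMPLE_PACKET, "hmac_md5", SAMPLE_KEY))
    # Without the SA a dissector sees only SPI, sequence and one opaque blob:
    print("Opaque bytes after the 8-byte header:", len(SAMPLE_PACKET) - 8)
```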