Menu
▾
▴
[Ipsec-tools-users] IPsec Bridge---Response Didn't decryption.(IPsec setup using setkey).
|
From: lun l. <lia...@gm...> - 2013-04-10 12:50:30
|
Hello all,
If I made a mistake on choose the mailing list, Pls ignore this mail.
But I really appreciated if anyone could help on the quesions.Thanks!
I have deal with an IPsec problem in almost one week. Finally I have
to send this mail to this list hope I could get some answer from you,
thanks in advance!
Background:
In our environment, we have one client, one IPsec Bridge and one
server. The target is:
Client(IPv6-1) <-----TCP-----> (IPv6-2)IPsec Bridge(IPv6-3)
<------ESP-----> (IPv6-4)Server.
IPsec Bridge is base on Red Hat Enterprise Linux ES release 4 with two
Network interface(with IP forwarding active) + setkey command.
However the result is not good.
Result of the test:
Client(port 10001)------TCP SYN------> IPsec Bridge ------ESP(TCP
SYN)------> (port 7777)Server
Client(port 10001)<----ESP(TCP SYN ACK)-------- IPsec Bridge
<----ESP(TCP SYN ACK)-------- (port 7777)Server
The response didn't de-encryption to TCP message.
Here is the setkey -D and -DP result for your reference:
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
setkey -DP on IPsec Bridge: ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
IPv6-4[7777] IPv6-1[10001] any
in ipsec
esp/transport//require
created: Apr 11 18:53:26 2013 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3784 seq=3 pid=3146
refcnt=1
IPv6-1[10001] IPv6-4[7777] any
out ipsec
esp/transport//require
created: Apr 11 19:02:31 2013 lastused: Apr 11 19:02:40 2013
lifetime: 0(s) validtime: 0(s)
spid=3825 seq=2 pid=3146
refcnt=2
IPv6-1[10000] IPv6-4[7807] any
out ipsec
esp/transport//require
created: Apr 11 19:02:31 2013 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3833 seq=1 pid=3146
refcnt=1
IPv6-4[7777] IPv6-1[10001] any
fwd ipsec
esp/transport//require
created: Apr 11 18:53:26 2013 lastused: Apr 11 18:56:54 2013
lifetime: 0(s) validtime: 0(s)
spid=3794 seq=0 pid=3146
refcnt=1
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
setkey -D on IPsec Bridge: ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
IPv6-1 IPv6-4
esp mode=transport spi=3300170646(0xc4b49b96) reqid=0(0x00000000)
E: aes-cbc eb0e4048 3f2c834b 0b7e5005 a5e96c33
A: hmac-sha1 ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 11 19:02:31 2013 current: Apr 11 19:03:35 2013
diff: 64(s) hard: 0(s) soft: 0(s)
last: Apr 11 19:02:31 2013 hard: 0(s) soft: 0(s)
current: 324(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=3 pid=3147 refcnt=0
IPv6-1 IPv6-4
esp mode=transport spi=2706885581(0xa157cbcd) reqid=0(0x00000000)
E: aes-cbc eb0e4048 3f2c834b 0b7e5005 a5e96c33
A: hmac-sha1 ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 11 19:02:31 2013 current: Apr 11 19:03:35 2013
diff: 64(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=3147 refcnt=0
IPv6-4 IPv6-1
esp mode=transport spi=30325576(0x01cebb48) reqid=0(0x00000000)
E: aes-cbc eb0e4048 3f2c834b 0b7e5005 a5e96c33
A: hmac-sha1 ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 11 19:02:31 2013 current: Apr 11 19:03:35 2013
diff: 64(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=3147 refcnt=0
IPv6-4 IPv6-1
esp mode=transport spi=38287151(0x0248372f) reqid=0(0x00000000)
E: aes-cbc eb0e4048 3f2c834b 0b7e5005 a5e96c33
A: hmac-sha1 ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 11 19:02:31 2013 current: Apr 11 19:03:35 2013
diff: 64(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=3147 refcnt=0
The E-Key and A-Key and related algorithm is consistent.
Now my questions is here, any answer or idea is appreciated!
(1)Is the setkey -DP and setkey -D result corresponding to what I am
look forward? IPsec setup between IPsec Bridge and Server only. And
IPsec Bridge can done encryption and decryption the package come and
to Server over the dedicated port 10001 on client and 7777 on
server.---Now the problem is the response didn't decryption.
If the SAD and SPD is not correct now, what modification I should
perform to make the IPsec Bridge solution work?
(2)When we will use "in", and when will use "out", especially when
will use"fwd" policy? More complex case is that, when the IPsec Bridge
is a two network card machine, how many times of "in" will check, and
how many times of "out" will check? Especially for "fwd", is any "fwd"
will check during the case in my environment?
For example:
_________________________________________
Client----------->|Network interface 1|------------>|Network
interface 2|---------->Server
(1) (2) (3)
(4)
One of my idea is, "in" will use on (1) and (3), "out" will use on (2)and(4).
another idea is, in will use on(1), out will use on(4).
Am I right? What is the correct answer for this question?
(3)I know from some words, NetBSD maybe the best choice for IPsec
setup? How about Redhat? Is there any possible I can use Redhat to
setup a IPsec Bridge work like what I am expected and describe in the
backgroud?
Thanks in advance! Since I am a beginner of IPsec, I am appreciated I
could get a help from you.
Best Regards
Talen
|