From: lun l. <lia...@gm...> - 2013-04-10 12:50:30
Hello all,

If I made a mistake in choosing the mailing list, please ignore this mail. But I would really appreciate it if anyone could help with the questions. Thanks!

I have been dealing with an IPsec problem for almost one week. Finally I have to send this mail to this list, hoping I could get some answer from you. Thanks in advance!

Background:

In our environment, we have one client, one IPsec Bridge and one server. The target is:

    Client(IPv6-1) <-----TCP-----> (IPv6-2)IPsec Bridge(IPv6-3) <------ESP-----> (IPv6-4)Server

The IPsec Bridge is based on Red Hat Enterprise Linux ES release 4 with two network interfaces (with IP forwarding active) + the setkey command. However, the result is not good.

Result of the test:

    Client(port 10001) ------TCP SYN------> IPsec Bridge ------ESP(TCP SYN)------> (port 7777)Server
    Client(port 10001) <----ESP(TCP SYN ACK)-------- IPsec Bridge <----ESP(TCP SYN ACK)-------- (port 7777)Server

The response was not decrypted back to a TCP message.

Here is the setkey -D and -DP result for your reference:

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|||||| setkey -DP on IPsec Bridge: ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

IPv6-4[7777] IPv6-1[10001] any
	in ipsec
	esp/transport//require
	created: Apr 11 18:53:26 2013  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3784 seq=3 pid=3146
	refcnt=1
IPv6-1[10001] IPv6-4[7777] any
	out ipsec
	esp/transport//require
	created: Apr 11 19:02:31 2013  lastused: Apr 11 19:02:40 2013
	lifetime: 0(s) validtime: 0(s)
	spid=3825 seq=2 pid=3146
	refcnt=2
IPv6-1[10000] IPv6-4[7807] any
	out ipsec
	esp/transport//require
	created: Apr 11 19:02:31 2013  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=3833 seq=1 pid=3146
	refcnt=1
IPv6-4[7777] IPv6-1[10001] any
	fwd ipsec
	esp/transport//require
	created: Apr 11 18:53:26 2013  lastused: Apr 11 18:56:54 2013
	lifetime: 0(s) validtime: 0(s)
	spid=3794 seq=0 pid=3146
	refcnt=1

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|||||| setkey -D on IPsec Bridge: ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

IPv6-1 IPv6-4
	esp mode=transport spi=3300170646(0xc4b49b96) reqid=0(0x00000000)
	E: aes-cbc  eb0e4048 3f2c834b 0b7e5005 a5e96c33
	A: hmac-sha1  ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Apr 11 19:02:31 2013	current: Apr 11 19:03:35 2013
	diff: 64(s)	hard: 0(s)	soft: 0(s)
	last: Apr 11 19:02:31 2013	hard: 0(s)	soft: 0(s)
	current: 324(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 3	hard: 0	soft: 0
	sadb_seq=3 pid=3147 refcnt=0
IPv6-1 IPv6-4
	esp mode=transport spi=2706885581(0xa157cbcd) reqid=0(0x00000000)
	E: aes-cbc  eb0e4048 3f2c834b 0b7e5005 a5e96c33
	A: hmac-sha1  ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Apr 11 19:02:31 2013	current: Apr 11 19:03:35 2013
	diff: 64(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=3147 refcnt=0
IPv6-4 IPv6-1
	esp mode=transport spi=30325576(0x01cebb48) reqid=0(0x00000000)
	E: aes-cbc  eb0e4048 3f2c834b 0b7e5005 a5e96c33
	A: hmac-sha1  ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Apr 11 19:02:31 2013	current: Apr 11 19:03:35 2013
	diff: 64(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=3147 refcnt=0
IPv6-4 IPv6-1
	esp mode=transport spi=38287151(0x0248372f) reqid=0(0x00000000)
	E: aes-cbc  eb0e4048 3f2c834b 0b7e5005 a5e96c33
	A: hmac-sha1  ba0fe421 b69053fa 6a30cdb7 df8e61e0 00000000
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Apr 11 19:02:31 2013	current: Apr 11 19:03:35 2013
	diff: 64(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=3147 refcnt=0

The E-Key, A-Key and related algorithm are consistent.

Now here are my questions; any answer or idea is appreciated!

(1) Do the setkey -DP and setkey -D results correspond to what I am looking for? IPsec set up between the IPsec Bridge and the Server only, and the IPsec Bridge able to do the encryption and decryption of the packets coming from and going to the Server over the dedicated port 10001 on the client and 7777 on the server. --- Now the problem is that the response is not decrypted. If the SAD and SPD are not correct now, what modification should I perform to make the IPsec Bridge solution work?

(2) When will we use "in", when will we use "out", and especially when will we use the "fwd" policy? A more complex case is: when the IPsec Bridge is a machine with two network cards, how many times will "in" be checked, and how many times will "out" be checked? Especially for "fwd", will any "fwd" be checked in the case of my environment? For example:

                   _____________________             _____________________
    Client ------>| Network interface 1 |--------->| Network interface 2 |--------> Server
             (1)                         (2)    (3)                         (4)

One of my ideas is that "in" will be used on (1) and (3), and "out" will be used on (2) and (4). Another idea is that "in" will be used on (1) and "out" on (4). Am I right? What is the correct answer for this question?

(3) I know from some words that NetBSD may be the best choice for an IPsec setup? How about Red Hat? Is there any possibility that I can use Red Hat to set up an IPsec Bridge that works like what I expected and described in the background?

Thanks in advance! Since I am a beginner at IPsec, I would appreciate getting help from you.

Best Regards
Talen
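The questions above turn on how the SPD and SAD dumps relate to each other and to the host that produced them. On Linux, `in` policies are consulted for packets delivered to the host itself, `fwd` policies for packets the host forwards out another interface, and `out` policies for packets it transmits, whether locally generated or forwarded; independently of policy, ESP is only decrypted by the host that owns the packet's outer destination address (in transport mode the inner endpoints, in tunnel mode the gateway's own address). The script below is an added example, not code from the mail, from ipsec-tools or from Red Hat: it parses the `setkey -DP` and `setkey -D` output layouts, cross-checks every `require` policy against the SAD, flags SA endpoint pairs that include none of the dumped host's own addresses, and reports an `out` direction with no reverse `in`/`fwd` policy. The two dumps are constructed to mirror the mail's output with RFC 3849 documentation addresses in place of IPv6-1 and IPv6-4 and shortened SA entries; the set of local addresses passed as `local_addrs` is an assumption supplied by the caller.

```python
"""Cross-check a `setkey -DP` (SPD) dump against a `setkey -D` (SAD) dump.
Added example, not code from the original mail; both dumps below are constructed."""
import re

# Constructed `setkey -DP` output in its real layout (entry header flush left,
# attributes indented), RFC 3849 addresses standing in for the mail's IPv6-1
# (client) and IPv6-4 (server); the same in/out/fwd policies as the mail.
SAMPLE_SPD = """\
2001:db8::4[7777] 2001:db8::1[10001] any
    in ipsec
    esp/transport//require
    spid=3784 seq=3 pid=3146
2001:db8::1[10001] 2001:db8::4[7777] any
    out ipsec
    esp/transport//require
    spid=3825 seq=2 pid=3146
2001:db8::4[7777] 2001:db8::1[10001] any
    fwd ipsec
    esp/transport//require
    spid=3794 seq=0 pid=3146
"""
# Constructed `setkey -D` output, one transport-mode ESP SA per direction.
SAMPLE_SAD = """\
2001:db8::1 2001:db8::4
    esp mode=transport spi=3300170646(0xc4b49b96) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    sadb_seq=3 pid=3147 refcnt=0
2001:db8::4 2001:db8::1
    esp mode=transport spi=30325576(0x01cebb48) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    sadb_seq=1 pid=3147 refcnt=0
"""

ADDR_RE = re.compile(r"^([^\[]+)(?:\[(\w+)\])?$")   # "addr[port]" or bare "addr"
DIR_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(\w+)$")  # proto/mode/[src-dst]/level
SA_RE = re.compile(r"^(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)")

def _entries(text):
    """Split a dump into (header, [attribute lines]); every entry starts flush left."""
    blocks = [b.splitlines() for b in re.split(r"\n(?=\S)", text.strip())]
    return [(b[0].strip(), [a.strip() for a in b[1:]]) for b in blocks]

def parse_spd(text):
    """Policies as dicts: src/dst (+ports), direction, action, rules, spid."""
    policies = []
    for header, body in _entries(text):
        src, dst, upper = header.split()
        (saddr, sport), (daddr, dport) = (ADDR_RE.match(t).groups() for t in (src, dst))
        pol = {"src": saddr, "sport": sport or "any", "dst": daddr, "dport": dport or "any",
               "upper": upper, "dir": None, "action": None, "rules": [], "spid": None}
        for line in body:
            if m := DIR_RE.match(line):
                pol["dir"], pol["action"] = m.groups()
            elif m := RULE_RE.match(line):
                pol["rules"].append(dict(zip(("proto", "mode", "tunnel", "level"), m.groups())))
            elif m := re.search(r"\bspid=(\d+)", line):
                pol["spid"] = int(m.group(1))
        policies.append(pol)
    return policies

def parse_sad(text):
    """SAs as dicts: src/dst, proto, mode, spi, state."""
    sas = []
    for header, body in _entries(text):
        src, dst = header.split()
        sa = {"src": src, "dst": dst, "proto": None, "mode": None, "spi": None, "state": None}
        for line in body:
            if m := SA_RE.match(line):
                sa["proto"], sa["mode"], sa["spi"] = m.group(1), m.group(2), int(m.group(3))
            elif m := re.search(r"\bstate=(\w+)", line):
                sa["state"] = m.group(1)
        sas.append(sa)
    return sas

def cross_check(policies, sas, local_addrs):
    """Findings for the host that owns `local_addrs` (assumption supplied by the caller)."""
    findings = []
    for p in policies:
        tag = f"spid={p['spid']} {p['dir']} {p['src']}->{p['dst']}"
        for r in (r for r in p["rules"] if r["level"] == "require"):
            # Transport mode protects the selector pair itself; tunnel mode names its outer pair.
            ends = (p["src"], p["dst"]) if r["mode"] == "transport" else tuple(r["tunnel"].split("-"))
            if not any((s["src"], s["dst"], s["proto"], s["mode"], s["state"])
                       == (*ends, r["proto"], r["mode"], "mature") for s in sas):
                findings.append(f"{tag}: no mature {r['proto']}/{r['mode']} SA {ends[0]}->{ends[1]}")
            # ESP is decrypted only by the owner of the outer destination address;
            # a pair containing no local address is merely forwarded by this host.
            if not set(ends) & set(local_addrs):
                findings.append(f"{tag}: endpoints {ends[0]}->{ends[1]} include no local address")
    # An encrypting "out" needs the reverse "in" (local delivery) or "fwd" (forwarded)
    # policy; otherwise unprotected replies for that flow are accepted.
    outs = {(p["src"], p["dst"]) for p in policies if (p["dir"], p["action"]) == ("out", "ipsec")}
    back = {(p["dst"], p["src"]) for p in policies if p["dir"] in ("in", "fwd") and p["action"] == "ipsec"}
    findings += [f"out {s}->{d} has no in/fwd policy for {d}->{s}" for s, d in sorted(outs - back)]
    return findings

if __name__ == "__main__":
    # Assumed: dumps taken on a forwarding host (the mail's IPsec Bridge) whose own
    # addresses are 2001:db8::2 and 2001:db8::3, i.e. the mail's IPv6-2 and IPv6-3.
    for f in cross_check(parse_spd(SAMPLE_SPD), parse_sad(SAMPLE_SAD), {"2001:db8::2", "2001:db8::3"}):
        print(f)
```

Run as-is, the checker finds a mature SA for every `require` policy and the reverse `in`/`fwd` coverage for the `out` flow, and reports only that none of the three transport-mode endpoint pairs contains an address of the forwarding host; the same dumps taken on a host that owns 2001:db8::1 produce no findings. Feed it real output by replacing the two sample strings with the captured dumps and `local_addrs` with the addresses of the interfaces on the host where they were taken.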