Resend it as I didnt find it in Mail Archive of ipsec-tools-users

 

From: SUN Nideson
Sent: 2013
731 9:43
To: 'ipsec-tools-users@lists.sourceforge.net'
Subject: RE: [Ipsec-tools-users] Problem when setup SA with port manually using setkey

 

Mick,

 

Thanks a lot for your response.

 

Following your suggestion, I run CLI with -v option.

And the configure file is accepted without error.

 

But I found that, each SA is manipulated twice on PF_KEY socket. Please see blow verbose info.

 

For the first time, port number is consistent with the configure file.

But the second time, port number is reset to 0.

 

Do you know why?

 

sadb_msg{ version=2 type=3 errno=0 satype=3

  len=19 reserved=0 seq=0 pid=28201

sadb_ext{ len=4 type=9 }

sadb_key{ bits=192 reserved=0

  key= 00000203 40000000 02001300 00000000 00000000 00000000 }

sadb_ext{ len=3 type=8 }

sadb_key{ bits=128 reserved=0

  key= 02009dda 8702cfcb 00000000 00000000 }

sadb_ext{ len=2 type=1 }

sadb_sa{ spi=1445 replay=0 state=0

  auth=2 encrypt=3 flags=0x00000040 }

sadb_ext{ len=2 type=19 }

sadb_x_sa2{ mode=0 reqid=0

  reserved1=0 reserved2=0 sequence=0 }

sadb_ext{ len=3 type=5 }

sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }

sockaddr{ len=16 family=2 port=40410

8702cfcb  }

sadb_ext{ len=3 type=6 }

sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }

sockaddr{ len=16 family=2 port=60410

87025795  }

 

 

sadb_msg{ version=2 type=3 errno=0 satype=3

  len=34 reserved=0 seq=0 pid=28201

sadb_ext{ len=2 type=1 }

sadb_sa{ spi=1445 replay=0 state=1

  auth=2 encrypt=3 flags=0x00000000 }

sadb_ext{ len=4 type=3 }

sadb_lifetime{ alloc=0, bytes=0

  addtime=0, usetime=0 }

sadb_ext{ len=4 type=4 }

sadb_lifetime{ alloc=0, bytes=0

  addtime=0, usetime=0 }

sadb_ext{ len=4 type=2 }

sadb_lifetime{ alloc=0, bytes=0

  addtime=1375152843, usetime=0 }

sadb_ext{ len=3 type=5 }

sadb_address{ proto=0 prefixlen=32 reserved=0x0000 }

sockaddr{ len=16 family=2 port=0

8702cfcb  }

sadb_ext{ len=3 type=6 }

sadb_address{ proto=0 prefixlen=32 reserved=0x0000 }

sockaddr{ len=16 family=2 port=0

87025795  }

sadb_ext{ len=3 type=7 }

sadb_address{ proto=255 prefixlen=0 reserved=0x0000 }

sockaddr{ len=16 family=2 port=0

00000000  }

sadb_ext{ len=3 type=8 }

sadb_key{ bits=128 reserved=0

  key= 00000000 00000000 00000000 00000000 }

sadb_ext{ len=4 type=9 }

sadb_key{ bits=192 reserved=0

  key= 00000000 00000000 00000000 00000000 00000000 00000000 }

sadb_ext{ len=2 type=19 }

sadb_x_sa2{ mode=1 reqid=0

 

And regarding your question.

 

>           ## SP, in file spdb.conf

>           spdadd 135.2.87.149[60410] 135.2.207.203[40410] any -P out ipsec

> esp/transport//require ;

> spdadd 135.2.207.203 135.2.87.149[50411] any -P in ipsec

> esp/transport//require ;

 

>> Have you omitted the port for 135.2.207.203 on purpose in the above?

 

[NDS] Yes, I omitted the port for 203 on purpose. Does the SP configuration impact the SA?

I tried adding the port to 207.203, and got the same result.

 

 

> spdadd 135.2.87.149[50411]

> 135.2.207.203[30411] any -P out ipsec esp/transport//require ;

> spdadd 135.2.207.203 135.2.87.149[60410] any -P in ipsec

> esp/transport//require ;

 

>> [Mick]  Again, have you omitted the port for 135.2.207.203 on purpose here too?

[NDS] Yes, Same as above.

 

 

> After I run "sudo setkey -f sadb.conf" and "sudo setkey -f spdb.conf".

> And display the SAs using "sudo setkey -Dp", I found the port numbers are

> all 0 instead of what I configured.

 

>> [Mick] I think that if you run setkey with just -D it will show you what ports are

>> actually being used by the connection, rather than what the kernel is able to

>> set/accept connections from.  The 135.2.87.149[0] notation is a wildcard for

>> any ports.  Have you confirmed that the correct ports are being used with

>> tcpdump?

[NDS] Yes, the real socket connection uses the correct port. But the SA is not selected based on the port.

 

So after I set up two SAs on 135.2.87.149:

1) 135.2.87.149[50411] 135.2.207.203[30411]

2) 135.2.87.149[60410] 135.2.207.203[40410]

 

The #1 SA will always be selected no matter when I send message from port 50411 to 30411,

Or from port 60410 to 40410.

 

> Whenever message is sent from 87.149 to 207.203, the SA with spi 8445 will

> be used, as it is displayed as the first one from server 87.149 to server

> 207.203. But actually, the message is sent from 87.149[50411] to

> 207.203[30411], the SA with spi 8440 shall be used.

 

>> [Mick] See if this problem remains, after you enter ports consistently for both

>> endpoints in your spdb.conf and after you check that corresponding SA ports

>> and policies have been set up in the other server too.

[NDS] I have tried this several times between two Linux servers, or one Linux server and one solaris server.

The result is same. So I wonder if the port can be supported in SA setup. I will try it more.

 

Have a nice day,

Nideson