From: Diego Woitasen <diegows@xt...> - 2009-07-21 14:57:19
Hi,

I'm setting up a scenario where I have two ipsec boxes with Ubuntu and Redhat (ipsec 0.6.7 and 0.3.3). The first has a policy to protect one port:

    spdadd 0.0.0.0/0 0.0.0.0/0[4104] tcp -P in ipsec esp/transport//require;
    spdadd 0.0.0.0/0[4104] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;

and the second to protect all ports:

    spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in none;
    spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out none;
    spdadd 0.0.0.0/0 0.0.0.0/0[53] any -P out none;
    spdadd 0.0.0.0/0[53] 0.0.0.0/0 any -P in none;
    spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/transport//require;
    spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/transport//require;

Also, the Redhat box has a policy to connect to 4104 of Ubuntu:

    spdadd 0.0.0.0/0 ubuntu[4104] tcp -P out ipsec esp/transport//require;
    spdadd ubuntu[4104] 0.0.0.0/0 tcp -P in ipsec esp/transport//require;

When I try to connect from Redhat to Ubuntu port 4104 the ISAKMP-SA is established but I get an error with IPSEC-SA:

    Jul 17 12:01:29 ubuntu racoon: ERROR: no policy found: 10.2.1.86/32[500] 10.2.1.83/32[500] proto=any dir=in
    Jul 17 12:01:29 ubuntu racoon: ERROR: failed to get proposal for responder.
    Jul 17 12:01:29 ubuntu racoon: ERROR: failed to pre-process packet.

If I remove all policies from Redhat except these:

    spdadd 0.0.0.0/0 ubuntu[4104] tcp -P out ipsec esp/transport//require;
    spdadd ubuntu[4104] 0.0.0.0/0 tcp -P in ipsec esp/transport//require;

It works.

Regards,
Diego

--
Diego Woitasen
XTECH
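An added example, not part of the original message: a small Python check that parses the `spdadd` lines posted for the Ubuntu box and the selector from racoon's "no policy found" line, then lists which policies cover that selector. The wildcard containment rule in `covers` and all function names are assumptions made for illustration; this is not racoon's own lookup code.

```python
import ipaddress
import re

# Policies the post lists for the Ubuntu box (responder), copied from the message.
UBUNTU_SPD = """\
spdadd 0.0.0.0/0 0.0.0.0/0[4104] tcp -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[4104] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;
"""
# racoon error line copied from the post.
RACOON_ERROR = ("Jul 17 12:01:29 ubuntu racoon: ERROR: no policy found: "
                "10.2.1.86/32[500] 10.2.1.83/32[500] proto=any dir=in")

ENDPOINT = re.compile(r"^([0-9.]+/\d+)(?:\[(\w+)\])?$")
SELECTOR = re.compile(r"no policy found: (\S+) (\S+) proto=(\S+) dir=(\S+)")

def parse_endpoint(text):
    """Split 'net/len[port]' into (network, port); a missing port means 'any'."""
    m = ENDPOINT.match(text)
    if m is None:
        raise ValueError(f"unsupported endpoint: {text!r}")
    return ipaddress.ip_network(m.group(1)), m.group(2) or "any"

def parse_spd(text):
    """Parse 'spdadd src dst proto -P dir policy ...;' lines into dicts."""
    entries = []
    for line in text.splitlines():
        f = line.strip().rstrip(";").split()
        if len(f) >= 7 and f[0] == "spdadd" and f[4] == "-P":
            entries.append({"src": parse_endpoint(f[1]), "dst": parse_endpoint(f[2]),
                            "proto": f[3], "dir": f[5], "line": line.strip()})
    return entries

def parse_selector(log_line):
    """Extract the selector racoon reports in a 'no policy found' error."""
    m = SELECTOR.search(log_line)
    if m is None:
        raise ValueError("not a 'no policy found' line")
    return {"src": parse_endpoint(m.group(1)), "dst": parse_endpoint(m.group(2)),
            "proto": m.group(3), "dir": m.group(4)}

def covers(policy_ep, sel_ep):
    """Assumed rule: selector network inside policy network, port equal or 'any'."""
    return sel_ep[0].subnet_of(policy_ep[0]) and policy_ep[1] in ("any", sel_ep[1])

def matching_policies(spd_text, log_line):
    """Return the spdadd lines whose direction, protocol and endpoints cover the selector."""
    sel = parse_selector(log_line)
    return [p["line"] for p in parse_spd(spd_text)
            if p["dir"] == sel["dir"] and p["proto"] in ("any", sel["proto"])
            and covers(p["src"], sel["src"]) and covers(p["dst"], sel["dst"])]

if __name__ == "__main__":
    print(matching_policies(UBUNTU_SPD, RACOON_ERROR))
```

With the two Ubuntu entries as posted, no policy covers the `[500]`/`[500]` `proto=any` selector, which agrees with the error racoon logged on that box.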