IPsec and 4.2

To: OpenBSD <misc@...>
Subject: IPsec and 4.2
Date: Friday, November 16, 2007 - 4:17 pm

Hi all,

I have been trying for a few days to set up IPsec for my wireless network. The
internet gateway has a ral(4) device:

mattieu@meule: ~ $ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:f8:a5:f3:34
        description: WLAN Link
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid NUFNUFNUF chan 11 bssid 00:18:f8:a5:f3:34 100dBm
        inet6 fe80::218:f8ff:fea5:f334%ral0 prefixlen 64 scopeid 0x4
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255

In /etc/ipsec.conf I have:
ike from any to 192.168.4.10 psk "test"

I start isakmpd and load the rules with ipsecctl:

mattieu@meule: ~ $ sudo isakmpd -K
mattieu@meule: ~ $ sudo ipsecctl -vf /etc/ipsec.conf
C set [Phase 1]:192.168.4.10=peer-192.168.4.10 force
C set [peer-192.168.4.10]:Phase=1 force
C set [peer-192.168.4.10]:Address=192.168.4.10 force
C set [peer-192.168.4.10]:Authentication=test force
C set [peer-192.168.4.10]:Configuration=mm-192.168.4.10 force
C set [mm-192.168.4.10]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.10]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Phase=2 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:ISAKMP-peer=peer-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Configuration=qm-0.0.0.0/0-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Remote-ID=rid-192.168.4.10 force
C set [qm-0.0.0.0/0-192.168.4.10]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-192.168.4.10]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-192.168.4.10]:ID-type=IPV4_ADDR force
C set [rid-192.168.4.10]:Address=192.168.4.10 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-192.168.4.10

On the other side, my laptop has an iwi device. IPsec is configured this way:

ike from any to any peer 192.168.4.1 psk "test"

I start IPsec the same way as on the gateway:

mattieu@freekc: ~ $ sudo isakmpd -K
mattieu@freekc: ~ $ sudo ipsecctl -vf /etc/pf.conf
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Phase=2 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Configuration=qm-0.0.0.0/0-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-0.0.0.0/0-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-0.0.0.0/0
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-::/0-::/0]:Phase=2 force
C set [IPsec-::/0-::/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-::/0-::/0]:Configuration=qm-::/0-::/0 force
C set [IPsec-::/0-::/0]:Local-ID=lid-::/0 force
C set [IPsec-::/0-::/0]:Remote-ID=rid-::/0 force
C set [qm-::/0-::/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-::/0-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [lid-::/0]:Network=:: force
C set [lid-::/0]:Netmask=:: force
C set [rid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [rid-::/0]:Network=:: force
C set [rid-::/0]:Netmask=:: force
C add [Phase 2]:Connections=IPsec-::/0-::/0
mattieu@freekc: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x2ade7f1b auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x4476f5e3 auth hmac-sha2-256 enc aes

On the gateway, I have:

mattieu@meule: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes

Once the client has associated with the gateway, no traffic except IPsec passes
through the gateway. That seems correct, since the flow on the gateway is from
0.0.0.0/0 to 0.0.0.0/0. But I don't understand why the rule 'ike from any
to 192.168.4.10 psk "test"' on the gateway results in "from 0.0.0.0/0 to
0.0.0.0/0" in the IPsec flows.

Am I doing something wrong?

Mattieu


-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."
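The symptom in the post (only IPsec traffic passes once the flows are installed) can be spotted directly in `ipsecctl -sa` output: an outbound `type require` flow whose selector is 0.0.0.0/0 to 0.0.0.0/0 forces every outbound packet into the tunnel towards that single peer. The following parser and check are an added example, not code from the post or from OpenBSD; the sample output is constructed after the gateway's FLOWS section above, with the mail line-wrapping undone.

```python
import re

# Constructed sample, modelled on the gateway's `ipsecctl -sa` output in the post
# (each flow on one line; the SAD lines are present to show they are ignored).
SAMPLE_OUTPUT = """\
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes
"""

# One `flow ...` line as printed by ipsecctl -sa; srcid/dstid are optional
# because manually loaded flows (ipsecctl -f with "flow" rules) may lack them.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+)(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\S+)$"
)

# Selectors that match every IPv4 or IPv6 address.
CATCH_ALL = {"0.0.0.0/0", "::/0"}


def parse_flows(text):
    """Return one dict per 'flow' line; SAD entries and headers are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def catch_all_require_flows(flows):
    """Outbound 'require' flows covering all-to-all traffic.

    Such a flow makes the kernel refuse to send any packet (to any
    destination) unless it can be wrapped in ESP for the named peer, which is
    the 'no traffic except IPsec' behaviour described in the post.
    """
    return [f for f in flows
            if f["dir"] == "out" and f["type"] == "require"
            and f["src"] in CATCH_ALL and f["dst"] in CATCH_ALL]
```

On a live OpenBSD box the same check runs over `sudo ipsecctl -sa` output fed to `parse_flows`; any hit names the peer whose tunnel now captures all outbound traffic.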