(usagi-users 02201) Strange behaviour with IPsec
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 02201) Strange behaviour with IPsec
- From: Bernd Leinfelder <leinfeld@xxxxxxxxxx>
- Date: Wed, 12 Feb 2003 17:48:44 +0100
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Thu, 13 Feb 2003 12:32:26 +0900
- Resent-from: sekiya@xxxxxxxxxx
- Resent-message-id: <200302131232.FMLAAB24985.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
- User-agent: Mutt/1.4i
Hi,
I have the following configuration:
SG1-ppp0========================eth1-SG2-eth0-----------------eth0-HOST2

SG1:
  ppp0: 217.185.122.178
  sit1: fec1::5378/128
  tnl0: fe80::10
  tnl0: 2001:638:100:3::5378/128

SG2:
  eth1: 141.84.224.70
  sit1: fec1::1/128
  tnl0: fe80::20
  eth1: 2001:638:100:3::1/128
  eth0: 2001:638:100:2::1/64

HOST2:
  eth0: 2001:638:100:2:f432:bb83:55d9:46b9/64
I want to communicate from SG1 to HOST2, where the packets
from SG1 to SG2 should be encrypted.
So I configured a sit-tunnel from SG1 to SG2 for v6-connectivity and
an ipv6-tunnel as in the IPSec-Howto. Then
I made the IPSec setup:
pfkey -A sa -s fec1::5378 -d fec1::1 -T esp -S 0xdef1 \
--esp 3des-cbc --espkey 0xa7a36ebd9....
pfkey -A sp -s 2001:638:100:3::5378 -d 2001:638:100:2::/64 \
-T esp -S 0xdef1 --tunnel --sad fec1::1
pfkey -A sa -s fec1::1 -d fec1::5378 -T esp -S 0xdef0 \
--esp 3des-cbc --espkey 0xa7a36...
pfkey -A sp -s 2001:638:100:2::/64 -d 2001:638:100:3::5378 \
-T esp -S 0xdef0 --tunnel --sad fec1::5378
Now the problem: packets from Host2 to SG1 are properly encrypted.
From SG1 to Host2, they have an ESP-Header, but with the
wrong spi (0x60000000) and the data is not encrypted. Here is the
tcpdump (ping6 -p feed), sniffing was done at the ipv4-link:
16:45:41.505833 217.185.122.178 > 141.84.224.70: fec1::5378 > fec1::1: ESP(spi=0x60000000,seq=0x403a40) (encap)
0x0000 4500 00bc 0000 4000 3129 9112 d9b9 7ab2
0x0010 8d54 d646 6000 0000 0068 32ff fec1 0000
0x0020 0000 0000 0000 0000 0000 5378 fec1 0000
0x0030 0000 0000 0000 0000 0000 0001 6000 0000
0x0040 0040 3a40 2001 0638 0100 0003 0000 0000
0x0050 0000 5378 2001 0638 0100 0002 f432 bb83
0x0060 55d9 46b9 8000 4cbf da2d 0300 256c 4a3e
0x0070 0565 0c00 feed feed feed feed feed feed
0x0080 feed feed feed feed feed feed feed feed
0x0090 feed feed feed feed feed feed feed feed
0x00a0 feed feed 9cc2 4b4b 2a9a e9d9 c07c f42a
0x00b0 088b a331 2a3a e958 2fcc 3062
So, where does this spi come from? Why are these packets
not encrypted, although there's an esp-header?
Another question: after this config works, I want
to use pluto for key exchange. Do I still have to configure
the ipv6 tunnel manually then?
Best,
Bernd