(usagi-users 02853) Is possible interoperation of Windows2000 ipsec and Usagi IPsec in IPv6 ?
- To: <usagi-users@xxxxxxxxxxxxxx>
- Subject: (usagi-users 02853) Is possible interoperation of Windows2000 ipsec and Usagi IPsec in IPv6 ?
- From: 한영주 <yjhan@xxxxxxxxxxxxxxxx>
- Date: Wed, 17 Mar 2004 17:50:23 +0900
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Thread-index: AcQL/OLI6sw96dI3Sjq1x4SVPRHmxQ==
Hello.
Has anyone ever tested IPv6 IPsec between usagi and Windows2000?
I would like to know a method for interoperation of Windows2000 IPsec and Usagi
IPsec in IPv6.
I have tested IPv6 IPsec between usagi and Windows2000.
But there are some problems in our tests.
My test 1 was between usagi and usagi (usagi-usagi). It works.
My test 2 was between Windows2000 and Windows2000 (windows2000-windows2000).
It also works.
But usagi-windows2000 does not work.
In the test, they can't process each other in the ipsec module.
And as I know, for supporting SAD (IPSEC), the prefix length for the IPv6
address of Windows2000 is just 64 bits.
But usagi doesn't accept prefix lengths that are equal to or smaller than 64
bits. If I try to input that, usagi wants to have just 1 policy, not 2 (2 means
bi-directional).
Who can give me some advice from your experience?
I must know whether it can or not..
My test environment is as follows.
-------------------------------------------------------------------
1. Test environments
1.1 Linux A (LA)
Usagi version : usagi-linux24-stable-20040104
IPv6 address : fe80::22e0:6cff:fe39:244b
1.2 Linux B (LB)
Usagi version : usagi-linux24-stable-20030214
IPv6 address : fe80::22e0:6cff:fe39:244b
1.3 Windows2000 (WA)
IPsec : Windows 2000 + SP4
IPv6 address : fe80::250:daff:fe90:48f7
1.4 Windows2000 (WB)
IPsec : Windows 2000 + SP4
IPv6 address : fe80::202:44ff:fe60:9a02
2. Test
2.1 Test 1 : LA <--> LB
(1) LA setting
-OUTBOUND
./pfkey -A sa -s fe80::22e0:6cff:fe39:244b -d fe80::250:bfff:fe27:3e4 -T ah -S 3000 -p any --auth hmac-md5 --authkey 0x49545243
./pfkey -A sp -s fe80::22e0:6cff:fe39:244b -d fe80::250:bfff:fe27:3e4 -T ah -S 3000 -p any
-INBOUND
./pfkey -A sa -d fe80::22e0:6cff:fe39:244b -s fe80::250:bfff:fe27:3e4 -T ah -S 3001 -p any --auth hmac-md5 --authkey 0x49545243
./pfkey -A sp -d fe80::22e0:6cff:fe39:244b -s fe80::250:bfff:fe27:3e4 -T ah -S 3001 -p any
(2) LB setting
Same with LA
(3) Test result
PING RESULT : ECHO REQUEST / REPLY WITH AH , THEN SUCCESS
2.2 Test 2 : WA <--> WB
(1) WA setting
-SPD
.spd file field   Value
Policy            2
RemoteIPAddr      fe80::202:44ff:fe60:9a02
LocalIPAddr       *
Protocol          *
RemotePort        *
LocalPort         *
IPSecProtocol     AH
IPSecMode         TRANSPORT
RemoteGWIPAddr    *
SABundleIndex     NONE
Direction         BIDIRECT
Direction         APPLY
InterfaceIndex    0
-SAD
.sad file field   Value                      Value
SAEntry           2                          1
SPI               3000                       3001
SADestIPAddr      fe80::202:44ff:fe60:9a02   fe80::250:daff:fe90:48f7
DestIPAddr        POLICY                     POLICY
SrcIPAddr         POLICY                     POLICY
Protocol          POLICY                     POLICY
DestPort          POLICY                     POLICY
SrcPort           POLICY                     POLICY
AuthAlg           AH                         AH
KeyFile           HMAC-MD5                   HMAC-MD5
Direction         OUTBOUND                   INBOUND
SecPolicyIndex    2                          2
(2) WB setting
-SPD
.spd file field   Value
Policy            2
RemoteIPAddr      fe80::250:daff:fe90:48f7
LocalIPAddr       *
Protocol          *
RemotePort        *
LocalPort         *
IPSecProtocol     AH
IPSecMode         TRANSPORT
RemoteGWIPAddr    *
SABundleIndex     NONE
Direction         BIDIRECT
Direction         APPLY
InterfaceIndex    0
-SAD
.sad file field   Value                      Value
SAEntry           2                          1
SPI               3001                       3000
SADestIPAddr      fe80::250:daff:fe90:48f7   fe80::202:44ff:fe60:9a02
DestIPAddr        POLICY                     POLICY
SrcIPAddr         POLICY                     POLICY
Protocol          POLICY                     POLICY
DestPort          POLICY                     POLICY
SrcPort           POLICY                     POLICY
AuthAlg           HMAC-MD5                   HMAC-MD5
KeyFile           Test.key                   Test.key
Direction         OUTBOUND                   INBOUND
SecPolicyIndex    2                          2
(3) Test result
PING RESULT : ECHO REQUEST / REPLY WITH AH , THEN SUCCESS
2.3 Test 3 : LA <--> WA
(1) LA setting
-OUTBOUND
./pfkey -A sa -s fe80::22e0:6cff:fe39:244b -d fe80::250:daff:fe90:48f7 -T ah -S 6000 -p any --auth hmac-md5 --authkey 'AAAAAAAAAAAAAAAA'
./pfkey -A sp -s fe80::22e0:6cff:fe39:244b -d fe80::250:daff:fe90:48f7 -T ah -S 6000 -p any
-INBOUND
./pfkey -A sa -d fe80::22e0:6cff:fe39:244b -s fe80::250:daff:fe90:48f7 -T ah -S 6001 -p any --auth hmac-md5 --authkey 'AAAAAAAAAAAAAAAA'
./pfkey -A sp -d fe80::22e0:6cff:fe39:244b -s fe80::250:daff:fe90:48f7 -T ah -S 6001 -p any
(2) WA setting
Test.key : "AAAAAAAAAAAAAAAA"
-SPD
.spd file field   Value
Policy            2
RemoteIPAddr      fe80::22e0:6cff:fe39:244b
LocalIPAddr       *
Protocol          *
RemotePort        *
LocalPort         *
IPSecProtocol     AH
IPSecMode         TRANSPORT
RemoteGWIPAddr    *
SABundleIndex     NONE
Direction         BIDIRECT
Direction         APPLY
InterfaceIndex    0
-SAD
.sad file field   Value                      Value
SAEntry           2                          1
SPI               6001                       6000
SADestIPAddr      fe80::22e0:6cff:fe39:244b  fe80::250:daff:fe90:48f7
DestIPAddr        POLICY                     POLICY
SrcIPAddr         POLICY                     POLICY
Protocol          POLICY                     POLICY
DestPort          POLICY                     POLICY
SrcPort           POLICY                     POLICY
AuthAlg           AH                         AH
KeyFile           HMAC-MD5                   HMAC-MD5
Direction         OUTBOUND                   INBOUND
SecPolicyIndex    2                          2
(3) Test result
-PING from LA to WA
LA --> ECHO REQUEST (including AH) --> WA
And no ECHO REPLY from WA.
And vice versa.
----------------------------------------------
Thanks,
Eunseon lee
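The usagi-to-Windows2000 test above fails at the point where the receiver's IPsec module checks the AH integrity value, so the first thing worth verifying in an interop debugging session is that both ends derive the same key bytes and cover the same bytes with HMAC-MD5-96. The following is an added example, not code from the usagi project or from the post: it builds an AH transport-mode IPv6 packet as LA would send it to WA (addresses and SPI 6000 taken from the post; the ICMPv6 echo request body is constructed and its checksum left at zero) and verifies it against a receiver SAD, showing that a hop-limit change in transit still verifies, while a different key or SPI does not. The `key_bytes` helper assumes that a `0x`-prefixed `--authkey` is hex and a quoted string is literal ASCII; that convention is an assumption about the pfkey tool, not something checked against its source.

```python
"""AH (RFC 2402) with HMAC-MD5-96 (RFC 2403) over IPv6 in transport mode.
Added example; assumptions are marked in comments."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IPv6 Next Header value for AH
ICMPV6_PROTO = 58
ICV_LEN = 12         # HMAC-MD5-96 keeps the first 96 bits of the HMAC


def key_bytes(spec):
    """Key as typed on the pfkey command line -> raw key bytes.
    Assumption (not checked against the usagi pfkey source): '0x...' is hex
    and anything else is literal ASCII.  Note that 0x49545243 == b'ITRC'."""
    if spec.startswith("0x"):
        return bytes.fromhex(spec[2:])
    return spec.encode("ascii")


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    # First 32-bit word: version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst))


def ah_header(next_header, spi, seq, icv):
    # Payload Len = AH length in 32-bit words minus 2 (12 + 12 bytes -> 4)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip6, ah_zeroed, payload):
    """ICV over the IPv6 header with its mutable fields (traffic class,
    flow label, hop limit) zeroed, the AH header with a zeroed ICV field,
    and the upper-layer payload."""
    immutable = b"\x60\x00\x00\x00" + ip6[4:7] + b"\x00" + ip6[8:40]
    mac = hmac.new(key, immutable + ah_zeroed + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, key, inner_proto, payload, hop_limit=64):
    ip6 = ipv6_header(src, dst, 12 + ICV_LEN + len(payload), AH_PROTO, hop_limit)
    zeroed = ah_header(inner_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = ah_icv(key, ip6, zeroed, payload)
    return ip6 + ah_header(inner_proto, spi, seq, icv) + payload


def verify_ah_packet(sad, pkt):
    """sad is the receiver's inbound SAD: {(dst_addr, spi): key}.
    Returns (spi, verified)."""
    ip6, rest = pkt[:40], pkt[40:]
    if ip6[6] != AH_PROTO:
        raise ValueError("not an AH packet")
    dst = socket.inet_ntop(socket.AF_INET6, ip6[24:40])
    _nh, plen, _rsv, spi, _seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    key = sad.get((dst, spi))
    if key is None:
        return spi, False          # no SA for this (dst, SPI): packet dropped
    expected = ah_icv(key, ip6, rest[:12] + b"\x00" * len(icv), payload)
    return spi, hmac.compare_digest(expected, icv)


# Constructed sample: LA -> WA as in test 3 (addresses and SPI from the post)
LA = "fe80::22e0:6cff:fe39:244b"
WA = "fe80::250:daff:fe90:48f7"
ECHO_REQ = bytes([128, 0, 0, 0, 0, 1, 0, 1]) + b"usagi-win2k"  # checksum 0


def demo():
    key = key_bytes("AAAAAAAAAAAAAAAA")
    pkt = build_ah_packet(LA, WA, 6000, 1, key, ICMPV6_PROTO, ECHO_REQ)
    # A router decrementing the hop limit must not invalidate the ICV
    forwarded = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]
    same_key = {(WA, 6000): key}
    wrong_key = {(WA, 6000): key_bytes("0x" + "41" * 8)}   # 8-byte key, not 16
    wrong_spi = {(WA, 6001): key}                          # only the reverse SA
    return {
        "same_key": verify_ah_packet(same_key, forwarded)[1],
        "wrong_key": verify_ah_packet(wrong_key, forwarded)[1],
        "wrong_spi": verify_ah_packet(wrong_spi, forwarded)[1],
    }


if __name__ == "__main__":
    print(demo())
```

A receiver that silently drops the echo request, as WA does in test 3, behaves exactly like the `wrong_key` and `wrong_spi` cases here: the SPI lookup or the ICV comparison fails before the payload is handed to ICMPv6, so no reply is ever generated. Comparing the ICV a capture shows on the wire with the value `ah_icv` computes for the key each side believes it has is a quick way to tell a key-encoding mismatch from an SA-lookup mismatch.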