LinuxQuestions.org
Old 03-28-2014, 02:21 AM   #1
samiran.linux
How to set up ipsec esp tunnel between two linux host machine using ip xfrm


Hi,
I want to create an IPsec tunnel between two Linux machines using ip-xfrm so that if I ping from one to the other I can see the packets as ESP packets. Any idea how to do it?

Last edited by samiran.linux; 03-28-2014 at 02:34 AM.
 
Old 03-28-2014, 03:33 PM   #2
nini09
The following link could help you. It gives you an API for communicating with the IPsec module.
http://www.linuxfoundation.org/colla...ipsec-overview
 
Old 03-31-2014, 05:52 AM   #3
samiran.linux
Thanks for the reply... I have created an ESP tunnel between two machines such that if I ping from one machine to the other I see ESP packets. Now what I am trying to do is this: I have three machines, say MC1, MC2 and MC3. There would be an ESP tunnel only between MC1 and MC2, and MC1 can connect to MC3 through MC2. So if I ping from MC1 to MC3, there would be ESP packets between MC1 and MC2 and ICMP packets between MC2 and MC3. How can I implement that? Any help?

MC1 <------------->MC2<------------->MC3
ping MC3 -->(ESP)--> ------> (ICMP) -->

<--(ESP)<-- <------ (ICMP) <--

Last edited by samiran.linux; 03-31-2014 at 08:02 AM.
 
Old 03-31-2014, 03:24 PM   #4
nini09
An ESP packet encapsulates the original packet. So there are two IP headers in an ESP packet: the inner IP header (ICMP) and the outer IP header (ESP). After the ESP packet is terminated in MC2, the ICMP packet will be forwarded to MC3 based on the routing table in MC2.
 
Old 04-01-2014, 01:31 AM   #5
samiran.linux
The IP addresses of the machines are MC1 (192.168.211.138), MC2 (192.168.211.203 (ens33) && 192.168.245.129 (ens37)) and MC3 (192.168.245.130).

I have created the ESP tunnel between MC1 and MC2 using the following commands:
MC1 config:

ip xfrm state add src 192.168.211.138 dst 192.168.211.203 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir out src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
ip xfrm state add src 192.168.211.203 dst 192.168.211.138 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir in src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
ip xfrm policy add dir fwd src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport


MC2 config:

ip xfrm state add src 192.168.211.203 dst 192.168.211.138 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir out src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
ip xfrm policy add dir fwd src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
ip xfrm state add src 192.168.211.138 dst 192.168.211.203 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir in src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport


For routing I have made the following entries:
MC1:
route -n

192.168.211.0 0.0.0.0 255.255.255.0 U 1 0 0 eth3
192.168.245.0 192.168.211.203 255.255.255.0 UG 0 0 0 eth3
0.0.0.0 192.168.211.2 0.0.0.0 UG 0 0 0 eth3

MC2:
route -n

0.0.0.0 192.168.211.2 0.0.0.0 UG 0 0 0 ens33
192.168.211.0 0.0.0.0 255.255.255.0 U 1 0 0 ens33
192.168.245.0 192.168.245.129 255.255.255.0 UG 0 0 0 ens37



Now if I ping 192.168.211.203 from MC1 I see ESP packets and also get a trace from ip xfrm monitor, but if I ping 192.168.245.130 then I see plain ICMP packets when running tcpdump -i ens33 on MC2 and also no trace from ip xfrm monitor...
Where am I going wrong?? How can I specify that all the packets that use the MC1-MC2 channel should also be ESP encrypted, I mean forwarded packets.. Any help...

Last edited by samiran.linux; 04-01-2014 at 07:33 AM.
 
Old 04-01-2014, 03:54 PM   #6
nini09
1) The route table on MC1 shouldn't include the 192.168.245.0 entry.
2) In the ip xfrm policy, the first src and dst IP should be 192.168.245.x IPs.
 
Old 04-02-2014, 08:04 AM   #7
samiran.linux
1> If I delete the route entry for 192.168.245.0 then how will it forward the packets which are intended for MC3 to MC2??? Because MC1 cannot ping the 245 subnet directly.. isn't it??
2> Would you please give me the ip xfrm policy command? I am not getting your point about "first src and dst IP should be 192.168.245.x IP"..
And on which machine do we have to do that, MC1 or MC2, and are the "ip xfrm state" commands OK or not??
It would be better if you gave the policy rules needed for each machine in the setup..

Last edited by samiran.linux; 04-02-2014 at 08:43 AM.
 
Old 04-02-2014, 03:20 PM   #8
nini09
The following link has almost the same environment as yours. You can refer to it.
http://openisp.westnetz.org/content/tunneling/
 
Old 04-02-2014, 04:50 PM   #9
samiran.linux
Thanks for your help....... In tunnel mode I have succeeded in creating a forwarding tunnel... But I have some queries..
Are the source address and destination address in the template list (tmpl) the addresses for the IP header of the ESP encapsulated packet, i.e. the outer IP header??? And is this only for tunnel mode??? As per this line in your referred document: "In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted" .... so is it useless to provide a src address and dst address in the tmpl list if I am using transport mode??

Last edited by samiran.linux; 04-04-2014 at 02:46 AM.
 
Old 04-03-2014, 03:45 PM   #10
nini09
The source and destination IP addresses in tmpl are the outer IP addresses.
I have never tried transport mode for an IPsec tunnel.
 
Old 04-04-2014, 02:27 AM   #11
samiran.linux
Is there any tutorial link or example for adding xfrm policy and state from C code by including net/xfrm.h, instead of running the Linux command (ip xfrm)?
 
Old 04-04-2014, 03:32 PM   #12
nini09
Check the following link.
http://www.croz.net/eng/xfrm-programming/
 
Old 04-07-2014, 07:37 AM   #13
samiran.linux
Thanks for the tutorial.. it's really helpful.........

I want to know: suppose my machine's IP is 192.168.211.203... Now I get an ESP packet (in transport mode) whose destination address is 192.168.245.130.. Can I set a rule such that my machine (192.168.211.203) will decrypt it and forward the packet to the original destination address (192.168.245.130)? Assume that my machine can ping 192.168.245.130..

Last edited by samiran.linux; 04-07-2014 at 07:40 AM.
 
Old 04-07-2014, 03:58 PM   #14
nini09
Your machine is like an IPsec router. If your machine can reach 192.168.245.130, the ip xfrm policy should work no matter whether it is transport or tunnel mode.
 
Old 04-08-2014, 02:02 AM   #15
samiran.linux
My machine's IP addresses are 192.168.211.203 (ens33) and 192.168.245.129 (ens37)... I receive ESP packets at the interface ens33 and am trying to decrypt and forward them through ens37...

I receive ESP packets (transport mode) for 192.168.245.130... My machine's job would be to decrypt them and forward the packets to 192.168.245.130 (my machine can ping 192.168.245.130)..

I have defined the state and policies like this..
ip xfrm state add src 192.168.211.138 dst 192.168.245.130 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport
ip xfrm policy add dir out src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport
ip xfrm policy add dir in src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport

But it does not forward anything to 192.168.245.130, i.e. it simply drops the packets; the most probable reason could be that xfrm_state_lookup returns NOT_FOUND ... But this should not happen since dst_addr, spi, proto and family should match the defined rule......... Any idea why this happens...
Is it because transport mode works between host machines that it is dropping the packets, because the received packets are not destined to my machine???

Last edited by samiran.linux; 04-08-2014 at 02:05 AM.
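The gateway setup asked for in posts #5 and #15, as an added example that is not from the thread: tunnel-mode SAs whose outer addresses are the two gateways, and policies whose selector is the end hosts, so MC1 <-> MC3 traffic is ESP only on the MC1-MC2 leg and MC2 decapsulates and forwards it. Addresses are the thread's; the SPIs and keys are constructed placeholders, and MC1 is assumed to have any route covering 192.168.245.130 (its default route suffices).

```sh
#!/bin/sh
# Tunnel-mode xfrm state/policy for MC1 <-> MC2 <-> MC3 (added example, not the thread's config).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root on each box).
set -eu

MC1=192.168.211.138   # end host and tunnel endpoint A
MC2=192.168.211.203   # MC2 ens33: tunnel endpoint B, forwards to MC3 via ens37
MC3=192.168.245.130   # end host behind MC2, never sees ESP
REQID=16386
SPI_AB=0x1001; SPI_BA=0x1002   # constructed placeholders; one SPI per direction
AUTH_KEY=0x0123456789abcdef0123456789abcdef01234567   # placeholder, 20 bytes for hmac(sha1)
ENC_KEY=0x0123456789abcdef0123456789abcdef             # placeholder, 16 bytes for cbc(aes)
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One SA per direction. In tunnel mode the SA src/dst are the OUTER (gateway)
# addresses, so the ESP packet is addressed to MC2 and MC2 decapsulates it.
# In transport mode the outer dst is the SA dst: an SA with dst MC3 yields ESP
# packets that are not addressed to MC2, so MC2 never looks up an SA for them.
add_sa() {  # $1=outer src  $2=outer dst  $3=spi
  run ip xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid "$REQID" mode tunnel \
      replay-window 32 auth "hmac(sha1)" "$AUTH_KEY" enc "cbc(aes)" "$ENC_KEY"
}

# Policy selector is the INNER (end-host) src/dst; tmpl names the gateways.
add_policy() {  # $1=dir  $2=inner src  $3=inner dst  $4=outer src  $5=outer dst
  run ip xfrm policy add dir "$1" src "$2" dst "$3" \
      tmpl src "$4" dst "$5" proto esp reqid "$REQID" mode tunnel
}

setup_mc1() {
  add_sa "$MC1" "$MC2" "$SPI_AB"; add_sa "$MC2" "$MC1" "$SPI_BA"
  add_policy out "$MC1" "$MC3" "$MC1" "$MC2"
  add_policy in  "$MC3" "$MC1" "$MC2" "$MC1"
}

setup_mc2() {
  run sysctl -w net.ipv4.ip_forward=1
  add_sa "$MC1" "$MC2" "$SPI_AB"; add_sa "$MC2" "$MC1" "$SPI_BA"
  # Decapsulated packets for MC3 are forwarded, so MC2 needs a fwd policy as well.
  add_policy in  "$MC1" "$MC3" "$MC1" "$MC2"
  add_policy fwd "$MC1" "$MC3" "$MC1" "$MC2"
  add_policy out "$MC3" "$MC1" "$MC2" "$MC1"   # replies from MC3 are re-encapsulated
}

case "${1:-}" in mc1) setup_mc1 ;; mc2) setup_mc2 ;; esac
```

Run it as `sh script.sh mc1` on MC1 and `sh script.sh mc2` on MC2; replace the placeholder keys with random ones (for example from `head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'`) before setting DRY_RUN=0.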
 
All times are GMT -5. The time now is 04:05 PM.