LinuxQuestions.org > Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 | 03-28-2014, 02:21 AM | LQ Newbie | Registered: Jul 2013 | Posts: 28
How to set up an IPsec ESP tunnel between two Linux host machines using ip xfrm
Hi,
I want to create an IPsec tunnel between two Linux machines using ip-xfrm so that if I ping from one to the other I can see the traffic as ESP packets. Any idea how to do it?
Last edited by samiran.linux; 03-28-2014 at 02:34 AM.
#3 | 03-31-2014, 05:52 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
Thanks for the reply... I have created an ESP tunnel between two machines such that if I ping from one machine to the other I see ESP packets. Now what I am trying to do is this: I have three machines, say MC1, MC2 and MC3. There would be an ESP tunnel only between MC1 and MC2, and MC1 can connect to MC3 through MC2. So if I ping from MC1 to MC3, there would be ESP packets between MC1 and MC2 and ICMP packets between MC2 and MC3. How can I implement that? Any help?
MC1 <-------------> MC2 <-------------> MC3
ping MC3 -->(ESP)-->     ------>(ICMP)-->
        <--(ESP)<--     <------(ICMP)<--
Last edited by samiran.linux; 03-31-2014 at 08:02 AM.
#4 | 03-31-2014, 03:24 PM | Senior Member | Registered: Apr 2009 | Posts: 1,889
An ESP packet encapsulates the original packet, so there are two IP headers in an ESP packet: the inner IP header (ICMP) and the outer IP header (ESP). After the ESP packet is terminated at MC2, the ICMP packet will be forwarded to MC3 based on the routing table in MC2.
#5 | 04-01-2014, 01:31 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
The IP addresses of the machines are MC1 (192.168.211.138), MC2 (192.168.211.203 (ens33) and 192.168.245.129 (ens37)) and MC3 (192.168.245.130).
I have created the ESP tunnel between MC1 and MC2 using the following commands:
MC1 config:
# SA for the MC1 -> MC2 direction (transport mode, shared SPI and keys)
ip xfrm state add src 192.168.211.138 dst 192.168.211.203 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
# out: packets from MC1 to MC2 itself use the SA above (selector is MC1 -> MC2)
ip xfrm policy add dir out src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
# fwd: same selector, for packets MC1 would forward
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
# SA for the MC2 -> MC1 direction
ip xfrm state add src 192.168.211.203 dst 192.168.211.138 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
# in: packets from MC2 to MC1 must have arrived through the SA above
ip xfrm policy add dir in src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
# fwd: same selector in the reverse direction
ip xfrm policy add dir fwd src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
MC2 config:
# SA for the MC2 -> MC1 direction
ip xfrm state add src 192.168.211.203 dst 192.168.211.138 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
# out: packets from MC2 to MC1 use the SA above
ip xfrm policy add dir out src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
# fwd: same selector, for packets MC2 would forward
ip xfrm policy add dir fwd src 192.168.211.203 dst 192.168.211.138 ptype main action allow priority 2080 tmpl src 192.168.211.203 dst 192.168.211.138 proto esp reqid 16386 mode transport
# SA for the MC1 -> MC2 direction
ip xfrm state add src 192.168.211.138 dst 192.168.211.203 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
# in: packets from MC1 to MC2 itself must have arrived through the SA above
ip xfrm policy add dir in src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
# fwd: same selector in the reverse direction
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.211.203 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.211.203 proto esp reqid 16386 mode transport
For routing I have made the following entries:
MC1:
route -n
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
192.168.211.0   0.0.0.0          255.255.255.0    U     1      0   0   eth3
192.168.245.0   192.168.211.203  255.255.255.0    UG    0      0   0   eth3
0.0.0.0         192.168.211.2    0.0.0.0          UG    0      0   0   eth3
MC2:
route -n
Destination     Gateway          Genmask          Flags Metric Ref Use Iface
0.0.0.0         192.168.211.2    0.0.0.0          UG    0      0   0   ens33
192.168.211.0   0.0.0.0          255.255.255.0    U     1      0   0   ens33
192.168.245.0   192.168.245.129  255.255.255.0    UG    0      0   0   ens37
Now if I ping 192.168.211.203 from MC1 I see ESP packets and also get a trace from ip xfrm monitor, but if I ping 192.168.245.130 then I see plain ICMP packets when running tcpdump -i ens33 on MC2, and no trace from ip xfrm monitor...
Where am I going wrong? How can I specify that all the packets that use the MC1-MC2 channel should also be ESP-encrypted, I mean forwarded packets too? Any help...
Last edited by samiran.linux; 04-01-2014 at 07:33 AM.
#6 | 04-01-2014, 03:54 PM | Senior Member | Registered: Apr 2009 | Posts: 1,889
1) The route table on MC1 shouldn't include the 192.168.245.0 entry.
2) In the ip xfrm policy, the first src and dst IP should be the 192.168.245.x IP.
#7 | 04-02-2014, 08:04 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
1> If I delete the route entry for 192.168.245.0, then how will it forward the packets intended for MC3 to MC2? Because MC1 cannot ping the 245 subnet directly, isn't it?
2> Would you please give me the ip xfrm policy command? I am not getting your point in "first src and dst IP should be 192.168.245.x IP".
And on which machine do we have to do that, MC1 or MC2, and are the "ip xfrm state" commands OK or not?
It would be better if you give the policy rules needed on each machine for the setup.
Last edited by samiran.linux; 04-02-2014 at 08:43 AM.
#9 | 04-02-2014, 04:50 PM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
Thanks for your help... In tunnel mode I have succeeded in creating the forwarding tunnel. But I have some queries:
Are the source address and destination address in the template list (tmpl) the addresses for the IP header over the ESP-encapsulated packet, i.e. the outer IP header? And is this only for tunnel mode, as per this line in the document you referred to: "In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted"? So is it useless to provide a src address and dst address in the tmpl list if I am using transport mode?
Last edited by samiran.linux; 04-04-2014 at 02:46 AM.
#10 | 04-03-2014, 03:45 PM | Senior Member | Registered: Apr 2009 | Posts: 1,889
The source and destination IP addresses in tmpl are the outer IP addresses.
I have never tried transport mode for an IPsec tunnel.
#11 | 04-04-2014, 02:27 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
Is there any tutorial link or example for adding an xfrm policy and state from C code by including net/xfrm.h, instead of running the Linux command (ip xfrm)?
#12 | 04-04-2014, 03:32 PM | Senior Member | Registered: Apr 2009 | Posts: 1,889
#13 | 04-07-2014, 07:37 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
Thanks for the tutorial, it is really helpful.
I want to know this: suppose my machine's IP is 192.168.211.203. Now I get an ESP packet (in transport mode) whose destination address is 192.168.245.130. Can I set a rule such that my machine (192.168.211.203) will decrypt it and forward the packet to the original destination address (192.168.245.130)? Assume that my machine can ping 192.168.245.130.
Last edited by samiran.linux; 04-07-2014 at 07:40 AM.
#14 | 04-07-2014, 03:58 PM | Senior Member | Registered: Apr 2009 | Posts: 1,889
Your machine is like an IPsec router. If your machine can reach 192.168.245.130, the ip xfrm policy should work no matter whether it is transport or tunnel mode.
#15 | 04-08-2014, 02:02 AM | LQ Newbie (Original Poster) | Registered: Jul 2013 | Posts: 28
My machine's IP addresses are 192.168.211.203 (ens33) and 192.168.245.129 (ens37). I receive ESP packets on the interface ens33 and am trying to decrypt them and forward them through ens37.
I receive ESP packets (transport mode) for 192.168.245.130. My machine's job would be to decrypt them and forward the packets to 192.168.245.130 (my machine can ping 192.168.245.130).
I have defined the state and policies like this:
# SA keyed on MC1 -> MC3: the inbound lookup on this host is by (dst, spi, proto)
ip xfrm state add src 192.168.211.138 dst 192.168.245.130 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0
# fwd / out / in policies, all with the MC1 -> MC3 selector and the same tmpl
ip xfrm policy add dir fwd src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport
ip xfrm policy add dir out src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport
ip xfrm policy add dir in src 192.168.211.138 dst 192.168.245.130 ptype main action allow priority 2080 tmpl src 192.168.211.138 dst 192.168.245.130 proto esp reqid 16386 mode transport
But it does not forward anything to 192.168.245.130, i.e. it is simply dropping the packets. The most probable reason could be that xfrm_state_lookup returns NOT_FOUND, but this should not happen, since dst_addr, spi, proto and family should all match the defined rule... Any idea why this happens?
Is it because transport mode works between host machines, and that is why it is dropping the packets, because the received packets are not destined for my machine?
Last edited by samiran.linux; 04-08-2014 at 02:05 AM.
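An added diagnostic script (not from the thread) for the last two questions. In transport mode the inbound SA is looked up by the ESP packet's own destination address, SPI and protocol: an ESP packet sent to 192.168.211.203 does not match an SA whose dst is 192.168.245.130, and an ESP packet sent to 192.168.245.130 is merely forwarded by MC2 and never decrypted there, so decrypt-and-forward on behalf of a third host needs tunnel mode. The kernel counts failed inbound lookups in /proc/net/xfrm_stat (XfrmInNoStates), which is the first thing to read instead of guessing at xfrm_state_lookup. The script also classifies `tcpdump -n` lines to confirm that nothing involving the host crosses the MC1-MC2 link unprotected. The counter names are the kernel's own; the capture lines in sample_capture are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: two diagnostics for an ESP gateway.
#  xfrm_errors [FILE]     read the kernel's XFRM counters (default
#                         /proc/net/xfrm_stat) and explain the non-zero
#                         error counters that matter for dropped packets
#  cleartext_leaks HOST   read 'tcpdump -n' lines on stdin and count packets
#                         involving HOST that are ESP vs. sent in the clear

xfrm_errors() {
    f=${1:-/proc/net/xfrm_stat}
    while read -r name value; do
        [ "${value:-0}" -gt 0 ] 2>/dev/null || continue   # skip zero counters
        case $name in
            XfrmInNoStates)        why="no inbound SA matched the packet's (dst, SPI, proto)" ;;
            XfrmInStateProtoError) why="ESP processing failed (wrong key/algorithm, bad ICV)" ;;
            XfrmInTmplMismatch)    why="decrypted packet did not satisfy the policy's tmpl" ;;
            XfrmInNoPols)          why="no in/fwd policy allows the decrypted packet" ;;
            XfrmOutNoStates)       why="out policy matched but no SA exists for its tmpl" ;;
            *) continue ;;   # not one of the counters relevant here
        esac
        printf '%s=%s: %s\n' "$name" "$value" "$why"
    done < "$f"
}

# cleartext_leaks HOST: for every IP line to or from HOST, count ESP packets
# and non-ESP packets; prints "<esp> <cleartext>" and lists leaks on stderr.
# Any non-zero second number means traffic left the host unprotected.
cleartext_leaks() {
    host=$1
    esp=0; leaks=0
    while IFS= read -r line; do
        case $line in
            *" IP $host > "*|*" > $host: "*) ;;   # traffic to or from HOST only
            *) continue ;;
        esac
        case $line in
            *": ESP("*) esp=$((esp + 1)) ;;
            *) leaks=$((leaks + 1)); printf 'CLEARTEXT: %s\n' "$line" >&2 ;;
        esac
    done
    printf '%s %s\n' "$esp" "$leaks"
}

# Constructed 'tcpdump -n' lines for the MC1-MC2 link (not a real capture).
# Line 3 is the thread's symptom: a ping to MC3 leaving MC1 as plain ICMP.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.211.138 > 192.168.211.203: ESP(spi=0x53fa0fdd,seq=0x1), length 116
12:00:01.000400 IP 192.168.211.203 > 192.168.211.138: ESP(spi=0x53fa0fde,seq=0x1), length 116
12:00:02.000001 IP 192.168.211.138 > 192.168.245.130: ICMP echo request, id 7, seq 1, length 64
12:00:02.000300 IP 192.168.211.2 > 192.168.211.203: ICMP echo reply, id 9, seq 1, length 64
12:00:03.000001 ARP, Request who-has 192.168.211.203 tell 192.168.211.138, length 28
EOF
}

if [ "${1:-}" = demo ]; then
    sample_capture | cleartext_leaks 192.168.211.138
    xfrm_errors
fi
```

On the gateway, run `sh xfrm-diag.sh demo` for the constructed sample, or `tcpdump -n -l -i ens33 | sh -c '. ./xfrm-diag.sh; cleartext_leaks 192.168.211.138'` for live traffic. Read /proc/net/xfrm_stat before and after a test ping: a rising XfrmInNoStates confirms that the SA lookup, not routing, is what drops the packets.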