LinuxQuestions.org
Old 04-09-2004, 04:16 PM   #1
noeffred
Member
 
Registered: Mar 2004
Location: Austria
Distribution: Ubuntu 6.0.6, CentOS, Fedora, Debian
Posts: 47

Rep: Reputation: 15
ipsec blues


I've set up ipsec with preshared keys and it works, at least sort of. My outbound traffic is marked "ESP" when running tcpdump, which is a good thing, but all my inbound connections (which are not coming from the ipsec gateway!) are received using no encryption at all.

I know my link is encrypted because:
1. ipsec auto --status says so
2. I've set up my firewall rules on the gateway host so that only ipsec encrypted traffic is allowed, which I've verified.



Code:
# /etc/ipsec.conf on notebook; IP addresses swapped on gateway

version 2.0
config setup
        forwardcontrol=yes
        interfaces="ipsec0=eth2"
 
conn wlan
        left=172.19.0.3
        right=172.19.0.1
        rightsubnet=0.0.0.0/0
        authby=secret
        auto=start
The gateway is running Kernel 2.4.20 while the notebook is running 2.6.4. Yet I doubt that this is the reason behind this problem.
 
Old 04-17-2004, 04:15 PM   #2
czarherr
Member
 
Registered: Sep 2003
Location: Suwon, Korea
Distribution: Slackware 14
Posts: 288

Rep: Reputation: 32
Are you requiring or only requesting security? Either way, there is clearly an issue, but if you are only requesting, try setting it to require. No traffic will come back, but you can look at the capture and narrow down the problem here, or post the dump here and let all of us try and see. In fact, can you post the output of the dump here so we can take a look?
 
Old 04-17-2004, 04:33 PM   #3
noeffred
Member
 
Registered: Mar 2004
Location: Austria
Distribution: Ubuntu 6.0.6, CentOS, Fedora, Debian
Posts: 47

Original Poster
Rep: Reputation: 15
Encryption is required. The firewall/gateway drops everything but ESP/AH packets. If the ipsec tunnel isn't up, there is no way to get past the gateway.

Here's a sample of the traffic.

Code:
23:28:35.490558 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afa) (DF)
23:28:35.630238 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2a) (frag 13076:1480@0+)
23:28:35.630542 192.168.1.1 > 192.168.1.3: ipv6-crypt (frag 13076:20@1480)
23:28:35.630542 216.239.59.104.http > 192.168.1.3.32990: . 3761784812:3761786242(1430) ack 22801796 win 31460 [tos 0x10]
23:28:35.631421 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afb) (DF)
23:28:35.631518 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2b)
23:28:35.631518 216.239.59.104.http > 192.168.1.3.32990: P 1430:1481(51) ack 1 win 31460 [tos 0x10]
23:28:35.631561 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afc) (DF)
23:28:35.804425 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afd) (DF)
23:28:35.832408 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afe) (DF)
23:28:35.849230 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1aff) (DF)
23:28:35.866314 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1b00) (DF)
23:28:35.931316 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2c)
23:28:35.931316 216.239.59.99.http > 192.168.1.3.32991: P 226929988:226930139(151) ack 23965469 win 31460 [tos 0x10]
23:28:35.931411 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1b01) (DF)
23:28:35.979414 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2d)
23:28:35.979414 216.239.59.104.http > 192.168.1.3.32992: P 883636524:883636675(151) ack 29455344 win 31460 [tos 0x10]
23:28:35.979524 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1b02) (DF)
23:28:36.024186 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2e)
23:28:36.024186 216.239.59.99.http > 192.168.1.3.32993: . ack 22317298 win 31460 [tos 0x10]
23:28:36.029301 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2f)
23:28:36.029301 216.239.59.99.http > 192.168.1.3.32993: P 0:151(151) ack 1 win 31460 [tos 0x10]
23:28:36.029388 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1b03) (DF)
23:28:36.078411 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d30)
23:28:36.078411 216.239.59.104.http > 192.168.1.3.32990: P 1481:1632(151) ack 625 win 31460 [tos 0x10]
23:28:36.078529 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1b04) (DF)
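
One way to check the capture in post #3, as an added example that is not part of the thread: the script pairs each inbound cleartext line with a gateway ESP (or ESP fragment) line carrying the same timestamp. A shared timestamp is consistent with tcpdump showing the same packet before and after decryption, as the native IPsec stack in 2.6 kernels does for inbound traffic; that reading is an assumption here, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First lines of the capture from post #3 (copied from the thread, not constructed).
CAPTURE = """\
23:28:35.490558 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afa) (DF)
23:28:35.630238 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2a) (frag 13076:1480@0+)
23:28:35.630542 192.168.1.1 > 192.168.1.3: ipv6-crypt (frag 13076:20@1480)
23:28:35.630542 216.239.59.104.http > 192.168.1.3.32990: . 3761784812:3761786242(1430) ack 22801796 win 31460 [tos 0x10]
23:28:35.631421 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afb) (DF)
23:28:35.631518 192.168.1.1 > 192.168.1.3: ESP(spi=0x96e66cef,seq=0x2d2b)
23:28:35.631518 216.239.59.104.http > 192.168.1.3.32990: P 1430:1481(51) ack 1 win 31460 [tos 0x10]
23:28:35.631561 192.168.1.3 > 192.168.1.1: ESP(spi=0xed0a6c66,seq=0x1afc) (DF)
"""

LINE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")
# Protocol 50 (ESP): tcpdump prints "ESP(...)" for the first fragment and the
# /etc/protocols name "ipv6-crypt" for later fragments of the same datagram.
ENCRYPTED = re.compile(r"^(ESP\(|ipv6-crypt\b)")

def parse(capture):
    """Yield (timestamp, src, dst, is_encrypted) for each tcpdump line."""
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, src, dst, rest = m.groups()
            yield ts, src, dst, bool(ENCRYPTED.match(rest))

def correlate(capture, local="192.168.1.3", gateway="192.168.1.1"):
    """Split inbound cleartext lines by whether a gateway ESP line shares their timestamp."""
    esp_in = defaultdict(int)
    clear_in = []
    for ts, src, dst, enc in parse(capture):
        if enc and src == gateway and dst == local:
            esp_in[ts] += 1
        elif not enc and dst.startswith(local + "."):  # "addr.port" form
            clear_in.append((ts, src))
    paired = [p for p in clear_in if esp_in[p[0]]]
    orphans = [p for p in clear_in if not esp_in[p[0]]]
    return paired, orphans

if __name__ == "__main__":
    paired, orphans = correlate(CAPTURE)
    print(f"cleartext inbound: {len(paired) + len(orphans)}, "
          f"with ESP at same timestamp: {len(paired)}, without: {len(orphans)}")
    for ts, src in orphans:
        print("no matching ESP frame:", ts, src)
```

Any line reported as having no matching ESP frame is the one worth investigating, since it arrived without an encrypted counterpart from the gateway.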
 
  

