LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-03-2010, 04:19 AM   #1
SkyHiRider
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Rep: Reputation: 0
ipsec not working between two hosts


I've set up two security associations (in and out) on two hosts, and then set up two policies per host that should filter traffic to those SAs. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using IPsec.

Can anyone point me in the right direction?

Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0  

ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport

ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport
Code:
ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0 

ip xfrm policy add dir out src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport

ip xfrm policy add dir in src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport
 
Old 11-09-2010, 05:47 AM   #2
SkyHiRider
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Never mind, solved it by changing the reqid to match the SA; if the reqid is not the same, IPsec does not work.
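The mismatch that broke this setup (policy templates with reqid 16385 while the SAs carry reqid 16386) can be caught before the commands are run. The following checker is an added example, not code from the thread; it parses `ip xfrm state add` / `ip xfrm policy add` command lines in the form posted above and reports every policy template that no SA would satisfy, using the same match criteria the kernel applies (src, dst, proto, mode and, when the template's reqid is non-zero, an equal SA reqid). The `POSTED` sample reuses host 192.168.77.23's four commands from post #1; `FIXED` applies the correction from post #2.

```python
import shlex

TWO_VALUE = {"auth", "enc"}   # algorithm name followed by key material
SECTION = {"sel", "tmpl"}     # open a nested block and take no value of their own

def parse_xfrm_cmd(line):
    """Parse one `ip xfrm {state,policy} add ...` line into (kind, top, sections)."""
    tok = shlex.split(line)
    if tok[:2] != ["ip", "xfrm"] or len(tok) < 4 or tok[3] != "add":
        raise ValueError("not an 'ip xfrm ... add' command: " + line)
    kind, top, sections, i = tok[2], {}, {}, 4
    cur = top
    while i < len(tok):
        key = tok[i]
        if key in SECTION:           # 'sel' on an SA, 'tmpl' on a policy
            cur = sections.setdefault(key, {})
            i += 1
        elif key in TWO_VALUE:       # e.g. auth "hmac(sha1)" 0x55f0...
            cur[key] = (tok[i + 1], tok[i + 2])
            i += 3
        else:                        # plain key value pair
            cur[key] = tok[i + 1]
            i += 2
    return kind, top, sections

def find_unmatched_templates(lines):
    """Return (dir, src, dst, reqid) for every policy template that no SA satisfies.

    The kernel binds a template to an SA only when src, dst, proto and mode agree
    and, for a non-zero template reqid, the SA carries the same reqid. A reqid
    typo therefore leaves the policy without an SA and the traffic is dropped.
    """
    parsed = [parse_xfrm_cmd(l) for l in lines if l.strip()]
    sas = [top for kind, top, _ in parsed if kind == "state"]
    problems = []
    for kind, top, sections in parsed:
        if kind != "policy":
            continue
        t = sections.get("tmpl", {})
        reqid = int(t.get("reqid", 0))
        def matches(sa):
            return (all(sa.get(k) == t.get(k) for k in ("src", "dst", "proto", "mode"))
                    and (reqid == 0 or int(sa.get("reqid", 0)) == reqid))
        if not any(matches(sa) for sa in sas):
            problems.append((top["dir"], t.get("src"), t.get("dst"), reqid))
    return problems

# Host 192.168.77.23's four commands exactly as posted (policy reqid 16385, SA reqid 16386).
POSTED = [
    'ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0',
    'ip xfrm state add src 192.168.77.24 dst 192.168.77.23 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)" 0x55f01ac07e15e437115dde0aedd18a822ba9f81e enc "cbc(aes)" 0x6aed4975adf006d65c76f63923a6265b sel src 0.0.0.0/0 dst 0.0.0.0/0',
    'ip xfrm policy add dir out src 192.168.77.23 dst 192.168.77.24 ptype main action allow priority 2080 tmpl src 192.168.77.23 dst 192.168.77.24 proto esp reqid 16385 mode transport',
    'ip xfrm policy add dir in src 192.168.77.24 dst 192.168.77.23 ptype main action allow priority 2080 tmpl src 192.168.77.24 dst 192.168.77.23 proto esp reqid 16385 mode transport',
]
# The fix from post #2: make the template reqid match the SA reqid.
FIXED = [l.replace("reqid 16385", "reqid 16386") for l in POSTED]

if __name__ == "__main__":
    print("posted config:", find_unmatched_templates(POSTED))  # both templates unmatched
    print("fixed config: ", find_unmatched_templates(FIXED))   # []
```

The checker reads command lines, not the output of `ip xfrm state`/`ip xfrm policy`; paste each host's commands into `POSTED` and run it on a workstation before applying them.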