LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-09-2006, 04:25 AM   #1
squirtle
IPsec: Problem with setkey


I created the setkey script in /etc/racoon/setkey.sh, then I ran chmod 777 /etc/racoon/setkey.sh.
After that I typed setkey -D and got the error below:
[root@mailv6 test-messages]# setkey -D
No SAD entries.


setkey -DP

[root@mailv6 test-messages]# setkey -DP
2001:328:2003:2::10[any] 2001:328:2003:2::5[any] any
in prio def ipsec
esp/transport//require
ah/transport//require
created: Oct 9 15:25:56 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=48 seq=4 pid=4425
refcnt=1
2001:328:2003:2::5[any] 2001:328:2003:2::10[any] any
out prio def ipsec
esp/transport//require
ah/transport//require
created: Oct 9 15:25:56 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=41 seq=3 pid=4425
refcnt=1
2001:328:2003:2::10[any] 2001:328:2003:2::5[any] any
fwd prio def ipsec
esp/transport//require
ah/transport//require
created: Oct 9 15:25:56 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=58 seq=2 pid=4425
refcnt=1
(per-socket policy)
in none
created: Oct 9 15:25:57 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=67 seq=1 pid=4425
refcnt=1
(per-socket policy)
out none
created: Oct 9 15:25:57 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=76 seq=0 pid=4425
refcnt=1

My setkey.sh and racoon.conf are as follows:
[root@mailv6 test-messages]# cat /etc/racoon/setkey.sh
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:328:2003:2::1 2001:328:2003:2::2 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::2 2001:328:2003:2::1 any -P in ipsec esp/transport//require;

[root@mailv6 test-messages]# cat /etc/racoon/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

listen
{
isakmp 2001:328:2003:2::5;
}

remote 2001:328:2003:2::10
{
exchange_mode main;
lifetime time 24 hour;
proposal
{
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo address 2001:328:2003:2::5 any address 2001:328:2003:2::10 any
{
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

sainfo address 2001:328:2003:2::10 any address 2001:328:2003:2::5 any
{
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

Thanks a lot.
 
Old 10-09-2006, 05:25 AM   #2
hegdeshashi
Hi,

=========================
cat /etc/racoon/setkey.sh
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:328:2003:2::1 2001:328:2003:2::2 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::2 2001:328:2003:2::1 any -P in ipsec esp/transport//require;
===============

In setkey.sh you have only SPD entries; there are no SAD entries. That's why you are getting that error.
Just create SAD entries in setkey.sh.
 
Old 10-10-2006, 04:12 AM   #3
squirtle (Original Poster)
May I ask where I should compile my kernel: at /lib/modules/2.6.11-1.1369_FC4/build or /usr/src/kernels/2.6.11-1.1369_FC4-i686?
Do I need to download the kernel source?

[root@root ~]# rpm -qa|grep kernel-devel
kernel-devel-2.6.11-1.1369_FC4
[root@root ~]# uname -m
i686
[root@root ~]# uname -r
2.6.11-1.1369_FC4

After I tried to configure the kernel with make menuconfig and then typed make all to compile it, I got the error below:
[root@root 2.6.11-1.1369_FC4-i686]# make all
CHK include/linux/version.h
SPLIT include/linux/autoconf.h -> include/config/*
CHK include/asm-i386/asm_offsets.h
make[1]: *** No rule to make target `init/main.o', needed by `init/built-in.o'. Stop.
make: *** [init] Error 2



Thanks a lot

Last edited by squirtle; 10-10-2006 at 04:16 AM.
 
Old 10-10-2006, 11:08 PM   #4
squirtle (Original Poster)
[root@mailv6 racoon]# cat setkey.sh
#!/sbin/setkey -f
flush;
spdflush;
#AH
add 2001:328:2003:2::5 2001:328:2003:2::10 ah 15700 -A hmac-md5 f516fe8fe41b286c78c6342936994ab2;
add 2001:328:2003:2::10 2001:328:2003:2::5 ah 24500 -A hmac-md5 f516fe8fe41b286c78c6342936994ab2;

#ESP
add 2001:328:2003:2::5 2001:328:2003:2::10 esp 15701 -E 3des-cbc 5c3a36fd8cbaf52ffcac79105baeb851;
add 2001:328:2003:2::10 2001:328:2003:2::5 esp 24501 -E 3des-cbc 5c3a36fd8cbaf52ffcac79105baeb851;

spdadd 2001:328:2003:2::5 2001:328:2003:2::10 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::10 2001:328:2003:2::5 any -P in ipsec esp/transport//require;

but I still have the same error!!!
No SAD Entries.
 
Old 10-11-2006, 01:58 AM   #5
hegdeshashi
Hi,

use this one..
add -6 2001:200:141:4320:1::1 2001:200:141:4320:1::2 ah 5555 -m transport -A hmac-md5 "1234567890123456";

For the auth value, you need to set 16 bits.

Then try setkey -DP;
you will definitely get SAD entries.
Also refer to the setkey man pages.
 
Old 10-11-2006, 10:23 PM   #6
squirtle (Original Poster)
Hi. Should I compile my kernel to support IPv6 ESP and AH? Should I install IPsec-tools?
But I face a problem when compiling the kernel.

I followed the command but it still doesn't work:
add -6 2001:200:141:4320:1::1 2001:200:141:4320:1::2 ah 5555 -m transport -A hmac-md5 "1234567890123456";

Thanks.
 
Old 10-11-2006, 11:52 PM   #7
hegdeshashi
Hi,

Unlike in IPv4, encryption and authentication are mandatory features of IPv6. Those features are normally implemented using IPsec. Just enable IPv6.

ipsec-tools is not necessary.
SAD and SPD entries in setkey.sh will take the place of ipsec-tools/racoon.

For more detail refer to this URL: http://www.ibiblio.org/pub/Linux/doc...O.html#AEN2362
 
Old 10-12-2006, 01:59 AM   #8
squirtle (Original Poster)
Hi. Do you mean I enable IPv6 in /etc/sysconfi/network with NETWORKINGIPV6=yes? Or do I need to change the configuration of the kernel with make menuconfig?

Just now I found the error "invalid key length":

[root@mailv6 sbin]# setkey.sh
128 192 192
line 11: Invalid key length at [bd6477f26fd4bbc1]
parse failed, line 11.


I use this command to generate the key
dd if=/dev/random count=24 bs=1|xxd -ps

That is setkey.sh. I put it in /sbin/setkey.sh:
#!/sbin/setkey -f
flush;
spdflush;
#AH
#add 2001:328:2003:2::5 2001:328:2003:2::10 ah 15700 -A hmac-md5 f516fe8fe41b286c78c6342936994ab2;
#add 2001:328:2003:2::10 2001:328:2003:2::5 ah 24500 -A hmac-md5 f516fe8fe41b286c78c6342936994ab2;
add -6 2001:328:2003:2::5 2001:328:2003:2::2 ah 1570 -m transport -A hmac-md5 "f516fe8fe41b286c78c6342936994ab2";
add -6 2001:328:2003:2::10 2001:328:2003:2::5 ah 1570 -m transport -A hmac-md5 "f516fe8fe41b286c78c6342936994ab2";

#ESP
add 2001:328:2003:2::5 2001:328:2003:2::10 esp 15701 -E 3des-cbc 5c3a36fd8cbaf52ffcac79105baeb851;
add 2001:328:2003:2::10 2001:328:2003:2::5 esp 24501 -E 3des-cbc 5c3a36fd8cbaf52ffcac79105baeb851;

spdadd 2001:328:2003:2::5 2001:328:2003:2::10 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::10 2001:328:2003:2::5 any -P in ipsec esp/transport//require;

1;


[root@localhost ~]# racoon -F -v -f /etc/racoon/racoon.conf
Foreground mode.
2006-10-12 19:01:34: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2006-10-12 19:01:34: INFO: @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
2006-10-12 19:01:36: ERROR: failed to bind to address 2001:328:2003:2::11[500] (Address already in use).
2006-10-12 19:01:36: ERROR: no address could be bound.


Thanks

Last edited by squirtle; 10-12-2006 at 04:22 AM.
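The three problems raised so far (post #2: a script with only spdadd lines yields "No SAD entries"; post #5: hmac-md5 needs a key of a fixed size; post #8: "Invalid key length" from a generated key) come down to how setkey(8) reads keys and which lines actually create security associations. The script below is an added example, not code from any poster in this thread. The facts it encodes are from the setkey(8) manual: a key is written either as 0x followed by hex digits or as a double-quoted ASCII string (bare hex without 0x, as in post #4, is not accepted), and the required sizes are 128 bits for hmac-md5, 160 for hmac-sha1, 256 for hmac-sha256, 64 for des-cbc, 192 for 3des-cbc and 128/192/256 for aes-cbc. The function names are mine, the hosts 2001:db8::1 and 2001:db8::2 are constructed placeholders, and the SPI numbers are the ones from the script in post #4.

```shell
#!/bin/sh
# Added example, not code from this thread. It checks setkey(8) keys for the
# length the algorithm requires, generates keys of the right size, and writes a
# setkey script that contains SAD entries (add) as well as SPD entries (spdadd).
# The hosts 2001:db8::1 / 2001:db8::2 are constructed placeholders.

# Key sizes in bits that setkey(8) accepts for each algorithm (from the man page).
key_bits_required() {
    case "$1" in
        hmac-md5)    echo 128 ;;
        hmac-sha1)   echo 160 ;;
        hmac-sha256) echo 256 ;;
        des-cbc)     echo 64 ;;
        3des-cbc)    echo 192 ;;
        aes-cbc)     echo "128 192 256" ;;
        *)           echo "" ;;
    esac
}

# Size in bits of a key written the way setkey expects: 0xHEX (4 bits per
# digit) or a double-quoted ASCII string (8 bits per character). Anything else,
# including bare hex without 0x as in post #4, is reported as -1.
key_bits() {
    case "$1" in
        0x*)
            hex=${1#0x}
            case "$hex" in
                ""|*[!0-9a-fA-F]*) echo -1 ;;
                *) echo $(( ${#hex} * 4 )) ;;
            esac ;;
        \"*\")
            s=${1#\"}; s=${s%\"}
            echo $(( ${#s} * 8 )) ;;
        *)
            echo -1 ;;
    esac
}

# Prints "ok" and returns 0 when key $2 is usable with algorithm $1; otherwise
# prints the reason setkey would reject it and returns 1.
check_key() {
    alg=$1; key=$2
    wanted=$(key_bits_required "$alg")
    if [ -z "$wanted" ]; then
        echo "unknown algorithm: $alg"; return 1
    fi
    bits=$(key_bits "$key")
    if [ "$bits" -lt 0 ]; then
        echo "bad key syntax: use 0xHEX or \"ascii\""; return 1
    fi
    for want in $wanted; do
        if [ "$bits" -eq "$want" ]; then echo ok; return 0; fi
    done
    echo "invalid key length: $bits bits, $alg needs $wanted"
    return 1
}

# Random key of $1 bits in 0xHEX form (replaces the dd | xxd pipeline in post #8).
gen_key() {
    printf '0x%s' "$(od -An -v -tx1 -N $(( $1 / 8 )) /dev/urandom | tr -d ' \n')"
}

# Emit a setkey script for hosts $1 and $2 with separate AH and ESP keys per
# direction ($3/$4 for AH, $5/$6 for ESP). Fails without output on a bad key.
write_setkey() {
    a=$1; b=$2
    for k in "$3" "$4"; do check_key hmac-md5 "$k" >/dev/null || return 1; done
    for k in "$5" "$6"; do check_key 3des-cbc "$k" >/dev/null || return 1; done
    cat <<EOF
#!/sbin/setkey -f
flush;
spdflush;
# SAD: one AH and one ESP association per direction (SPIs as in post #4)
add -6 $a $b ah 15700 -m transport -A hmac-md5 $3;
add -6 $b $a ah 24500 -m transport -A hmac-md5 $4;
add -6 $a $b esp 15701 -m transport -E 3des-cbc $5;
add -6 $b $a esp 24501 -m transport -E 3des-cbc $6;
# SPD: require ESP and AH in transport mode for all traffic between the hosts
spdadd $a $b any -P out ipsec esp/transport//require ah/transport//require;
spdadd $b $a any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# Usage: generate four distinct keys and print the script (constructed hosts).
write_setkey 2001:db8::1 2001:db8::2 \
    "$(gen_key 128)" "$(gen_key 128)" "$(gen_key 192)" "$(gen_key 192)"
```

Two design points. The script uses a different random key for each direction and each protocol; a fixed ASCII key such as "1234567890123456" has the right length for hmac-md5 but is guessable, and the same key on both ends of both directions means one leak breaks everything. Second, a file produced this way is loaded with `setkey -f file` (or run directly, since its first line is `#!/sbin/setkey -f`), after which `setkey -D` lists the associations and `setkey -DP` the policies; the same file has to be loaded on both hosts, with the addresses reversed roles but the same SPIs and keys.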
 
Old 10-12-2006, 06:51 AM   #9
hegdeshashi
Hi,

Send me the 'uname -a' and ifconfig information.

Is IPv6 enabled or not? How are you checking?

For SAD entries,
use this example:

add -6 2001:200:141:4320:1::1 2001:200:141:4320:1::2 ah 5555 -m transport -A hmac-md5 "1234567890123456";

Don't use racoon. Instead use racoon2.
 
Old 10-12-2006, 09:42 AM   #10
squirtle (Original Poster)
[root@root etc]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:DC:FF:1A:41
inet addr:10.0.0.12 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: 2001:328:2003:2::11/64 Scope:Global
inet6 addr: fe80::210:dcff:feff:1a41/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2999 errors:0 dropped:0 overruns:0 frame:0
TX packets:2106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1691377 (1.6 MiB) TX bytes:422647 (412.7 KiB)
Interrupt:11 Base address:0xe800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7068 errors:0 dropped:0 overruns:0 frame:0
TX packets:7068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4619394 (4.4 MiB) TX bytes:4619394 (4.4 MiB)

[root@root etc]# uname -a
Linux root.mailv6.fsktm.upm.edu.my 2.6.17-1.2187_FC5 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
[root@root etc]

Sorry, the version I posted before is my PC at home: usr/src/kernels/2.6.11-1.1369_FC4-i686

This is my real mail server's kernel version: 2.6.17-1.2187_FC5. Racoon2 is more difficult than Racoon. So can I still use Racoon? Does Racoon have a problem? Because this project is time consuming. Thanks

Last edited by squirtle; 10-12-2006 at 10:25 AM.
 
Old 10-13-2006, 12:34 AM   #11
hegdeshashi
For IPv6, you need to configure the gif0 interface,
like ifconfig gif0 create etc., and enable IPv4 and IPv6 addresses.

==============

[root@root etc]# uname -a
Linux root.mailv6.fsktm.upm.edu.my 2.6.17-1.2187_FC5 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
[root@root etc]
==============

It seems IPsec is not enabled.
Just refer to this URL:
http://www.ibiblio.org/pub/Linux/doc...EMCHECK-KERNEL

Racoon2 is the extended part of racoon.
Don't use racoon. The better option is racoon2.

Follow the above steps.
You will definitely get it.
Best of luck.
 
Old 10-13-2006, 08:24 PM   #12
squirtle (Original Poster)
Hi,
So sorry to ask so many questions.
For SAD entries, do I use this with the key "1234567890123456" too? Do I not need to generate the key on my own?
add -6 2001:200:141:4320:1::1 2001:200:141:4320:1::2 ah 5555 -m transport -A hmac-md5 "1234567890123456";

I don't have the file ipsec.conf. How do I enable IPsec?

I load the IPv6 module first:
[root@root net]# modprobe ipv6
[root@root net]# lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded> "
ipv6 268097 28
IPv6 module successfully loaded

[root@root net]# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
Running kernel is IPv6 ready

I check that IPv6 is enabled by seeing "inet6 addr: fe80::210:dcff:feff:1a41/64 Scope:Link".
I assign my eth0 as "inet6 addr: 2001:328:2003:2::1/64 Scope:Global".

[root@root net]# ifconfig

eth0 Link encap:Ethernet HWaddr 00:10:DC:FF:1A:41
inet addr:10.0.0.12 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: 2001:328:2003:2::1/64 Scope:Global
inet6 addr: fe80::210:dcff:feff:1a41/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7281 errors:0 dropped:0 overruns:0 frame:0
TX packets:5377 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8944954 (8.5 MiB) TX bytes:507642 (495.7 KiB)
Interrupt:11 Base address:0xe800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4417 errors:0 dropped:0 overruns:0 frame:0
TX packets:4417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4207220 (4.0 MiB) TX bytes:4207220 (4.0 MiB)




Thanks

Last edited by squirtle; 10-16-2006 at 04:41 AM.
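The checks in post #12 establish that IPv6 is up (the ipv6 module is loaded and /proc/net/if_inet6 exists), but post #11's "IPsec is not enabled" is a separate question. The following is an added example, not something a poster wrote, that extends the same style of check to what setkey's IPv6 AH/ESP entries depend on. The names are those of the 2.6 kernel of the time: af_key provides the PF_KEY socket setkey talks to and exposes /proc/net/pfkey, esp6 and ah6 are the IPv6 transforms, and /proc/crypto lists the base algorithms md5 and des3_ede behind hmac-md5 and 3des-cbc. Code compiled into the kernel does not appear in lsmod, so a module that is "not loaded" is only a hint to try modprobe, not proof that support is absent; the verdict function treats it that way. The functions take text as arguments so they can be run over saved output, and the two samples embedded in the block are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread: a read-only check of whether the
# running kernel has what setkey's IPv6 AH/ESP entries need. The functions take
# text so they also work on saved output; the samples below are constructed.

# Modules the setup in this thread needs when they are not built in:
# af_key gives the PF_KEY socket setkey talks to, esp6/ah6 are the IPv6
# transforms. Prints the names absent from lsmod output $1 (built-in code
# never shows up here, so an absent name is a hint to try modprobe).
ipsec_missing_modules() {
    missing=""
    for m in ipv6 af_key esp6 ah6; do
        printf '%s\n' "$1" | grep -q "^$m[[:space:]]" || missing="$missing $m"
    done
    echo "${missing# }"
}

# Base algorithms behind hmac-md5 and 3des-cbc, as listed in /proc/crypto $1
# ("name : md5", "name : des3_ede"; newer kernels add wrapped forms such as
# hmac(md5), which still imply the base algorithm is present).
crypto_missing_algs() {
    missing=""
    for a in md5 des3_ede; do
        printf '%s\n' "$1" | grep -q "^name[[:space:]]*:[[:space:]]*$a\$" || missing="$missing $a"
    done
    echo "${missing# }"
}

# Verdict from lsmod text $1, /proc/crypto text $2 and whether /proc/net/pfkey
# exists ($3 = present|absent). Missing algorithms or no PF_KEY socket are
# hard failures; modules not loaded may simply be built in.
ipsec_verdict() {
    mods=$(ipsec_missing_modules "$1")
    algs=$(crypto_missing_algs "$2")
    if [ "$3" != present ] || [ -n "$algs" ]; then
        echo "not ready: pfkey=$3 algorithms missing=[$algs]"
    elif [ -n "$mods" ]; then
        echo "kernel ok; not loaded as modules (built in or absent): $mods"
    else
        echo ready
    fi
}

# Constructed samples in the shape of lsmod and /proc/crypto output.
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  268097  28
esp6                    7424  2
af_key                 33680  0'
SAMPLE_CRYPTO='name         : md5
module       : kernel
name         : des3_ede
module       : kernel'

# Live run: module list, crypto list and the PF_KEY proc entry of this host.
live_verdict() {
    if [ -e /proc/net/pfkey ]; then pf=present; else pf=absent; fi
    ipsec_verdict "$(lsmod 2>/dev/null || true)" "$(cat /proc/crypto 2>/dev/null || true)" "$pf"
}

ipsec_verdict "$SAMPLE_LSMOD" "$SAMPLE_CRYPTO" present   # constructed sample: ah6 not loaded
live_verdict
```

On a host where the verdict is "not ready" because /proc/net/pfkey is absent, `modprobe af_key` is the first thing to try; `setkey -D` cannot talk to the kernel at all without it, which is a different failure from the "No SAD entries" of a script that only contains spdadd lines.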
 
Old 10-18-2006, 10:37 PM   #13
squirtle (Original Poster)
Hi,
I can successfully run setkey -D and setkey -DP by using the example suggested by hegdeshashi. Thanks.

I start up IPsec with /sbin/ifup myipsec. Is that right? Is that all for setting up IPsec between 2 PCs? Do I need to set up the same setkey file on the remote host?

Thanks.
 
Old 10-20-2006, 07:42 AM   #14
squirtle (Original Poster)
Hi.
This is the result after I run setkey -D and setkey -DP:
[root@localhost sbin]# setkey -DP
2001:328:2003:2::11[any] 2001:328:2003:2::12[any] any
in prio def ipsec
esp/transport//require
created: Oct 20 17:09:11 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1120 seq=2 pid=6299
refcnt=1
2001:328:2003:2::12[any] 2001:328:2003:2::11[any] any
out prio def ipsec
esp/transport//require
created: Oct 20 17:09:11 2006 lastused: Oct 20 17:17:35 2006
lifetime: 0(s) validtime: 0(s)
spid=1113 seq=1 pid=6299
refcnt=3
2001:328:2003:2::11[any] 2001:328:2003:2::12[any] any
fwd prio def ipsec
esp/transport//require
created: Oct 20 17:09:11 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1130 seq=0 pid=6299
refcnt=1
[root@localhost sbin]# setkey -D
2001:328:2003:2::12 2001:328:2003:2::11
esp mode=transport spi=25001(0x000061a9) reqid=0(0x00000000)
E: des-cbc 31323334 35363738
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Oct 20 17:09:11 2006 current: Oct 20 17:17:42 2006
diff: 511(s) hard: 0(s) soft: 0(s)
last: Oct 20 17:09:29 2006 hard: 0(s) soft: 0(s)
current: 38656(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 302 hard: 0 soft: 0
sadb_seq=3 pid=6302 refcnt=0
2001:328:2003:2::12 2001:328:2003:2::11
ah mode=transport spi=15701(0x00003d55) reqid=0(0x00000000)
A: hmac-md5 31323334 35363738 39303132 33343536
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Oct 20 17:09:10 2006 current: Oct 20 17:17:42 2006
diff: 512(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=6302 refcnt=0
2001:328:2003:2::11 2001:328:2003:2::12
esp mode=transport spi=25001(0x000061a9) reqid=0(0x00000000)
E: des-cbc 31323334 35363738
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Oct 20 17:09:11 2006 current: Oct 20 17:17:42 2006
diff: 511(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=6302 refcnt=0
2001:328:2003:2::11 2001:328:2003:2::12
ah mode=transport spi=15700(0x00003d54) reqid=0(0x00000000)
A: hmac-md5 31323334 35363738 39303132 33343536
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Oct 20 17:09:10 2006 current: Oct 20 17:17:42 2006
diff: 512(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=6302 refcnt=0
[root@localhost sbin]#
 
Old 10-20-2006, 07:55 AM   #15
squirtle (Original Poster)
Sorry, because I still use racoon to set up IPsec. After that I set up racoon.conf, then I ran it and got the error below. The two PCs also can't ping6 each other. Before setting up IPsec they could still ping6.

[root@localhost racoon]# /etc/racoon/racoon.conf
/etc/racoon/racoon.conf: line 5: path: command not found
/etc/racoon/racoon.conf: line 6: path: command not found
/etc/racoon/racoon.conf: line 7: path: command not found
/etc/racoon/racoon.conf: line 9: listen: command not found
/etc/racoon/racoon.conf: line 11: isakmp: command not found
/etc/racoon/racoon.conf: line 13: remote: command not found
/etc/racoon/racoon.conf: line 15: exchange_mode: command not found
/etc/racoon/racoon.conf: line 16: lifetime: command not found
/etc/racoon/racoon.conf: line 17: proposal: command not found
/etc/racoon/racoon.conf: line 19: encryption_algorithm: command not found
/etc/racoon/racoon.conf: line 20: hash_algorithm: command not found
/etc/racoon/racoon.conf: line 21: authentication_method: command not found
/etc/racoon/racoon.conf: line 22: dh_group: command not found
/etc/racoon/racoon.conf: line 42: sainfo: command not found
/etc/racoon/racoon.conf: line 44: pfs_group: command not found
/etc/racoon/racoon.conf: line 45: lifetime: command not found
/etc/racoon/racoon.conf: line 46: encryption_algorithm: command not found
/etc/racoon/racoon.conf: line 47: authentication_algorithm: command not found
/etc/racoon/racoon.conf: line 48: compression_algorithm: command not found

Can you tell me what the problem is? Thanks a lot.
 
  

