Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If you want to work with ipsec, just use SAD & SPD entries. In the SAD entry, you have a 16-bit auth value; that's the password for you to communicate. If you change that one, you can't ping6.
Hi,
This is my SAD and SPD entries in the server PC.
add -6 2001:328:2003:2::11 2001:328:2::12 ah 17000 -m transport -A hmac-md5 "1234567890123456";
add -6 2001:328:2003:2::12 2001:328:2::11 ah 17001 -m transport -A hmac-md5 "1234567890123456";
add 2001:328:2003:2::11 2001:328:2::12 esp 25000 -m transport -E des-cbc "12345678";
add 2001:328:2003:2::12 2001:328:2::11 esp 25000 -m transport -E des-cbc "12345678";
spdadd 2001:328:2003:2::11 2001:328:2003:2::12 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::12 2001:328:2003:2::11 any -P out ipsec esp/transport//require;
Then are the SAD and SPD entries in the remote host also the same, only replacing "in" with "out"? The key I use in AH is "1234567890123456" and in ESP is "12345678"; is that right?
Then I need to test the ipsec with tcpdump?
No command to start the ipsec? Just set up the SAD and SPD?
Sorry for asking so many questions.
I still can't ping after setting up the SAD & SPD.
This is /etc/setkey.conf on host 2001:328:2003:2::5
Quote:
#!/usr/sbin/setkey -f
#host 2001:328:2003:2::5
add -6 2001:328:2003:2::5 2001:328:2003:2::6 ah 15700 -m transport -A hmac-md5 "1234567890123456";
add -6 2001:328:2003:2::6 2001:328:2003:2::5 ah 24500 -m transport -A hmac-md5 "6541230987654321";
add 2001:328:2003:2::5 2001:328:2003:2::6 esp 15701 -m transport -E des-cbc "12345678";
add 2001:328:2003:2::6 2001:328:2003:2::5 esp 24501 -m transport -E des-cbc "87654321";
spdadd 2001:328:2003:2::5 2001:328:2003:2::6 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 2001:328:2003:2::6 2001:328:2003:2::5 any -P in ipsec esp/transport//require ah/transport//require;
This is /etc/setkey.conf on host 2001:328:2003:2::6
Quote:
#!/usr/sbin/setkey -f
#host 2001:328:2003:2::6
add -6 2001:328:2003:2::5 2001:328:2003:2::6 ah 15700 -m transport -A hmac-md5 "1234567890123456";
add -6 2001:328:2003:2::6 2001:328:2003:2::5 ah 24500 -m transport -A hmac-md5 "6541230987654321";
add 2001:328:2003:2::5 2001:328:2003:2::6 esp 15701 -m transport -E des-cbc "12345678";
add 2001:328:2003:2::6 2001:328:2003:2::5 esp 24501 -m transport -E des-cbc "87654321";
spdadd 2001:328:2003:2::5 2001:328:2003:2::6 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 2001:328:2003:2::6 2001:328:2003:2::5 any -P out ipsec esp/transport//require ah/transport//require;
Any problem in my setup?
After configuring both hosts, I invoke setkey with setkey -f /etc/setkey.conf
Before setting up the SAD & SPD I can ping6 each other.
Thanks a lot.
Thanks
----------------------------------------------
If you want to work with ipsec, just use SAD & SPD entries. In the SAD entry, you have a 16-bit auth value; that's the password for you to communicate. If you change that one, you can't ping6.
----------------------------------------------
I still use the same key, right? However, both hosts still can't communicate.
[root@localhost racoon]# /etc/racoon/racoon.conf
/etc/racoon/racoon.conf: line 6: path: command not found
/etc/racoon/racoon.conf: line 7: path: command not found
/etc/racoon/racoon.conf: line 10: listen: command not found
/etc/racoon/racoon.conf: line 12: isakmp: command not found
/etc/racoon/racoon.conf: line 15: remote: command not found
/etc/racoon/racoon.conf: line 17: exchange_mode: command not found
/etc/racoon/racoon.conf: line 18: lifetime: command not found
/etc/racoon/racoon.conf: line 19: proposal: command not found
/etc/racoon/racoon.conf: line 21: encryption_algorithm: command not found
/etc/racoon/racoon.conf: line 22: hash_algorithm: command not found
/etc/racoon/racoon.conf: line 23: authentication_method: command not found
/etc/racoon/racoon.conf: line 24: dh_group: command not found
/etc/racoon/racoon.conf: line 28: sainfo: command not found
/etc/racoon/racoon.conf: line 30: lifetime: command not found
/etc/racoon/racoon.conf: line 31: encryption_algorithm: command not found
/etc/racoon/racoon.conf: line 32: authentication_algorithm: command not found
/etc/racoon/racoon.conf: line 33: compression_algorithm: command not found
/etc/racoon/racoon.conf: line 36: sainfo: command not found
/etc/racoon/racoon.conf: line 38: lifetime: command not found
/etc/racoon/racoon.conf: line 39: encryption_algorithm: command not found
/etc/racoon/racoon.conf: line 40: authentication_algorithm: command not found
/etc/racoon/racoon.conf: line 41: compression_algorithm: command
[root@localhost racoon]# racoon -F -v -f /etc/racoon/racoon.conf
Foreground mode.
2006-10-30 16:00:38: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2006-10-30 16:00:38: INFO: @(#)This product linked OpenSSL 0.9.7f 22 Mar 2005 (http://www.openssl.org/)
2006-10-30 16:00:39: INFO: 2001:328:2003:2::8[500] used as isakmp port (fd=6)
2006-10-30 16:01:10: INFO: IPsec-SA request for 2001:328:2003:2::6 queued due to no phase1 found.
2006-10-30 16:01:10: INFO: initiate new phase 1 negotiation: 2001:328:2003:2::8[500]<=>2001:328:2003:2::6[500]
2006-10-30 16:01:10: INFO: begin Identity Protection mode.
2006-10-30 16:01:41: ERROR: phase2 negotiation failed due to time up waiting for phase1. AH 2001:328:2003:2::6->2001:328:2003:2::8
2006-10-30 16:01:41: INFO: delete phase 2 handler.
2006-10-30 16:02:10: ERROR: phase1 negotiation failed due to time up. 1b03638309977be7:0000000000000000
2006-10-30 16:02:10: INFO: IPsec-SA request for 2001:328:2003:2::6 queued due to no phase1 found.
2006-10-30 16:02:10: INFO: initiate new phase 1 negotiation: 2001:328:2003:2::8[500]<=>2001:328:2003:2::6[500]
2006-10-30 16:02:10: INFO: begin Identity Protection mode.
2006-10-30 16:02:41: ERROR: phase2 negotiation failed due to time up waiting for phase1. AH 2001:328:2003:2::6->2001:328:2003:2::8
2006-10-30 16:02:41: INFO: delete phase 2 handler.
2006-10-30 16:03:10: ERROR: phase1 negotiation failed due to time up. 078f380d7dc7d070:0000000000000000
2006-10-30 16:12:07: INFO: unsupported PF_KEY message REGISTER
2006-10-30 16:12:29: INFO: caught signal 2
2006-10-30 16:12:30: INFO: racoon shutdown
This is psk.txt
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
# For example:
#
# 10.1.1.1 flibbertigibbet
# www.example.com 12345
# foo@www.example.com micropachycephalosaurus
2001:328:2003:2::6 124567890123456
In system: 2001:328:2003:2::11
=======================================
add -6 2001:328:2003:2::11 2001:328:2::12 ah 17000 -m transport -A hmac-md5 "1234567890123456";
add -6 2001:328:2003:2::12 2001:328:2::11 ah 17000 -m transport -A hmac-md5 "1234567890123456";
spdadd 2001:328:2003:2::11 2001:328:2003:2::12 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::12 2001:328:2003:2::11 any -P in ipsec esp/transport//require;
============================
In system : 2001:328:2003:2::12
================================
add -6 2001:328:2003:2::11 2001:328:2::12 ah 17000 -m transport -A hmac-md5 "1234567890123456";
add -6 2001:328:2003:2::12 2001:328:2::11 ah 17000 -m transport -A hmac-md5 "1234567890123456";
spdadd 2001:328:2003:2::12 2001:328:2003:2::11 any -P out ipsec esp/transport//require;
spdadd 2001:328:2003:2::11 2001:328:2003:2::12 any -P in ipsec esp/transport//require;
================================
Now, it has to work..
Your password is 1234567890123456
If you change this..
it won't ping6....
just try..
So I need to run racoon too? Is my configuration for racoon correct?
Do I not need to add ESP in the SAD & SPD?
Now, does that mean ipsec is enabled already?
Do I need to create the ipsec in /etc/sysconfig/network-scripts/ifcfg-ipsec?
Thanks