Hello Fellow Linux Users,
I was hoping someone could help me with a possible routing issue. I have a Linux network set up like this (this network does work):

A --------- B --------- C --------- D
  10.0.62.X   10.0.63.X   10.0.64.X
Current route setup on host C:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
10.0.63.0       *               255.255.255.0   U     0      0        0 eth0
10.0.62.0       10.0.63.249     255.255.255.0   UG    0      0        0 eth0
default         10.0.64.1       0.0.0.0         UG    0      0        0 eth0
It's 4 Debian machines on a single switch that are able to communicate via routing and a couple of virtual network interfaces.
I have got IPsec and OpenVPN to work in basic client-to-client or client-to-server configurations. I cannot for the life of me get them to work in a network-to-network configuration. My latest effort consists of this ipsec-tools.conf on Host C:
__________________________________________________________
#!/usr/sbin/setkey -f
#
# SPD for gateway C (10.0.63.250): 10.0.64.0/24 <-> 10.0.62.0/24 via gateway B (10.0.63.249)
#
# Security Policy Database entries
# Traffic from our LAN to B's LAN goes out through an ESP+AH tunnel C -> B
spdadd 10.0.64.0/24 10.0.62.0/24 any -P out ipsec
    esp/tunnel/10.0.63.250-10.0.63.249/require
    ah/tunnel/10.0.63.250-10.0.63.249/require;
# Traffic from B's LAN to our LAN must arrive through the tunnel B -> C
spdadd 10.0.62.0/24 10.0.64.0/24 any -P in ipsec
    esp/tunnel/10.0.63.249-10.0.63.250/require
    ah/tunnel/10.0.63.249-10.0.63.250/require;
# Now create the keys to be used (SAD entries, one SA per direction and protocol)
# AH SAD entries with 160-bit keys
add 10.0.63.249 10.0.63.250 ah 0x200 -A hmac-sha1 0x46915c30ed7e2465b42861b6ab19f2772813020c;
add 10.0.63.250 10.0.63.249 ah 0x300 -A hmac-sha1 0xc4dac594f8228e0b94a54758f7fbf2fdf4e37f3e;
# ESP SAD entries with 192-bit keys
add 10.0.63.249 10.0.63.250 esp 0x201 -E rijndael-cbc 0xa3993b3dfc41ef0a1aa8d168a8bf2c27e48249ac17b61e09;
add 10.0.63.250 10.0.63.249 esp 0x301 -E rijndael-cbc 0x8f6498928ba354bd45cfad147f54c67b3b742896b3bafc02;
________________________________________________________
I have also tried to use "spdadd 10.0.64.0/24 10.0.62.0/24 any -P fwd ipsec" instead of "out" because of my current routing rules. I am pretty confused on this issue. I really believe it's my routing that's killing me here. On Host B I have the exact same configuration, but mirrored. If someone has any ideas I am all ears!! By the way, the main tutorials I have been using are:
http://linuxgazette.net/126/pfeiffer.html
http://www.ipsec-howto.org/x304.html
Thanks,
Dan
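Editor's added example (not part of Dan's post and not code from ipsec-tools): with manual keying, "mirrored" has a precise meaning, and a hand-edited copy of the file is the usual place where a network-to-network setup silently breaks. The SAD entries (the "add" lines) must be byte-for-byte identical on both gateways, because an SA is identified by source, destination and SPI and both ends need both directions; only the SPD entries flip, so the "out" policy on C, with the same selector and the same tunnel endpoints, is the "in" policy on B. The script below generates such a pair for the addresses in the post (B = 10.0.63.249 in front of 10.0.62.0/24, C = 10.0.63.250 in front of 10.0.64.0/24, both assumed from the routing table and the tunnel endpoints), checks that two existing files really are mirrors of each other, and flags keys whose length setkey would reject. The keys it draws are fresh random test values, not the ones in the post; "fwd" policies are Linux-local and are deliberately left out of the mirror comparison.

```python
"""Generate a mirrored pair of setkey(8) config files for two IPsec
gateways and check that two config files really are mirror images.

Added editorial example; not code from the original post or from
ipsec-tools.  Addresses follow the post; keys are fresh test values.
"""
import os
from dataclasses import dataclass

# Key lengths (bytes) setkey accepts for the algorithms used in the post.
KEY_LENGTHS = {"hmac-sha1": {20}, "hmac-md5": {16},
               "rijndael-cbc": {16, 24, 32}, "3des-cbc": {24}}


@dataclass(frozen=True)
class Gateway:
    name: str
    outer: str   # tunnel endpoint on the shared 10.0.63.0/24 link
    inner: str   # network behind this gateway, CIDR


def hexkey(nbytes):
    """Fresh random key in the 0x... form setkey expects."""
    return "0x" + os.urandom(nbytes).hex()


def key_length_ok(alg, hexstr):
    """True if the 0x-prefixed key has a length setkey accepts for alg."""
    return (len(hexstr) - 2) // 2 in KEY_LENGTHS.get(alg, set())


def sad_lines(a, b, spi_ab, spi_ba, ah_keys, esp_keys):
    """SAD entries; identical on both gateways (SA = src, dst, SPI)."""
    return [
        f"add {a.outer} {b.outer} ah {spi_ab:#x} -A hmac-sha1 {ah_keys[0]};",
        f"add {b.outer} {a.outer} ah {spi_ba:#x} -A hmac-sha1 {ah_keys[1]};",
        f"add {a.outer} {b.outer} esp {spi_ab + 1:#x} -E rijndael-cbc {esp_keys[0]};",
        f"add {b.outer} {a.outer} esp {spi_ba + 1:#x} -E rijndael-cbc {esp_keys[1]};",
    ]


def spd_lines(local, remote):
    """SPD entries as seen from `local`: its `out` policy is, selector and
    tunnel endpoints included, the remote side's `in` policy."""
    fwd = f"{local.outer}-{remote.outer}"
    rev = f"{remote.outer}-{local.outer}"
    return [
        f"spdadd {local.inner} {remote.inner} any -P out ipsec",
        f"    esp/tunnel/{fwd}/require",
        f"    ah/tunnel/{fwd}/require;",
        f"spdadd {remote.inner} {local.inner} any -P in ipsec",
        f"    esp/tunnel/{rev}/require",
        f"    ah/tunnel/{rev}/require;",
    ]


# Gateways as assumed from the post's routing table and tunnel endpoints.
B = Gateway("B", "10.0.63.249", "10.0.62.0/24")
C = Gateway("C", "10.0.63.250", "10.0.64.0/24")


def build_pair(a=B, b=C, keys=None):
    """Return (conf_a, conf_b), the files to install on a and b.
    Draws fresh keys unless a dict with 'ah' and 'esp' lists is given."""
    if keys is None:
        keys = {"ah": [hexkey(20), hexkey(20)], "esp": [hexkey(24), hexkey(24)]}
    sad = sad_lines(a, b, 0x200, 0x300, keys["ah"], keys["esp"])
    head = ["#!/usr/sbin/setkey -f", "flush;", "spdflush;"]
    conf_a = "\n".join(head + spd_lines(a, b) + sad) + "\n"
    conf_b = "\n".join(head + spd_lines(b, a) + sad) + "\n"
    return conf_a, conf_b


def parse_setkey(text):
    """Minimal parser: (set of `add` token tuples, set of SPD tuples).
    Statements end with ';' and may span lines; '#' starts a comment."""
    sad, spd = set(), set()
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "add":
            sad.add(tuple(tok[1:]))       # src dst proto spi -A/-E alg key
        elif tok[0] == "spdadd":
            src, dst, upper, _p, direction, _ipsec, *protos = tok[1:]
            spd.add((src, dst, upper, direction, tuple(protos)))
    return sad, spd


def bad_keys(text):
    """SA entries whose key length setkey would reject."""
    return [sa for sa in parse_setkey(text)[0] if not key_length_ok(sa[5], sa[6])]


def is_mirror(conf_a, conf_b):
    """True if both files carry the same SAD and every in/out policy of a
    appears on b with only the direction flipped (fwd policies ignored)."""
    sad_a, spd_a = parse_setkey(conf_a)
    sad_b, spd_b = parse_setkey(conf_b)
    flip = {"out": "in", "in": "out"}
    mirrored = {(s, d, u, flip[dr], p) for s, d, u, dr, p in spd_a if dr in flip}
    return sad_a == sad_b and mirrored == {e for e in spd_b if e[3] in flip}


if __name__ == "__main__":
    conf_b, conf_c = build_pair()
    print(conf_c, "mirror ok:", is_mirror(conf_b, conf_c), "bad keys:", bad_keys(conf_c))
```

To use it against real files, read /etc/ipsec-tools.conf from both hosts and call is_mirror() on the two texts; a False result means an SPI, key or tunnel endpoint differs between the copies. Because the file holds the raw AH and ESP keys, keep it mode 0600 and owned by root, and treat any keys that have been posted publicly as burned.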