[strongSwan] Problem sending a packet out a raw socket over IPsec
Lin, Clifton (US SSA)
clifton.lin at baesystems.com
Tue Jun 21 15:32:10 CEST 2011
Hi Andreas,
Below is my ipsec.conf file on the first host (10.41.42.210):
# ipsec.conf - 10.41.42.210

config setup
    plutostart=no

conn %default
    reauth=no
    rekey=no
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    leftfirewall=yes
    rightfirewall=yes
    auto=add
    esp=null-sha1
    leftsendcert=never
    rightsendcert=never

conn test
    left=10.41.42.210
    leftsubnet=10.41.42.210/32
    leftcert=cert-10.41.42.210-10.41.42.215.der
    right=10.41.42.215
    rightsubnet=10.41.42.215/32
    rightcert=cert-10.41.42.215-10.41.42.210.der
------------------------
Below is my ipsec.conf file on the second host (10.41.42.215):
# ipsec.conf - 10.41.42.215

config setup
    plutostart=no

# Default connection parameters for IBR
conn %default
    reauth=no
    rekey=no
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    leftfirewall=yes
    rightfirewall=yes
    auto=add
    esp=null-sha1
    leftsendcert=never
    rightsendcert=never

conn test
    left=10.41.42.215
    leftsubnet=10.41.42.215/32
    leftcert=cert-10.41.42.215-10.41.42.210.der
    right=10.41.42.210
    rightsubnet=10.41.42.210/32
    rightcert=cert-10.41.42.210-10.41.42.215.der
------------------
Below is the output of "ipsec statusall" on 10.41.42.210, after sending five IP packets out the RAW socket:
Status of IKEv2 charon daemon (strongSwan 4.5.2dr2):
  uptime: 54 seconds, since Jun 21 08:18:01 2011
  malloc: sbrk 135168, mmap 0, used 85992, free 49176
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  10.41.42.210
  fec0::1
  192.168.206.1
  192.168.81.1
Connections:
        test:  10.41.42.210...10.41.42.215
        test:   local:  [10.41.42.210] uses public key authentication
        test:    cert:  "CN=10.41.42.210"
        test:   remote: [10.41.42.215] uses any authentication
        test:    cert:  "CN=10.41.42.215"
        test:   child:  10.41.42.210/32 === 10.41.42.215/32
Security Associations:
        test[1]: ESTABLISHED 29 seconds ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
        test[1]: IKE SPIs: ea6b527314da770b_i* 2aeaa8f396c90311_r, rekeying disabled
        test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        test{1}:  INSTALLED, TUNNEL, ESP SPIs: c55b5f97_i c923f1f9_o
        test{1}:  NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
        test{1}:   10.41.42.210/32 === 10.41.42.215/32
Thanks for your help.
-Clifton
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Monday, June 20, 2011 5:14 PM
To: Lin, Clifton (US SSA)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problem sending a packet out a raw socket over IPsec
Hello Clifton,
could you send me your ipsec.conf files and the output of the
ipsec statusall command after you have sent a couple of packets?
Regards
Andreas
On 06/20/2011 11:00 PM, Lin, Clifton (US SSA) wrote:
> Hello,
>
> I have set up a strongSwan IPsec connection between two hosts, and I
> can ping across with no problem. Now, I am trying to send an
> arbitrary IP packet out a raw socket destined for the other host, and
> I would like for this IP packet to traverse the IPsec connection.
> However, when I try this, it appears that the packet does NOT get
> encrypted by IPsec, as I hoped it would. Also, (as a result of the
> IPsec encapsulation not happening), the packet does not match the
> iptables rule that strongswan inserts into the OUTPUT chain to accept
> tunneled packets. Any idea what is wrong or how I can make this
> work?
>
> Thanks, Clifton
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
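As an added example (not code from the thread or from strongSwan), a small Python parser for the CHILD_SA lines of the ipsec statusall output above: it extracts the ESP SPIs and byte counters and flags the two things a reviewer would check here, an installed SA whose bytes_o is still 0 after packets were sent (the raw-socket packets never matched the SA's policy) and the NULL/HMAC_SHA1_96 proposal, which authenticates the payload but sends it in clear text. The function names parse_child_sas and audit_child_sas are my own.

```python
import re

# Sample input: the Security Associations part of the "ipsec statusall" output
# posted above (copied from the thread, with charon's indentation restored).
STATUSALL = """\
Security Associations:
  test[1]: ESTABLISHED 29 seconds ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
  test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  test{1}: INSTALLED, TUNNEL, ESP SPIs: c55b5f97_i c923f1f9_o
  test{1}: NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
  test{1}: 10.41.42.210/32 === 10.41.42.215/32
"""

# "<conn>{<id>}: INSTALLED, TUNNEL, ESP SPIs: <in>_i <out>_o"
CHILD_HDR = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+),\s+(?P<mode>\w+),"
    r"\s+ESP SPIs:\s+(?P<spi_i>[0-9a-f]+)_i\s+(?P<spi_o>[0-9a-f]+)_o")
# "<conn>{<id>}: <enc>[/<integ>], N bytes_i, M bytes_o, ..." (AEAD has no "/<integ>")
CHILD_CNT = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<enc>[\w-]+)(?:/(?P<integ>[\w-]+))?,"
    r"\s+(?P<bytes_i>\d+) bytes_i,\s+(?P<bytes_o>\d+) bytes_o")


def parse_child_sas(text):
    """Return {(conn, id): {state, mode, spi_i, spi_o, enc, integ, bytes_i, bytes_o}}."""
    sas = {}
    for line in text.splitlines():
        for rx in (CHILD_HDR, CHILD_CNT):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                key = (d.pop("conn"), int(d.pop("id")))
                d = {k: int(v) if k.startswith("bytes") else v for k, v in d.items()}
                sas.setdefault(key, {}).update(d)
                break
    return sas


def audit_child_sas(sas, packets_sent):
    """Flag installed SAs that carried nothing although packets were sent (the packets
    bypassed the SA's policy) and SAs negotiated with NULL encryption (integrity only)."""
    findings = []
    for (conn, cid), sa in sorted(sas.items()):
        name = f"{conn}{{{cid}}}"
        if sa.get("state") == "INSTALLED" and packets_sent > 0 and sa.get("bytes_o") == 0:
            findings.append(f"{name}: 0 bytes_o after {packets_sent} packets sent; "
                            f"packets did not match the policy of SPI {sa['spi_o']}_o")
        if str(sa.get("enc")).upper() == "NULL":
            findings.append(f"{name}: NULL encryption ({sa['enc']}/{sa.get('integ')}), "
                            "integrity only, no confidentiality")
    return findings
```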