[strongSwan] Question on ESP tunnel configuration
nagaraj
nagaraj2 at gmail.com
Wed Apr 11 03:20:42 CEST 2012
Hi, I am trying to establish ESP tunnel between GW1 and GW2 and my ipsec
pre-shared key configuration on GW1 and GW2 is as follows: When I ping the
far end interface on Host A from Host B, I notice that ICMP packets are not
ESP encrypted and also ipsec status on both GW1 and GW2 reports no SA
associations. Could somebody please tell me if I am missing something in
here ? I am using strongswan ver 4.6.2 on both the gateways. My kernel
version on Gateway 1 is: [root at ex-target ~]# uname -a
Linux ex-target 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
i686 i386 GNU/Linux
and on Gateway 2, kernel version is:
root at gateway2:~# uname -a
Linux gateway2 2.6.32-40-server #87-Ubuntu SMP Tue Mar 6 02:10:02 UTC 2012
x86_64 GNU/Linux
root at gateway2:~#
root at gateway2:~# ipsec status
Security Associations (0 up, 0 connecting):
none
root at gateway2:~#
HostA------------GW1==============GW2---------------HostB
HostA:
ipadress: 192.167.2.2/24
GW1:
ipaddress
etho: 192.167.2.180/24
eth1: 192.167.21.1/24
GW2:
ipaddress
eth1: 192.167.21.2/24
eth0: 192.167.1.180/24
HostB:
ipaddress 192.167.1.69/24
*ipsec configuration on GW1:*
[root at ex-target etc]# more /usr/local/etc/ipsec.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
# and authentication using 128 bit long keys
add 192.167.2.180 192.167.1.180 esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.167.1.180 192.167.2.180 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
# Security policies
spdadd 172.16.1.0/24 172.16.2.0/24 any -P in ipsec
esp/tunnel/192.168.1.172-192.168.31.141/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P out ipsec
esp/tunnel/192.168.32.141-192.168.1.172/require;
spdadd 172.16.1.0/24 172.16.2.0/24 any -P fwd ipsec
esp/tunnel/192.168.1.172-192.168.31.141/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P rev ipsec
esp/tunnel/192.168.32.141-192.168.1.172/require;
spdadd 192.167.2.0/24 192.167.1.0/24 any -P out ipsec
esp/tunnel/192.167.21.1-192.167.21.2/require;
spdadd 192.167.1.0/24 192.167.2.0/24 any -P in ipsec
esp/tunnel/192.167.21.2-192.167.21.1/require;
spdadd 192.167.2.0/24 192.167.1.0/24 any -P fwd ipsec
esp/tunnel/192.167.21.1-192.167.21.2/require;
spdadd 192.167.1.0/24 192.167.2.0/24 any -P rev ipsec
esp/tunnel/192.167.21.2-192.167.21.1/require;
# config setup
# cachecrli=yes
# strictcrlpolicy=yes
# plutostart=no
conn net-net
leftsubnet=192.167.2.0/24
right=192.167.21.2
rightsubnet=192.167.1.0/24
auto=add
[root at ex-target etc]#
[root at ex-target etc]# more /usr/local/etc/ipsec.secrets
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
[root at ex-target etc]#
*ipsec configuration on GW2:*
root at gateway2:~# more /usr/local/etc/ipsec.conf
# Flush the SAD and SPD
flush;
spdflush;
# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
# and authentication using 128 bit long keys
add 192.167.21.2 192.167.21.1 esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
-A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.167.21.1 192.167.21.2 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
-A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
spdadd 192.167.1.0/24 192.167.2.0/24 any -P out ipsec
esp/tunnel/192.167.21.2-192.167.21.1/require;
spdadd 192.167.2.0/24 192.167.1.0/24 any -P in ipsec
esp/tunnel/192.167.21.1-192.167.21.2/require;
spdadd 192.167.1.0/24 192.167.2.0/24 any -P fwd ipsec
esp/tunnel/192.167.21.2-192.167.21.1/require;
spdadd 192.167.2.0/24 192.167.1.0/24 any -P rev ipsec
esp/tunnel/192.167.21.1-192.167.21.2/require;
conn net-net
leftsubnet=192.167.1.0/24
right=192.167.21.1
rightsubnet=192.167.2.0/24
auto=add
root at gateway2:~#
root at gateway2:~# more /usr/local/etc/ipsec.secrets
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
root at gateway2:~#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120410/9d518004/attachment.html>
More information about the Users
mailing list