[strongSwan] Question on ESP tunnel configuration
Andreas Steffen
andreas.steffen at strongswan.org
Wed Apr 11 07:34:31 CEST 2012
Hello,
strongSwan does not depend on setkey for the installatoin of
IPsec policies. Our daemon creates them itself. If you use
the mode auto=route then the first outbound IP packet will
trigger the negotiation of an IPsec SA. If you install the
policies using setkey then the daemon will not react on the
trigger received from the IPsec stack in the Linux kernel.
Please have a look at our net2net-route example:
http://www.strongswan.org/uml/testresults/ikev2/net2net-route/
Best regards
Andreas
On 04/11/2012 03:20 AM, nagaraj wrote:
> Hi, I am trying to establish ESP tunnel between GW1 and GW2 and my ipsec
> pre-shared key configuration on GW1 and GW2 is as follows: When I ping
> the far end interface on Host A from Host B, I notice that ICMP packets
> are not ESP encrypted and also ipsec status on both GW1 and GW2 reports
> no SA associations. Could somebody please tell me if I am missing
> something in here ? I am using strongswan ver 4.6.2 on both the
> gateways. My kernel version on Gateway 1 is: [root at ex-target ~]# uname -a
> Linux ex-target 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
> i686 i386 GNU/Linux
>
> and on Gateway 2, kernel version is:
> root at gateway2:~# uname -a
> Linux gateway2 2.6.32-40-server #87-Ubuntu SMP Tue Mar 6 02:10:02 UTC
> 2012 x86_64 GNU/Linux
> root at gateway2:~#
>
> root at gateway2:~# ipsec status
> Security Associations (0 up, 0 connecting):
> none
> root at gateway2:~#
>
> HostA------------GW1==============GW2---------------HostB
>
> HostA:
> ipadress: 192.167.2.2/24 <http://192.167.2.2/24>
>
> GW1:
> ipaddress
> etho: 192.167.2.180/24 <http://192.167.2.180/24>
> eth1: 192.167.21.1/24 <http://192.167.21.1/24>
>
> GW2:
> ipaddress
> eth1: 192.167.21.2/24 <http://192.167.21.2/24>
> eth0: 192.167.1.180/24 <http://192.167.1.180/24>
>
> HostB:
> ipaddress 192.167.1.69/24 <http://192.167.1.69/24>
>
> *ipsec configuration on GW1:*
> [root at ex-target etc]# more /usr/local/etc/ipsec.conf
> #!/usr/sbin/setkey -f
>
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> # ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
> # and authentication using 128 bit long keys
> add 192.167.2.180 192.167.1.180 esp 0x201 -m tunnel -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
> -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> add 192.167.1.180 192.167.2.180 esp 0x301 -m tunnel -E 3des-cbc
> 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
> -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
>
> # Security policies
> spdadd 172.16.1.0/24 <http://172.16.1.0/24> 172.16.2.0/24
> <http://172.16.2.0/24> any -P in ipsec
> esp/tunnel/192.168.1.172-192.168.31.141/require;
>
> spdadd 172.16.2.0/24 <http://172.16.2.0/24> 172.16.1.0/24
> <http://172.16.1.0/24> any -P out ipsec
> esp/tunnel/192.168.32.141-192.168.1.172/require;
>
>
> spdadd 172.16.1.0/24 <http://172.16.1.0/24> 172.16.2.0/24
> <http://172.16.2.0/24> any -P fwd ipsec
> esp/tunnel/192.168.1.172-192.168.31.141/require;
>
> spdadd 172.16.2.0/24 <http://172.16.2.0/24> 172.16.1.0/24
> <http://172.16.1.0/24> any -P rev ipsec
> esp/tunnel/192.168.32.141-192.168.1.172/require;
>
>
> spdadd 192.167.2.0/24 <http://192.167.2.0/24> 192.167.1.0/24
> <http://192.167.1.0/24> any -P out ipsec
> esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> spdadd 192.167.1.0/24 <http://192.167.1.0/24> 192.167.2.0/24
> <http://192.167.2.0/24> any -P in ipsec
> esp/tunnel/192.167.21.2-192.167.21.1/require;
>
>
> spdadd 192.167.2.0/24 <http://192.167.2.0/24> 192.167.1.0/24
> <http://192.167.1.0/24> any -P fwd ipsec
> esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> spdadd 192.167.1.0/24 <http://192.167.1.0/24> 192.167.2.0/24
> <http://192.167.2.0/24> any -P rev ipsec
> esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> # config setup
> # cachecrli=yes
> # strictcrlpolicy=yes
> # plutostart=no
>
> conn net-net
> leftsubnet=192.167.2.0/24 <http://192.167.2.0/24>
> right=192.167.21.2
> rightsubnet=192.167.1.0/24 <http://192.167.1.0/24>
> auto=add
> [root at ex-target etc]#
>
> [root at ex-target etc]# more /usr/local/etc/ipsec.secrets
> : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
> [root at ex-target etc]#
>
> *ipsec configuration on GW2:*
> root at gateway2:~# more /usr/local/etc/ipsec.conf
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> # ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
> # and authentication using 128 bit long keys
> add 192.167.21.2 192.167.21.1 esp 0x201 -m tunnel -E 3des-cbc
> 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
> -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
>
> add 192.167.21.1 192.167.21.2 esp 0x301 -m tunnel -E 3des-cbc
> 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
> -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
>
> spdadd 192.167.1.0/24 <http://192.167.1.0/24> 192.167.2.0/24
> <http://192.167.2.0/24> any -P out ipsec
> esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> spdadd 192.167.2.0/24 <http://192.167.2.0/24> 192.167.1.0/24
> <http://192.167.1.0/24> any -P in ipsec
> esp/tunnel/192.167.21.1-192.167.21.2/require;
>
>
> spdadd 192.167.1.0/24 <http://192.167.1.0/24> 192.167.2.0/24
> <http://192.167.2.0/24> any -P fwd ipsec
> esp/tunnel/192.167.21.2-192.167.21.1/require;
>
> spdadd 192.167.2.0/24 <http://192.167.2.0/24> 192.167.1.0/24
> <http://192.167.1.0/24> any -P rev ipsec
> esp/tunnel/192.167.21.1-192.167.21.2/require;
>
> conn net-net
> leftsubnet=192.167.1.0/24 <http://192.167.1.0/24>
> right=192.167.21.1
> rightsubnet=192.167.2.0/24 <http://192.167.2.0/24>
> auto=add
> root at gateway2:~#
> root at gateway2:~# more /usr/local/etc/ipsec.secrets
> : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
> root at gateway2:~#
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list