Date: Thu, 30 Jun 2005 07:51:43 +0100 (BST)
From: mohan chandra <mohanchandra_01@yahoo.co.in>
To: freebsd-security@freebsd.org
Subject: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems...?
Message-ID: <20050630065143.8706.qmail@web8502.mail.in.yahoo.com>
Hi All,

I need to establish an IPSec tunnel between two FreeBSD systems using IPv6 addresses. The connection is host-to-host between two FreeBSD (RELEASE 4.11) systems with the KAME IPSec implementation.

              |----------------->|
 host1-[mohan]|                  |host2-[ram]
              |<-----------------|

host1 IPv6 address : fe80::2b0:d0ff:fe6f:dfa0
host2 IPv6 address : fe80::2b0:d0ff:fe48:7ce7

The 'ipsec.conf' files at Host1 and Host2 are attached along with this email (you can refer to them).

IPsec is started with the following commands at both systems:

*******at Host1*******
mohan# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
mohan#
*******************

*******at Host2*******
ram# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
ram#
*******************

(File setkey.sh is also attached with the email below for your reference)

After that I executed the 'ping6' and 'tcpdump' commands to test the connection (on my system, i.e., host1-mohan), but it seems it is not working properly...

########### ping6 command output at host1 ############
mohan# ping6 -I xl0 fe80::2b0:d0ff:fe48:7ce7
PING6(56=40+8+8 bytes) fe80::2b0:d0ff:fe6f:dfa0%xl0 --> fe80::2b0:d0ff:fe48:7ce7
^C
--- fe80::2b0:d0ff:fe48:7ce7 ping6 statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
mohan#
#############################################

But with the tcpdump command it seems like packets are moving from host1 to host2 without the ESP (encryption) header, and reply packets from host2 to host1 with the ESP (encryption) header. It is shown in the following output:

########## tcpdump at host1 ###################
mohan# tcpdump -i xl0 host fe80::2b0:d0ff:fe6f:dfa0
tcpdump: listening on xl0
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] > ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)
10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)
10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)
10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)
10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)
######################################

Please reply to me with what the problem is with the connection setup. Inform me if there are any mistakes with the ipsec.conf file or the policy setup..? Reply as soon as possible..

If you need any detail regarding the setup, I will send the details.. Please give me proper suggestions.. any help will be appreciated greatly..

Thanx, with Regards
Mohan.

[Attachment: ipsec-host1.conf]
########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;

[Attachment: ipsec-host2.conf]
########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
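Added example, not part of the thread or of the poster's setup. The two attached files are identical (the host1 attachment even carries the "at Host2" header), and the trace shows one direction in the clear. With setkey(8) in transport mode, each host's SPD is evaluated against that host's own packets: a `-P out` selector matches only if its source is this host's address, and a `-P in` selector only if its destination is. The script below parses the attached configuration and the quoted tcpdump lines and reports, for each host address, which SPD entries can never apply on that host, how many packets per direction on the wire carried ESP versus cleartext, and whether the SPI seen on the wire is the SA configured for that direction. The configuration and trace text are copied from the message; the `HOST1`/`HOST2` labels and all function names are this example's own.

```python
"""Cross-check a setkey(8) transport-mode configuration against a tcpdump trace.

Added example, not code from the mailing-list thread. Input data below is
copied from the message; the helper names are this example's own.
"""
import re
from collections import defaultdict

# Copied from the attachment: ipsec-host1.conf is byte-for-byte the same as
# ipsec-host2.conf in the message (both carry the "at Host2" header).
IPSEC_CONF = '''
flush ;
spdflush ;
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
'''

# Copied from the tcpdump output in the message (the [hostN] tags are the poster's).
TCPDUMP = '''
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] > ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)
10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)
10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)
10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)
10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)
'''

HOST1 = "fe80::2b0:d0ff:fe6f:dfa0"   # mohan, where the trace was taken
HOST2 = "fe80::2b0:d0ff:fe48:7ce7"   # ram

SA_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+esp\s+(0x[0-9a-fA-F]+)')
SP_RE = re.compile(r'^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)')
PKT_RE = re.compile(r'^\S+\s+(\S+)\s+>\s+(\S+):\s+(.*)$')


def parse_setkey(text):
    """Return (sad, spd): SAs as {(src, dst): spi}, policies as a list of dicts."""
    sad, spd = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = SA_RE.match(line)
        if m:
            sad[(m.group(1), m.group(2))] = int(m.group(3), 16)
            continue
        m = SP_RE.match(line)
        if m:
            spd.append({"src": m.group(1), "dst": m.group(2), "proto": m.group(3),
                        "dir": m.group(4), "policy": m.group(5)})
    return sad, spd


def spd_findings(host, spd):
    """Host-to-host transport mode: an 'out' selector whose source is not this
    host, or an 'in' selector whose destination is not this host, can never
    match a packet on this host, so the 'require' level is never enforced."""
    findings = []
    for p in spd:
        if p["dir"] == "out" and p["src"] != host:
            findings.append("out policy src %s is not this host (%s)" % (p["src"], host))
        if p["dir"] == "in" and p["dst"] != host:
            findings.append("in policy dst %s is not this host (%s)" % (p["dst"], host))
    return findings


def parse_tcpdump(text):
    """Return (src, dst, spi) per packet; spi is None for cleartext packets.
    The hand-added [hostN] annotations are stripped before matching."""
    pkts = []
    for line in text.splitlines():
        line = re.sub(r'\[[^\]]*\]', '', line.strip())
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        spi = re.search(r'spi=(0x[0-9a-fA-F]+)', payload)
        pkts.append((src, dst, int(spi.group(1), 16) if payload.startswith("ESP(") and spi else None))
    return pkts


def flow_summary(pkts):
    """Count ESP and cleartext packets per (src, dst) direction."""
    summary = defaultdict(lambda: {"esp": 0, "clear": 0})
    for src, dst, spi in pkts:
        summary[(src, dst)]["esp" if spi is not None else "clear"] += 1
    return dict(summary)


def wire_vs_sad(pkts, sad):
    """List ESP packets whose SPI is not the SA configured for that direction."""
    return [(src, dst, spi) for src, dst, spi in pkts
            if spi is not None and sad.get((src, dst)) != spi]


if __name__ == "__main__":
    sad, spd = parse_setkey(IPSEC_CONF)
    for name, addr in (("host1", HOST1), ("host2", HOST2)):
        print(name, "SPD findings:", spd_findings(addr, spd) or "none")
    pkts = parse_tcpdump(TCPDUMP)
    for flow, counts in sorted(flow_summary(pkts).items()):
        print(flow, counts)
    print("SPI mismatches:", wire_vs_sad(pkts, sad) or "none")
```

For the posted files the check reports two findings against host1's address (the out selector names host2 as source, the in selector names host2 as destination) and none against host2's, while the trace shows four cleartext neighbor solicitations from host1 and seven ESP packets from host2 whose SPI 0xfead is exactly the SA configured for that direction. The script only makes that asymmetry visible; the same check, run on each peer's own file, is a cheap way to confirm that a host-to-host transport-mode SPD names the local address on the correct side before looking at the wire.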