(racoon 780) Tunnel over tunnel
- To: Racoon <racoon@kame.net>, ipsec-tools <ipsec-tools-devel@lists.sourceforge.net>
- Subject: (racoon 780) Tunnel over tunnel
- From: Juan Antonio Martínez Navarro <jamn2@alu.um.es>
- Date: Tue, 28 Sep 2004 12:58:11 +0200
- Delivered-to: racoon-archive@kame.net
- Delivered-to: racoon-outgo@kame.net
- Delivered-to: racoon@kame.net
- Reply-to: racoon@kame.net
- Sender: owner-racoon@kame.net
Hello,
Aidas, thanks a lot for the patch for IPv6 link-local addresses. It works
;)
We're trying to use tunnel over tunnel with IPsec and racoon.
This is the scenario we're trying:
     ================== ESP ==================
     |  ====== ESP =======                   |
     |  |                |                   |
    Host-A           Gateway-A              Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
2001:720:1710:0:202:b3ff:feb8:1857    2002::202:b3ff:fe1c:e65b
We've seen a solution for this scenario in:
http://www.cyberinfo.se/handbook/ipsec.html
This is the solution on the Host-A side:
# setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
    esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
    esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
    esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
    esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
    -m transport
    -E cast128-cbc "12341234"
    -A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
    -E rc5-cbc "kamekame"
    -A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
    -m transport
    -E cast128-cbc "12341234"
    -A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
    -E rc5-cbc "kamekame"
    -A hmac-md5 "this is the test" ;
EOF
But here, they don't use IKE.
We are trying to imitate these rules in our configuration files.
These are the setkey and racoon configuration files in Host-A:
SETKEY.CONF
-----------
spdadd HOSTA/128 HOSTB/128 tcp -P out ipsec esp/tunnel/HOSTA-HOSTB/use esp/tunnel/HOSTA-GATEWAY/require ;
spdadd GATEWAY/128 HOSTA/128 tcp -P in ipsec esp/tunnel/HOSTB-HOSTA/use esp/tunnel/GATEWAY-HOSTA/require ;
spdadd HOSTB/128 HOSTA/128 tcp -P in ipsec esp/tunnel/HOSTB-HOSTA/use esp/tunnel/GATEWAY-HOSTA/require ;
(We added the last one because racoon said that there wasn't an in-bound policy)
RACOON.CONF
-----------
path pre_shared_key "/etc/racoon/psk.txt";
timer
{
    phase1 1min;
    phase2 1min;
}
remote GATEWAY
{
    exchange_mode main;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
remote HOSTB
{
    exchange_mode main;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address HOSTA/128 tcp address HOSTB/128 tcp
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
sainfo address HOSTA/128 tcp address GATEWAY/128 tcp
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
These are the setkey and racoon configuration files in GATEWAY:
SETKEY.CONF
-----------
flush;
spdflush;
spdadd 2002::0/64 HOSTA/128 tcp -P out ipsec esp/tunnel/GATEWAY-HOSTA/require ;
spdadd HOSTA/128 2002::0/64 tcp -P in ipsec esp/tunnel/HOSTA-GATEWAY/require ;
RACOON.CONF
-----------
path pre_shared_key "/etc/racoon/psk.txt" ;
timer
{
    phase1 1 min;
    phase2 1 min;
}
########### ANONYMOUS ############
remote anonymous
{
    exchange_mode main;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate ;
}
These are the setkey and racoon configuration files in Host-B:
SETKEY.CONF
-----------
flush;
spdflush;
spdadd HOSTB/128 HOSTA/128 tcp -P out ipsec esp/tunnel/HOSTB-HOSTA/use ;
spdadd HOSTA/128 HOSTB/128 tcp -P in ipsec esp/tunnel/HOSTA-HOSTB/use ;
RACOON.CONF
-----------
path pre_shared_key "/etc/racoon/psk.txt" ;
timer
{
    phase1 1 min;
    phase2 1 min;
}
remote HOSTA
{
    exchange_mode main;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address HOSTB/128 tcp address HOSTA/128 tcp
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
-------------------------------------------------------------------
-------------------------------------------------------------------
When we try this configuration we get these log messages, but we can't establish any tunnel.
Is racoon ready for establishing tunnel over tunnel?
Could anybody help us?
Thanks.
--
Juan Antonio Martínez Navarro <jamn2@alu.um.es>
<juanantonio@dif.um.es>
Pedro J. Fernández Ruiz <pedroj.fernandez@dif.um.es>
...
2004-09-28 12:12:11: DEBUG: resend phase2 packet a7b2e51824089847:e998959d36b78bf3:0000d2ce
2004-09-28 12:12:11: DEBUG: get pfkey GETSPI message
2004-09-28 12:12:11: ERROR: status mismatch (db:5 msg:3)
2004-09-28 12:12:11: DEBUG: ===
2004-09-28 12:12:11: DEBUG: 68 bytes message received from HOSTB[500] to HOSTA[500]
2004-09-28 12:12:11: DEBUG:
a7b2e518 24089847 e998959d 36b78bf3 08100501 dee72ea7 00000044 14c12171
9c19b4ec 1370c215 386d8a95 1df0b500 ce708a3e 4e33dde7 2c86f3a1 6c571919
95969815
2004-09-28 12:12:11: DEBUG: receive Information.
2004-09-28 12:12:11: DEBUG: compute IV for phase2
2004-09-28 12:12:11: DEBUG: phase1 last IV:
2004-09-28 12:12:11: DEBUG:
a9befa6b 04371907 dee72ea7
2004-09-28 12:12:11: DEBUG: hash(md5)
2004-09-28 12:12:11: DEBUG: encryption(3des)
2004-09-28 12:12:11: DEBUG: phase2 IV computed:
2004-09-28 12:12:11: DEBUG:
cd1d8854 833dbd6b
2004-09-28 12:12:11: DEBUG: begin decryption.
2004-09-28 12:12:11: DEBUG: encryption(3des)
2004-09-28 12:12:11: DEBUG: IV was saved for next processing:
2004-09-28 12:12:11: DEBUG:
6c571919 95969815
2004-09-28 12:12:11: DEBUG: encryption(3des)
2004-09-28 12:12:11: DEBUG: with key:
2004-09-28 12:12:11: DEBUG:
ea6adb74 2a255dbc 7ca4f65d 21369f41 dacde3b5 c681f0a1
2004-09-28 12:12:11: DEBUG: decrypted payload by IV:
2004-09-28 12:12:11: DEBUG:
cd1d8854 833dbd6b
2004-09-28 12:12:11: DEBUG: decrypted payload, but not trimed.
2004-09-28 12:12:11: DEBUG:
0b000014 f9d3c8c5 07c1379b 12d8c919 5fa8c623 0000000c 00000001 0100000e
8196d055 2abfbf07
2004-09-28 12:12:11: DEBUG: padding len=8
2004-09-28 12:12:11: DEBUG: skip to trim padding.
2004-09-28 12:12:11: DEBUG: decrypted.
2004-09-28 12:12:11: DEBUG:
a7b2e518 24089847 e998959d 36b78bf3 08100501 dee72ea7 00000044 0b000014
f9d3c8c5 07c1379b 12d8c919 5fa8c623 0000000c 00000001 0100000e 8196d055
2abfbf07
2004-09-28 12:12:11: DEBUG: HASH with:
2004-09-28 12:12:11: DEBUG:
dee72ea7 0000000c 00000001 0100000e
2004-09-28 12:12:11: DEBUG: hmac(hmac_md5)
2004-09-28 12:12:11: DEBUG: HASH computed:
2004-09-28 12:12:11: DEBUG:
f9d3c8c5 07c1379b 12d8c919 5fa8c623
2004-09-28 12:12:11: DEBUG: hash validated.
2004-09-28 12:12:11: DEBUG: begin.
2004-09-28 12:12:11: DEBUG: seen nptype=8(hash)
2004-09-28 12:12:11: DEBUG: seen nptype=11(notify)
2004-09-28 12:12:11: DEBUG: succeed.
2004-09-28 12:12:11: ERROR: unknown notify message, no phase2 handle found.
2004-09-28 12:12:11: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
.....
2004-09-28 11:58:28: INFO: respond new phase 1 negotiation: HOSTB[500]<=>HOSTA[500]
2004-09-28 11:58:28: INFO: begin Identity Protection mode.
2004-09-28 11:58:29: INFO: ISAKMP-SA established HOSTB[500]-HOSTA[500] spi:4f83ecb0ba0d422a:a3c98e6f61bbdee3
2004-09-28 11:58:31: INFO: respond new phase 2 negotiation: HOSTB[0]<=>HOSTA[0]
2004-09-28 11:58:31: ERROR: not matched
2004-09-28 11:58:31: ERROR: no suitable policy found.
2004-09-28 11:58:31: ERROR: failed to pre-process packet.
2004-09-28 11:58:41: INFO: respond new phase 2 negotiation: HOSTB[0]<=>HOSTA[0]
2004-09-28 11:58:41: ERROR: not matched
2004-09-28 11:58:41: ERROR: no suitable policy found.
2004-09-28 11:58:41: ERROR: failed to pre-process packet.
....
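As an added check, not part of the original post or of racoon itself: a small Python script that parses the three hosts' spdadd lines from the message above and asks whether the peer that has to answer Host-A's phase 2 proposal holds an in policy with the same selectors and the same ordered SA bundle. It assumes, as the "not matched" / "no suitable policy found" errors suggest, that racoon compares the whole proposed bundle against a single SPD entry; that comparison rule is this example's assumption, not a statement from the post.

```python
import re

# SPD lines from the three hosts as posted, with the symbolic names kept.
SPD = {
    "HOSTA": """
spdadd HOSTA/128 HOSTB/128 tcp -P out ipsec esp/tunnel/HOSTA-HOSTB/use esp/tunnel/HOSTA-GATEWAY/require ;
spdadd GATEWAY/128 HOSTA/128 tcp -P in ipsec esp/tunnel/HOSTB-HOSTA/use esp/tunnel/GATEWAY-HOSTA/require ;
spdadd HOSTB/128 HOSTA/128 tcp -P in ipsec esp/tunnel/HOSTB-HOSTA/use esp/tunnel/GATEWAY-HOSTA/require ;
""",
    "GATEWAY": """
spdadd 2002::0/64 HOSTA/128 tcp -P out ipsec esp/tunnel/GATEWAY-HOSTA/require ;
spdadd HOSTA/128 2002::0/64 tcp -P in ipsec esp/tunnel/HOSTA-GATEWAY/require ;
""",
    "HOSTB": """
spdadd HOSTB/128 HOSTA/128 tcp -P out ipsec esp/tunnel/HOSTB-HOSTA/use ;
spdadd HOSTA/128 HOSTB/128 tcp -P in ipsec esp/tunnel/HOSTA-HOSTB/use ;
""",
}

# One SA request: protocol/mode/src-dst/level, e.g. esp/tunnel/HOSTA-GATEWAY/require
SA = re.compile(r"(\w+)/(\w+)/([^/\s]+)-([^/\s]+)/(\w+)$")

def parse_spd(text):
    """Return [(src, dst, proto, direction, bundle)]; bundle = ordered tuple of SA requests."""
    policies = []
    for line in text.strip().splitlines():
        parts = line.rstrip(" ;").split()
        if parts[0] != "spdadd":          # skip flush/spdflush and the like
            continue
        src, dst, proto, direction = parts[1], parts[2], parts[3], parts[5]
        bundle = tuple(SA.match(p).groups() for p in parts[7:])
        policies.append((src, dst, proto, direction, bundle))
    return policies

def peer_in_bundle(out_policy, peer_policies):
    """Peer's in bundle for exactly the same selectors, or None if the peer has no such entry."""
    s, d, pr = out_policy[:3]
    for ps, pd, ppr, pdi, pb in peer_policies:
        if pdi == "in" and (ps, pd, ppr) == (s, d, pr):
            return pb
    return None

def audit():
    spd = {host: parse_spd(text) for host, text in SPD.items()}
    hosta_out = spd["HOSTA"][0]           # HOSTA -> HOSTB: a two-SA bundle
    return {
        # Host-B answers with a one-SA policy, so the bundles differ.
        "hostb_bundle_matches": peer_in_bundle(hosta_out, spd["HOSTB"]) == hosta_out[4],
        # The gateway's selectors are 2002::0/64, not HOSTB/128, so nothing matches at all.
        "gateway_has_selectors": peer_in_bundle(hosta_out, spd["GATEWAY"]) is not None,
    }
```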