Subject: IPSec w. IPv4 Weirdness
To: None <itojun@iijlab.net, mtbell@mb1.micropede.com, tech-net@netbsd.org>
From: Alex Barclay <alex@tfo-consulting.com>
List: tech-net
Date: 01/01/2001 18:39:35
So I was packing up the files for Matt. I decided to try to work out the
correct starting order and I got back to the original problem that is
plaguing us both.
Basic setup is:

Office Net ------ Cisco 2600 ------------------ Netbsd -------------- Windoze
10.2.0.0/24       10.2.2.36,63.93.241.3         24.5.71.86,10.3.3.3   10.3.3.32
I first run isakmpd and I can now ping and telnet from 10.3.3.3 to all
machines on 10.2.0.0. I now terminate isakmpd and I can still ping in the
same manner. No SA will have expired yet.
Now if I try to ping from 10.3.3.32 to 10.2.0.0 then the original ping
stops. I just noticed something even weirder here... The ping restarts
some time later:
64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
64 bytes from 10.2.16.2: icmp_seq=391 ttl=254 time=292.307 ms
64 bytes from 10.2.16.2: icmp_seq=393 ttl=254 time=240.245 ms
Any timers at 340 seconds?
Output from setkey stuff reads:
wibble# setkey -D
24.5.71.86 63.93.241.3
esp mode=any spi=405212012(0x18270b6c) reqid=0(0x00000000)
E: des-cbc key here
A: hmac-md5 key here
replay=16 flags=0x00000000 state=mature seq=1 pid=6653
created: Jan 1 18:21:16 2001 current: Jan 1 18:22:27 2001
diff: 71(s) hard: 1200(s) soft: 1080(s)
last: Jan 1 18:22:26 2001 hard: 0(s) soft: 0(s)
current: 10872(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 80 hard: 0 soft: 0
refcnt=2
63.93.241.3 24.5.71.86
esp mode=any spi=1373785933(0x51e24f4d) reqid=0(0x00000000)
E: des-cbc key here
A: hmac-md5 key here
replay=16 flags=0x00000000 state=mature seq=0 pid=6653
created: Jan 1 18:21:16 2001 current: Jan 1 18:22:27 2001
diff: 71(s) hard: 1200(s) soft: 1080(s)
last: Jan 1 18:21:35 2001 hard: 0(s) soft: 0(s)
current: 45088(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 525 hard: 0 soft: 0
refcnt=2
wibble# setkey -DP
10.3.3.0/24[any] 10.2.0.0/16[any] any
out ipsec
esp/tunnel/24.5.71.86-63.93.241.3/require
spid=23 seq=3 pid=6654
refcnt=1
63.93.241.3[any] 10.3.3.0/24[any] any
out ipsec
esp/tunnel/63.93.241.3-24.5.71.86/require
spid=24 seq=2 pid=6654
refcnt=1
63.93.241.3[any] 24.5.71.86[any] any
out ipsec
esp/tunnel/63.93.241.3-24.5.71.86/require
spid=25 seq=1 pid=6654
refcnt=1
10.2.0.0/16[any] 10.3.3.0/24[any] any
out ipsec
esp/tunnel/63.93.241.3-24.5.71.86/require
spid=26 seq=0 pid=6654
refcnt=1
I'm not sure what the SPD entries for 63.93.241.3 and 24.5.71.86 are
about. I don't see a need for a tunnel between the two. Could this be
causing the problem?
During the time when no ping occurs I can capture a packet trace with the
correct incoming and outgoing spi values.
Any ideas?
I think it may be something to do with the effect of receiving a packet
going to a different host on the netbsd side.
I'm going to continue attempting to get racoon working instead of isakmpd
as it may be a better fit with netbsd.
Alex.
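As an added example (not code from the original post or from NetBSD/KAME), the following Python script does offline the two checks the post reasons about by hand: it measures the outage from the icmp_seq jump in the ping output and compares it against the soft/hard lifetimes parsed from the setkey -D dump, and it parses the setkey -DP dump to pick out the SPD entries whose selectors are exactly the two gateway addresses (the ones the poster is unsure about). The sample text is copied from the post and trimmed; the 1 s ping interval is an assumption (ping's default), as is the 30 s tolerance used when comparing the gap with a lifetime.

```python
"""Offline diagnostic for the ping gap and SPD entries shown in the post.
Added example, not the poster's or NetBSD's code; the sample dumps below
are copied from the post and trimmed, and nothing here talks to the kernel."""
import re

PING = """\
64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
"""

SAD = """\
24.5.71.86 63.93.241.3
    diff: 71(s) hard: 1200(s) soft: 1080(s)
63.93.241.3 24.5.71.86
    diff: 71(s) hard: 1200(s) soft: 1080(s)
"""

SPD = """\
10.3.3.0/24[any] 10.2.0.0/16[any] any
    out ipsec
    esp/tunnel/24.5.71.86-63.93.241.3/require
63.93.241.3[any] 10.3.3.0/24[any] any
    out ipsec
    esp/tunnel/63.93.241.3-24.5.71.86/require
63.93.241.3[any] 24.5.71.86[any] any
    out ipsec
    esp/tunnel/63.93.241.3-24.5.71.86/require
10.2.0.0/16[any] 10.3.3.0/24[any] any
    out ipsec
    esp/tunnel/63.93.241.3-24.5.71.86/require
"""


def ping_gaps(text, interval=1.0):
    """(last_seq_before, first_seq_after, elapsed_seconds) for every jump in
    icmp_seq larger than one.  ping sends one request per `interval`
    seconds (assumed 1 s), so elapsed time = sequence jump * interval."""
    seqs = [int(s) for s in re.findall(r"icmp_seq=(\d+)", text)]
    return [(a, b, (b - a) * interval) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def sa_lifetimes(text):
    """Parse `setkey -D` output into {(src, dst): {diff, hard, soft}} seconds.
    An unindented "src dst" line opens an SA; only its "diff:" line is read
    (the later "last:" line also prints hard/soft and is skipped)."""
    sas, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$", line)
        if m:
            key = m.groups()
            continue
        m = re.match(r"^diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)", line)
        if m and key:
            sas[key] = dict(zip(("diff", "hard", "soft"), map(int, m.groups())))
    return sas


def explains_gap(gap_seconds, sas, slack=30):
    """True if the outage is within `slack` seconds of some SA's soft or hard
    lifetime, i.e. SA expiry would be a plausible cause."""
    return any(abs(gap_seconds - life[k]) <= slack
               for life in sas.values() for k in ("soft", "hard"))


def spd_entries(text):
    """Parse `setkey -DP` output into dicts: selector (src, dst), the
    direction/action line, and the tunnel endpoints (tsrc, tdst)."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            continue
        m = re.match(r"^(in|out|fwd) (\S+)$", line)
        if m and cur is not None:
            cur["dir"], cur["action"] = m.groups()
            continue
        m = re.match(r"^(\w+)/tunnel/(\S+)-(\S+)/(\S+)$", line)
        if m and cur is not None:
            cur.update(proto=m.group(1), tsrc=m.group(2), tdst=m.group(3), level=m.group(4))
            entries.append(cur)
            cur = None
    return entries


def endpoint_only_policies(entries):
    """SPD entries whose selectors are exactly the two tunnel endpoints: they
    govern gateway-to-gateway traffic, not the networks behind the gateways."""
    return [e for e in entries if {e["src"], e["dst"]} == {e["tsrc"], e["tdst"]}]


if __name__ == "__main__":
    sas = sa_lifetimes(SAD)
    for a, b, secs in ping_gaps(PING):
        verdict = "matches" if explains_gap(secs, sas) else "does not match"
        print(f"seq {a} -> {b}: ~{secs:.0f} s gap, {verdict} an SA lifetime")
    for e in endpoint_only_policies(spd_entries(SPD)):
        print(f"gateway-only policy: {e['src']} -> {e['dst']} ({e['dir']} {e['proto']})")
```

Run as-is it reports the 49 to 387 jump as roughly 338 s, which is nowhere near the 1080 s soft or 1200 s hard lifetimes in the dump, and it lists the single 63.93.241.3 to 24.5.71.86 policy as the one that covers only the gateways themselves. Feeding it fresh `setkey -D` / `setkey -DP` output gives the same two answers for the live tables.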