
Re: IPsec vs ssh



On 11/11/2013 9:25 PM, John Nemeth wrote:
...
> } Connectivity between the two endpoints exists well enough to support ssh
> } between them.
> } 
> } If it helps, let me rewrite the above like this:
> } 
> } spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec esp/tunnel/203.33.153.28-10.1.1.1/require;
> } spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec esp/tunnel/10.1.1.1-203.33.153.28/require;
> 
>      With a private address as one of the tunnel endpoints, are
> you trying to do NAT-T?  Last I checked, that didn't work, and I
> don't know if it has been fixed (there have been several attempts).
> I'm assuming that you can ping from 10.1.1.1 to 203.33.153.28...

Yes, I'm trying to do NAT-T but I'm using KAME, not FAST_IPSEC.

> } > Also, just encrypting icmp is next to useless.
> } 
> } Encrypting only icmp is perfect for testing until the configuration
> } is correct and properly operationalised.
> 
>      True enough.  Does the tunnel come up and work?  Can you ping
> both directions through the tunnel?

Almost.

I've got a pair of hosts using a full SPD like this:

spdadd 10.1.2.254/24 10.1.3.0/24 any -P out ipsec esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.2.254/32 any -P in ipsec esp/tunnel/203.33.153.28-10.1.2.254/require;

spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec esp/tunnel/10.1.2.254-203.33.153.28/require;

spdadd 10.1.3.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/203.33.153.28[4500]-10.1.2.254[4500]/require;
spdadd 10.1.1.0/24 10.1.3.0/24 any -P out ipsec esp/tunnel/10.1.2.254[4500]-203.33.153.28[4500]/require;

For now, with racoon I'm using both "remote anonymous" and "sainfo anonymous".

It all goes well until this locally:

DEBUG: Either family (2 - 2), types (1 - 0) of ID from initiator differ or matching sainfo has no id_i defined for the peer. Not filling iph2->sa_src and iph2->sa_dst.
DEBUG: get src address from ID payload 10.1.2.254[0] prefixlen=32 ul_proto=255
DEBUG: get dst address from ID payload 10.1.1.0[0] prefixlen=24 ul_proto=255
DEBUG: sub:0xbfbfe288: 10.1.2.254/32[0] 10.1.1.0/24[0] proto=any dir=in
DEBUG: db :0xbb661078: 10.1.2.254/24[0] 10.1.3.0/24[0] proto=any dir=out
DEBUG: sub:0xbfbfe288: 10.1.2.254/32[0] 10.1.1.0/24[0] proto=any dir=in
DEBUG: db: 0xbb661078: 10.1.2.254/24[0] 10.1.3.0/24[0] proto=any dir=out
DEBUG: sub:0xbfbfe288: 10.1.2.254/32[0] 10.1.1.0/24[0] proto=any dir=in
DEBUG: db :0xbb6611a8: 10.1.3.0/24[0] 10.1.2.254/32[0] proto=any dir=in
DEBUG: sub:0xbfbfe288: 10.1.2.254/32[0] 10.1.1.0/24[0] proto=any dir=in
DEBUG: db: 0xbb6611a8: 10.1.3.0/24[0] 10.1.2.254/32[0] proto=any dir=in
DEBUG: 0xbfbfe288 masked with /24: 10.1.2.0[0]
DEBUG: 0xbb6611a8 masked with /24: 10.1.3.0[0]
ERROR: no policy found: 10.1.2.254/32[0] 10.1.1.0/24[0] proto=any dir=in
ERROR: failed to get proposal for responder.
[203.33.153.28] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
DEBUG: IV freed

At which point ping packets go out from the netbsd box at the other end,
get decrypted, received, replied to, reply comes back encrypted and is then
dropped due to a missing SPI.

Darren
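As an added illustration (not code from this thread, and not racoon's own implementation), here is a small Python model of the responder-side SPD lookup that the DEBUG lines above walk through, run over the spdadd entries Darren posted. The matching rule it assumes (proposed selectors must fall inside the policy's src/dst networks, protocol must be equal or `any`, direction must be equal) is a simplification of racoon's lookup, used here only to show why a 10.1.2.254/32 -> 10.1.1.0/24 inbound proposal finds no policy.

```python
# Added example: simplified model of racoon's responder SPD lookup,
# run over the spdadd entries quoted in this mail.
import ipaddress
import re

# Constructed from the SPD listed in the message above (one entry per line).
SPD = """
spdadd 10.1.2.254/24 10.1.3.0/24 any -P out ipsec esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.2.254/32 any -P in ipsec esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/203.33.153.28[4500]-10.1.2.254[4500]/require;
spdadd 10.1.1.0/24 10.1.3.0/24 any -P out ipsec esp/tunnel/10.1.2.254[4500]-203.33.153.28[4500]/require;
"""

SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+);")


def parse_spd(text):
    """Return a list of (src_net, dst_net, proto, direction, policy) tuples."""
    entries = []
    for m in SPDADD.finditer(text):
        src, dst, proto, direction, policy = m.groups()
        # strict=False normalises host/prefix forms such as 10.1.2.254/24 -> 10.1.2.0/24
        entries.append((ipaddress.ip_network(src, strict=False),
                        ipaddress.ip_network(dst, strict=False),
                        proto, direction, policy))
    return entries


def lookup(entries, src, dst, proto, direction):
    """Assumed matching rule: the proposed src/dst (from the phase-2 ID payloads)
    must lie inside the policy's networks, the protocol must be equal or 'any'
    on the policy side, and the direction must be equal. Returns the policy
    string of the first match, or None (racoon's "no policy found")."""
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    for p_src, p_dst, p_proto, p_dir, policy in entries:
        if p_dir != direction or p_proto not in ("any", proto):
            continue
        if src_net.subnet_of(p_src) and dst_net.subnet_of(p_dst):
            return policy
    return None


if __name__ == "__main__":
    spd = parse_spd(SPD)
    # The selectors taken from the DEBUG "get src/dst address from ID payload" lines.
    print(lookup(spd, "10.1.2.254/32", "10.1.1.0/24", "any", "in"))   # None
    print(lookup(spd, "10.1.3.0/24", "10.1.2.254/32", "any", "in"))   # matches
```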
