Subject: IPSec w. IPv4 Weirdness
To: None <itojun@iijlab.net, mtbell@mb1.micropede.com, tech-net@netbsd.org>
From: Alex Barclay <alex@tfo-consulting.com>
List: tech-net
Date: 01/01/2001 18:39:35
So I was packing up the files for Matt. I decided to try to work out the
correct starting order and I got back to the original problem that is
plaguing us both.

Basic setup is


Office Net ------ Cisco 2600--------------Netbsd--------Windoze
10.2.0.0/24  10.2.2.36,63.93.241.3  24.5.71.86,10.3.3.3      10.3.3.32

I first run isakmpd and I can now ping and telnet from 10.3.3.3 to all
machines on 10.2.0.0. I now terminate isakmpd and I can still ping in the
same manner. No SA will have expired yet.

Now if I try to ping from 10.3.3.32 to 10.2.0.0 then the original ping
stops. I just noticed something even weirder here... The ping restarts
some time later:
64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
64 bytes from 10.2.16.2: icmp_seq=391 ttl=254 time=292.307 ms
64 bytes from 10.2.16.2: icmp_seq=393 ttl=254 time=240.245 ms

Any timers at 340 seconds?

Output from setkey stuff reads....
wibble# setkey -D
24.5.71.86 63.93.241.3 
        esp mode=any spi=405212012(0x18270b6c) reqid=0(0x00000000)
        E: des-cbc key here
        A: hmac-md5  key here
        replay=16 flags=0x00000000 state=mature seq=1 pid=6653
        created: Jan  1 18:21:16 2001   current: Jan  1 18:22:27 2001
        diff: 71(s)     hard: 1200(s)   soft: 1080(s)
        last: Jan  1 18:22:26 2001      hard: 0(s)      soft: 0(s)
        current: 10872(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 80   hard: 0 soft: 0
        refcnt=2
63.93.241.3 24.5.71.86 
        esp mode=any spi=1373785933(0x51e24f4d) reqid=0(0x00000000)
        E: des-cbc  key here
        A: hmac-md5  key here
        replay=16 flags=0x00000000 state=mature seq=0 pid=6653
        created: Jan  1 18:21:16 2001   current: Jan  1 18:22:27 2001
        diff: 71(s)     hard: 1200(s)   soft: 1080(s)
        last: Jan  1 18:21:35 2001      hard: 0(s)      soft: 0(s)
        current: 45088(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 525  hard: 0 soft: 0
        refcnt=2
wibble# setkey -DP
10.3.3.0/24[any] 10.2.0.0/16[any] any
        out ipsec
        esp/tunnel/24.5.71.86-63.93.241.3/require
        spid=23 seq=3 pid=6654
        refcnt=1
63.93.241.3[any] 10.3.3.0/24[any] any
        out ipsec
        esp/tunnel/63.93.241.3-24.5.71.86/require
        spid=24 seq=2 pid=6654
        refcnt=1
63.93.241.3[any] 24.5.71.86[any] any
        out ipsec
        esp/tunnel/63.93.241.3-24.5.71.86/require
        spid=25 seq=1 pid=6654
        refcnt=1
10.2.0.0/16[any] 10.3.3.0/24[any] any
        out ipsec
        esp/tunnel/63.93.241.3-24.5.71.86/require
        spid=26 seq=0 pid=6654
        refcnt=1
I'm not sure what the SPD entries for 63.93.241.3 and 24.5.71.86 are
about. I don't see a need for a tunnel between the two. Could this be
causing the problem?

During the time when no ping occurs I can capture a packet trace with the
correct incoming and outgoing spi values.

Any ideas?

I think it may be something to do with the effect of receiving a packet
going to a different host on the netbsd side.

I'm going to continue attempting to get racoon working instead of isakmpd
as it may be a better fit with netbsd.

Alex.
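To check the "340 second" hunch against the SA lifetimes in the dump, here is a small added example (Python, not from the post or from the NetBSD tools): it parses the `setkey -D` SA entries into remaining soft/hard lifetime and measures the longest icmp_seq gap in the ping output. The sample input is a constructed copy of the figures quoted above; the one-second ping interval is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the `setkey -D` output quoted in the post.
SETKEY_D = """\
24.5.71.86 63.93.241.3
        esp mode=any spi=405212012(0x18270b6c) reqid=0(0x00000000)
        replay=16 flags=0x00000000 state=mature seq=1 pid=6653
        diff: 71(s)     hard: 1200(s)   soft: 1080(s)
63.93.241.3 24.5.71.86
        esp mode=any spi=1373785933(0x51e24f4d) reqid=0(0x00000000)
        replay=16 flags=0x00000000 state=mature seq=0 pid=6653
        diff: 71(s)     hard: 1200(s)   soft: 1080(s)
"""

# Constructed sample: the icmp_seq values from the ping excerpt in the post.
PING_LINES = ["64 bytes from 10.2.16.2: icmp_seq=%d ttl=254 time=200.0 ms" % s
              for s in (47, 48, 49, 387, 389, 391, 393)]

SA_HEAD = re.compile(r"^(\S+) (\S+)\s*$")          # unindented "src dst" line
SPI = re.compile(r"spi=(\d+)")
STATE = re.compile(r"state=(\w+)")
LIFE = re.compile(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")
ICMP = re.compile(r"icmp_seq=(\d+)")

def parse_sas(text):
    """One dict per SA: endpoints, SPI, state and seconds left before the
    soft and hard lifetimes fire (lifetime minus the reported 'diff')."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := SA_HEAD.match(line)):
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is not None:
            if (m := SPI.search(line)):
                cur["spi"] = int(m.group(1))
            if (m := STATE.search(line)):
                cur["state"] = m.group(1)
            if (m := LIFE.search(line)):
                diff, hard, soft = map(int, m.groups())
                cur["soft_left"] = soft - diff
                cur["hard_left"] = hard - diff
    return sas

def icmp_outage_seconds(lines, interval=1.0):
    """Longest run of missing icmp_seq numbers, converted to seconds.
    Assumes ping's default one-probe-per-second interval (an assumption)."""
    seqs = [int(m.group(1)) for l in lines if (m := ICMP.search(l))]
    gaps = [b - a - 1 for a, b in zip(seqs, seqs[1:])]
    return max(gaps, default=0) * interval
```

With the posted figures the longest gap is 337 probes while both SAs still had 1009 s to soft expiry, so the outage does not line up with an SA lifetime timer.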