tech-net archive


Re: IPsec vs ssh



On 13/11/2013 6:25 AM, Greg Troxel wrote:
> 
> Darren Reed <darrenr%netbsd.org@localhost> writes:
> 
>> On 12/11/2013 12:40 PM, John Nemeth wrote:
> 
>>>     A tunnel is basically encapsulation of any sort.  So, when you
>>> encapsulate any of kind of packet with an IPSec (ESP) wrapper, you
>>> have essentially created a tunnel.
> 
> If you use tunnel mode, yes.  One can also use transport mode, where
> IP:TCP is replaced by IP:ESP[TCP] (note that there is no outer header and
> the original header is not inside the ESP payload).  But in the modern
> world, that's odd.
> 
>> Ah, ok, then yes, the tunnel is created by the SPD in ipsec.conf.
>> I wasn't sure if you were referring to a gif, etc, style of tunnel.
> 
> Exactly; it's internal to the IPsec implementation.
> 
>> FWIW, I get 3 out of 4 "IPsec-SA established" messages. Unfortunately
>> unless you get all four, it does not work.
> 
> That's a huge clue. I would turn up racoon debugging.

I have and it isn't really helping.

I'm starting to suspect there is a bug in racoon and that I'm going
to have to go digging. Something appears to go wrong when it adds
the second SA.

e.g. racoon logs for just messages with "pfkey" in them:

Remote host:
/tmp/rac.log.0:DEBUG: call pfkey_send_register for AH
/tmp/rac.log.0:DEBUG: call pfkey_send_register for ESP
/tmp/rac.log.0:DEBUG: call pfkey_send_register for IPCOMP
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: get pfkey X_SPDDUMP message
/tmp/rac.log.0:DEBUG: call pfkey_send_dump
/tmp/rac.log.0:DEBUG: call pfkey_send_getspi
/tmp/rac.log.0:DEBUG: pfkey GETSPI sent: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500]
/tmp/rac.log.0:DEBUG: pfkey getspi sent.
/tmp/rac.log.0:DEBUG: get pfkey GETSPI message
/tmp/rac.log.0:DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500] spi=225908429(0xd7716cd)
/tmp/rac.log.0:DEBUG: call pfkey_send_update2
/tmp/rac.log.0:DEBUG: pfkey update sent.
/tmp/rac.log.0:DEBUG: call pfkey_send_add2 (NAT flavor)
/tmp/rac.log.0:DEBUG: call pfkey_send_add2
/tmp/rac.log.0:DEBUG: pfkey add sent.
/tmp/rac.log.0:DEBUG: get pfkey UPDATE message
/tmp/rac.log.0:DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500] spi=225908429(0xd7716cd)
/tmp/rac.log.0:DEBUG: get pfkey ADD message
/tmp/rac.log.0:DEBUG: get pfkey FLUSH message
/tmp/rac.log.0:DEBUG: call pfkey_send_dump

Local host:
/tmp/rac.log.2:DEBUG: call pfkey_send_register for AH
/tmp/rac.log.2:DEBUG: call pfkey_send_register for ESP
/tmp/rac.log.2:DEBUG: call pfkey_send_register for IPCOMP
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey X_SPDDUMP message
/tmp/rac.log.2:DEBUG: got pfkey ACQUIRE message
/tmp/rac.log.2:DEBUG: call pfkey_send_dump
/tmp/rac.log.2:DEBUG: call pfkey_send_getspi
/tmp/rac.log.2:DEBUG: pfkey GETSPI sent: ESP/Tunnel 141.161.4.77[4500]->10.1.3.254[4500]
/tmp/rac.log.2:DEBUG: pfkey getspi sent.
/tmp/rac.log.2:DEBUG: got pfkey GETSPI message
/tmp/rac.log.2:DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 141.161.4.77[500]->10.1.3.254[500] spi=70491361(0x4339ce1)
/tmp/rac.log.2:DEBUG: call pfkey_send_update2
/tmp/rac.log.2:DEBUG: pfkey update sent.
/tmp/rac.log.2:DEBUG: call pfkey_send_add2 (NAT flavor)
/tmp/rac.log.2:DEBUG: call pfkey_send_add2
/tmp/rac.log.2:DEBUG: pfkey add sent.
/tmp/rac.log.2:DEBUG: got pfkey UPDATE message
/tmp/rac.log.2:ERROR: pfkey UPDATE failed: No such file or directory
/tmp/rac.log.2:DEBUG: got pfkey ADD message

I suspect that there is either something wrong with the PF_KEY
message generated for "pfkey add sent." or the following update
message. The two versions of racoon are not the same - one is
the "rewrite" (doesn't work) and one is an older version (works).

Darren
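An added example, not part of the thread and not racoon's own code: a small Python check that walks the pfkey debug lines quoted above and reports the two things visible in them, a GETSPI reply whose endpoints differ from what racoon requested (the local host asks for [4500] and the kernel answers with [500]) and any pfkey message that failed, with its errno text. The sample logs are the thread's own lines, rejoined where the mail client wrapped them; the regexes are an assumption about the debug line format, not a racoon API.

```python
import re

# Constructed samples: the pfkey-only racoon debug lines quoted in the thread,
# with the e-mail-wrapped "GETSPI sent/succeeded" lines rejoined onto one line.
REMOTE_LOG = """\
/tmp/rac.log.0:DEBUG: pfkey GETSPI sent: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500]
/tmp/rac.log.0:DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500] spi=225908429(0xd7716cd)
/tmp/rac.log.0:DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 128.250.34.26[4500]->10.1.3.254[4500] spi=225908429(0xd7716cd)
/tmp/rac.log.0:DEBUG: get pfkey ADD message
"""
LOCAL_LOG = """\
/tmp/rac.log.2:DEBUG: pfkey GETSPI sent: ESP/Tunnel 141.161.4.77[4500]->10.1.3.254[4500]
/tmp/rac.log.2:DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 141.161.4.77[500]->10.1.3.254[500] spi=70491361(0x4339ce1)
/tmp/rac.log.2:DEBUG: pfkey update sent.
/tmp/rac.log.2:DEBUG: pfkey add sent.
/tmp/rac.log.2:ERROR: pfkey UPDATE failed: No such file or directory
/tmp/rac.log.2:DEBUG: got pfkey ADD message
"""

# Assumed line shape: "pfkey GETSPI sent|succeeded: <proto>/<mode> src[port]->dst[port] [spi=...]"
SA_RE = re.compile(r"pfkey GETSPI (sent|succeeded): (\S+) ([\d.]+)\[(\d+)\]->([\d.]+)\[(\d+)\]")
# Assumed line shape: "pfkey <msg> failed: <strerror text>"
FAIL_RE = re.compile(r"pfkey (GETSPI|UPDATE|ADD) failed: (.*)")

def audit_pfkey_log(text):
    """Return a list of findings: GETSPI replies whose proto/addresses/ports
    differ from the request racoon sent, and any pfkey message that failed."""
    findings, requested = [], None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            kind, endpoints = m.group(1), m.groups()[1:]
            if kind == "sent":
                requested = endpoints          # what racoon asked the kernel for
            elif requested and endpoints != requested:
                findings.append("GETSPI endpoint mismatch: asked %s %s[%s]->%s[%s], got %s %s[%s]->%s[%s]"
                                % (requested + endpoints))
            continue
        m = FAIL_RE.search(line)
        if m:
            findings.append("%s failed: %s" % m.groups())
    return findings

if __name__ == "__main__":
    for name, log in (("remote", REMOTE_LOG), ("local", LOCAL_LOG)):
        print(name, audit_pfkey_log(log) or ["no pfkey problems found"])
```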


