Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Problem on IPSec
Operating Systems BSD Problem on IPSec Post 302537632 by aulia on Friday 8th of July 2011 08:31:07 PM
Old 07-08-2011
Problem on IPSec
Hi, this is my first post...Smilie


Hello Admin Smilie

Can I have an ask for something with my configuration ?

I have finished some kind of the tutorial to build ipsec site to site, and the "step" has finished completely.
I have a simulation with a local design topology with two PC's (FreeBSD 7.0) and the replace for public network (internet media) with a single switch device in the middle, it's look like this :


(PC-A)
Local Network A : 192.168.0.1/24
Network (Gateway) A : 202.10.10.1/24
SWITCH
(PC-B)
Network (Gateway) B : 202.10.10.2/24
Local Network B : 172.168.0.1/24


I got connect all this host by used a static routing, at first the communication between two site is completely connect eg. (Ping to Local Network B to Local Network A).
but when I've finished config the tunnel (GIF interface), started the racoon and ipsec daemon with those all configuration, I can't any longer ping the outside local network (Request Time out).

and sure there's no ESP protokol packet in the output of tcpdump on the traffic, I've tried Racoon-F command too, but the output is stack and look's not running.
Please, any suggest from this problem Smilie

I'm really appreciated with the respons, Thank's in advance Smilie
Aulia.
 

9 More Discussions You Might Find Interesting

1. Solaris

Solaris 10 IPSec peformance

Hi, does anyone have an experience how many IPSec tunnels Solaris 10 is able manage. A rough estimation would be great. I know it's hardly dependent on the hardware used, so if anyone says on a 490 with 2 CPUs and 4GB RAM a maximum of 1000 IPSec tunnels is possible, that would be great. I... (1 Reply)
Discussion started by: blombo
1 Replies

2. Cybersecurity

Problem while establishing ISAKMP in ipsec

Hi, I am facing problem while setting up ISAKMP between two hosts. I can see only the Initiator messages but no responder messages in tcpdump. Does anyone know the cause of this behaviour? FYI, here is the extracted information from tcpdump : 14:47:08.699113 IP 10.118.231.143.isakmp >... (0 Replies)
Discussion started by: universalTechie
0 Replies

3. IP Networking

IPSec VPN Routing

Hello, I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue. ... (0 Replies)
Discussion started by: salukibob
0 Replies

4. Red Hat

ipsec policy not working

Hi, I am trying to set a policy between 2 machines for all the ports except for 22 i.e. for tcp - basically I want to bypass ssh. But my policy doesn't seem to work. Here are the entries spdadd 1.2.3.4 4.3.2.1 any -P out prio 100 ipsec esp/transport//require ah/transport//require; spdadd... (0 Replies)
Discussion started by: ahamed101
0 Replies

5. UNIX for Advanced & Expert Users

Ipsec implementation

How can i implement Ipsec between two machines in linux_ ubuntu? any link?? suggestion?? (0 Replies)
Discussion started by: elinaz
0 Replies

6. Cybersecurity

IPSEC

hello, after configuration ipsec in ip4 I can not ping between client and server whereas I had success ping before configuration! I also generate different key for AH and ESP as i have shown below. what is my problem and what should i do to have ping and test the configuration? code: ... (0 Replies)
Discussion started by: elinaz
0 Replies

7. AIX

Allow port range using IPsec?

Hi Guys, Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port? I'm sure it must be possible but I am unable to find the syntax. Thanks Chris (4 Replies)
Discussion started by: chrisstevens
4 Replies

8. IP Networking

VPN IPSec Openswan

Hi all, I have installed Openswan and configured IPSec and works perfect, but for some unknown reasons it stop working. I see that the tunnels are up and established. The route to the destination are added. Everything by the book seems to be ok. But somehow when i start to ping the other side (... (4 Replies)
Discussion started by: ivancd
4 Replies

9. Solaris

What's wrong with my ipsec configuration?

I want a lan encrypted with ipsec. This is my /etc/inet/ike/config p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes } p2_pfs 2 this is my /etc/inet/secret/ike.preshared # ike.preshared on hostA, 192.168.0.21 #... { localidtype IP localid... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies

LEARN ABOUT DEBIAN

ipsec_eroute

IPSEC_EROUTE(5) 						  [FIXME: manual]						   IPSEC_EROUTE(5)

NAME

       ipsec_eroute - list of existing eroutes

SYNOPSIS

       ipsec eroute
	     cat/proc/net/ipsec_eroute

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is not supported on any other stack and will be completely removed in
       future versions. On the mast stack, use ipsec policy, on the netkey stack, use ip xfrm

DESCRIPTION

       /proc/net/ipsec_eroute lists the IPSEC extended routing tables, which control what (if any) processing is applied to non-encrypted packets
       arriving for IPSEC processing and forwarding. At this point it is a read-only file.

       A table entry consists of:

       +
	   packet count,

       +
	   source address with mask and source port (0 if all ports or not applicable)

       +
	   a '->' separator for visual and automated parsing between src and dst

       +
	   destination address with mask and destination port (0 if all ports or not applicable)

       +
	   a '=>' separator for visual and automated parsing between selection criteria and SAID to use

       +
	   SAID (Security Association IDentifier), comprised of:

       +
	   protocol (proto),

       +
	   address family (af), where '.' stands for IPv4 and ':' for IPv6

       +
	   Security Parameters Index (SPI),

       +
	   effective destination (edst), where the packet should be forwarded after processing (normally the other security gateway) together
	   indicate which Security Association should be used to process the packet,

       +
	   a ':' separating the SAID from the transport protocol (0 if all protocols)

       +
	   source identity text string with no whitespace, in parens,

       +
	   destination identity text string with no whitespace, in parens

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs which have special meaning:

       +
	   %drop means that matches are to be dropped

       +
	   %reject means that matches are to be dropped and an ICMP returned, if possible to inform

       +
	   %trap means that matches are to trigger an ACQUIRE message to the Key Management daemon(s) and a hold eroute will be put in place to
	   prevent subsequent packets also triggering ACQUIRE messages.

       +
	   %hold means that matches are to stored until the eroute is replaced or until that eroute gets reaped

       +
	   %pass means that matches are to allowed to pass without IPSEC processing

EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0

	() ()

       means that 1,867 packets have been sent to an eroute that has been set up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1 on the other end of the tunnel with a Security Association
       IDentifier of tun0x130@192.168.43.1 which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a Security Parameters Index of
       130 in hexadecimal with no identies defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6

	() ()

       means that 746 packets have been sent to an eroute that has been set up to protect traffic sent from any port on the host 192.168.2.110 to
       the SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security Association IDentifier of tun0x130@192.168.2.120 which means that it
       is a transport mode connection with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an eroute that has been set up to protect traffic between the subnet 3049:1:: with a subnet mask
       of 64 bits and the default address/mask represented by an address of 0:0 with a subnet mask of 0 bits using the local machine as a security
       gateway on this end of the tunnel and the machine 3058:4::5 on the other end of the tunnel with a Security Association IDentifier of
       tun:130@3058:4::5 which means that it is a tunnel mode connection with a Security Parameters Index of 130 in hexadecimal with no identies
       defined for either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an eroute that has been set up to pass the traffic from the subnet 192.168.6.0 with a subnet mask
       of 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without any IPSEC processing with no identies defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an eroute that has been set up to hold the traffic from the host 192.168.8.55 and to host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds and puts in an SA or fails and puts in a pass or drop eroute
       depending on the default configuration with the local client defined as "east" and no identy defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>

	esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an eroute that has been set up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end of the connection and the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of esp0xe6de@192.168.2.120 which means that it is a transport mode connection with a
       Security Parameters Index of e6de in hexadecimal using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no identies defined
       for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 =>

	ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an eroute that has been set up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120 using 3049:1::110 as a security gateway on this end of the connection and the machine 3049:1::120 on the other end of the
       connection with a Security Association IDentifier of ah:f5ed@3049:1::120 which means that it is a transport mode connection with a Security
       Parameters Index of f5ed in hexadecimal using Authentication Header protocol (51, IPPROTO_AH) with no identies defined for either end.

FILES

       /proc/net/ipsec_eroute, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
       ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

[FIXME: source] 						    10/06/2010							   IPSEC_EROUTE(5)
All times are GMT -4. The time now is 09:12 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy