Visit The New, Modern Unix Linux Community


What's wrong with my ipsec configuration?


 
Thread Tools Search this Thread
Operating Systems Solaris What's wrong with my ipsec configuration?
# 1  
What's wrong with my ipsec configuration?

I want a lan encrypted with ipsec.
This is my /etc/inet/ike/config


Code:
p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
p2_pfs 2


this is my /etc/inet/secret/ike.preshared


Code:
# ike.preshared on hostA, 192.168.0.21
#...
{ localidtype IP
    localid 192.168.0.21
    remoteidtype IP
    remoteid 192.168.0.119
    key *****...

}


this is my /etc/inet/ipsecinit.conf



Code:
# LAN traffic to and from this host can bypass IPsec.
{laddr 192.168.0.21 dir both} bypass {}

# Lan encrypted
{laddr 10.4.0.0/24 dir both} apply {auth_algs sha256 encr_algs aes sa shared}


Services are actives


Code:
for i in ike ipsec/policy;do svcadm refresh $i; done
svcs -a|grep ipse
disabled       22:12:33 svc:/network/ipsec/manual-key:default
online         22:12:56 svc:/network/ipsec/ipsecalgs:default
online         22:50:34 svc:/network/ipsec/ike:default
online         22:50:34 svc:/network/ipsec/policy:default


Interface is active
Code:
ifconfig  e1000g1
e1000g1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 10.4.0.1 netmask ffffff00 broadcast 10.4.0.255
        ether SE:CR:ET


But nothing work, no ping,no telnet,nothing.


dmesg said


Code:
[ID 726330 kern.error] ipsec_check_global_policy: Dropping inbound secure datagram because it does not match the policy; Source 010.004.000.001, Destination 010.004.000.001.

# 2  
Solution found, a lot of errors


First the file

/etc/inet/ike.preshared

must be like this,the ip
to use must be the ip of the tunnel not the ip
of "main" interface.

Code:
    # ike.preshared on hostA
    #...
    { localidtype IP
        localid 10.4.0.1
        remoteidtype IP
        remoteid 10.4.0.2
        key keyinhexformat
        # The preshared key can also be represented in hex
    # as in 0xf47cb0f432e14480951095f82b
    # key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
    }

To generate the key in hex I use this command

Code:
    echo "mypassword" | od -t x1|head -1|tr -d ' '

The file /etc/inet/ike/config must be similar to this,even in this case use the ip of tunnel,not ip of main interface.

Code:
 p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
    p2_pfs 2
    { label "test1-test2" local_addr 10.4.0.1 remote_addr 10.4.0.2 p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes } p2_pfs 5 }

Of course in hostB must be reverse 10.4.0.1 with 10.4.0.2
for both files.

Finally I edit the file /etc/inet/ipsecinit.conf


Code:
    {laddr 192.168.0.21 dir both} bypass {}
    {laddr 10.4.0.1 raddr 10.4.0.2} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}

Of course in hostB must be reverse 10.4.0.1 with 10.4.0.2
and 192.168.0.21 must be changed with host main ip of hostB

Now run the script on hostA

Code:
 ifconfig ip.tun0 unplumb
    ifconfig ip.tun0 plumb
    ifconfig ip.tun0 10.4.0.1  10.4.0.2 netmask 255.255.255.0 tsrc 192.168.0.21 tdst 192.168.0.199 router up
    for i in ike ipsec/policy;do svcadm refresh $i; done

Now run the script on hostB

Code:
    ifconfig ip.tun0 unplumb
        ifconfig ip.tun0 plumb
        ifconfig ip.tun0 10.4.0.2  10.4.0.1 netmask 255.255.255.0 tsrc 192.168.0.199 tdst 192.168.0.21 router up
        for i in ike ipsec/policy;do svcadm refresh $i; done

And all works,tested with ping and snoop.

Last edited by Linusolaradm1; 02-18-2019 at 08:42 PM..
This User Gave Thanks to Linusolaradm1 For This Post:

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #244
Difficulty: Medium
Networking research in the early 1970s by Robert E. Kahn and Vint Cerf let to the formulation of the Transmission Control Program (TCP), and its specification in December 1974 in RFC 699.
True or False?

10 More Discussions You Might Find Interesting

1. IP Networking

VPN IPSec Openswan

Hi all, I have installed Openswan and configured IPSec and works perfect, but for some unknown reasons it stop working. I see that the tunnels are up and established. The route to the destination are added. Everything by the book seems to be ok. But somehow when i start to ping the other side (... (4 Replies)
Discussion started by: ivancd
4 Replies

2. Shell Programming and Scripting

Why result is wrong here ? whether break statement is wrong ?

Hi ! all I am just trying to check range in my datafile pls tell me why its resulting wrong admin@IEEE:~/Desktop$ cat test.txt 0 28.4 5 28.4 10 28.4 15 28.5 20 28.5 25 28.6 30 28.6 35 28.7 40 28.7 45 28.7 50 28.8 55 28.8 60 28.8 65 28.1... (2 Replies)
Discussion started by: Akshay Hegde
2 Replies

3. AIX

Allow port range using IPsec?

Hi Guys, Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port? I'm sure it must be possible but I am unable to find the syntax. Thanks Chris (4 Replies)
Discussion started by: chrisstevens
4 Replies

4. Cybersecurity

IPSEC

hello, after configuration ipsec in ip4 I can not ping between client and server whereas I had success ping before configuration! I also generate different key for AH and ESP as i have shown below. what is my problem and what should i do to have ping and test the configuration? code: ... (0 Replies)
Discussion started by: elinaz
0 Replies

5. UNIX for Advanced & Expert Users

Ipsec implementation

How can i implement Ipsec between two machines in linux_ ubuntu? any link?? suggestion?? (0 Replies)
Discussion started by: elinaz
0 Replies

6. BSD

Problem on IPSec

Hi, this is my first post...:p Hello Admin :) Can I have an ask for something with my configuration ? I have finished some kind of the tutorial to build ipsec site to site, and the "step" has finished completely. I have a simulation with a local design topology with two PC's (FreeBSD ... (0 Replies)
Discussion started by: aulia
0 Replies

7. Red Hat

ipsec policy not working

Hi, I am trying to set a policy between 2 machines for all the ports except for 22 i.e. for tcp - basically I want to bypass ssh. But my policy doesn't seem to work. Here are the entries spdadd 1.2.3.4 4.3.2.1 any -P out prio 100 ipsec esp/transport//require ah/transport//require; spdadd... (0 Replies)
Discussion started by: ahamed101
0 Replies

8. IP Networking

IPSec VPN Routing

Hello, I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue. ... (0 Replies)
Discussion started by: salukibob
0 Replies

9. AIX

File Transfer thru AIX IPSEC

Hello, I have configured IPSEC between two AIX Server v5.2 using IKE transport. When I try to transfer a files from one server to another, it is very very slow and the file transfer has been terminated after 25% completes. How to overcome this problem? Please advsie. Thanks (0 Replies)
Discussion started by: srllee
0 Replies

10. Solaris

Solaris 10 IPSec peformance

Hi, does anyone have an experience how many IPSec tunnels Solaris 10 is able manage. A rough estimation would be great. I know it's hardly dependent on the hardware used, so if anyone says on a 490 with 2 CPUs and 4GB RAM a maximum of 1000 IPSec tunnels is possible, that would be great. I... (1 Reply)
Discussion started by: blombo
1 Replies

Featured Tech Videos