Re: IPSEC VPN 2.6<-->2.7 troubleshooting
Hi,
That netstat command is way cool...
# netstat -ss -p esp
esp:
1621 input ESP packets
543 output ESP packets
1621 packets for which no TDB was found
45612 output bytes
I'm getting similar results on the firewall on the other end of the
VPN.
That's fantastic, and it is apparent that the problem is that it's not
finding a TDB for any packets. I have grep'd the entire man pages, and
can find no reference to TDB... can anyone shed some light on what a TDB
is?
Also, I can't seem to figure out exactly what the SPI is used for.
Someone mentioned that the SPI looked suspicious. Is the SPI associated
with a specific IP address regardless of which end of the VPN it is on?
eg: should a.115.242.23 be associated with the SPI 1000 ON BOTH sides
of the VPN?
Thanks for any and all assistance!!
I did a little more work, and here are the commands that are being
generated by the rc.vpn's
bastion - OpenBSD 2.6
---------------------
Internal Network 192.168.0.0/24
External IP address:a.115.242.23/32
/sbin/ipsecadm new esp -src a.115.242.23 -dst a.115.230.160 \
-forcetunnel -spi 1000 -enc 3des -auth sha1 \
-key ${key} -authkey ${authkey}
/sbin/ipsecadm new esp -src a.115.230.160 -dst a.115.242.23 \
-forcetunnel -spi 1001 -enc 3des -auth sha1 \
-key ${key} -authkey ${authkey}
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1000 \
-addr 0.0.0.0 0xffffffff a.115.230.160 0xffffffff
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1000 \
-addr 192.168.0.0 0xffffff00 192.168.88.0 0xffffff00
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1000 \
-addr 0.0.0.0 0xffffffff 192.168.88.0 0xffffff00
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1000 \
-addr 192.168.0.0 0xffffff00 a.115.230.160 0xffffffff
Gives netstat -rn -f encap
Encap:
Source           Port  Destination       Port  Proto  SA(Address/SPI/Proto)
0.0.0.0/32       0     192.168.88/24     0     0      a.115.230.160/00001000/50
0.0.0.0/32       0     a.115.230.160/32  0     0      a.115.230.160/00001000/50
192.168.0/24     0     192.168.88/24     0     0      a.115.230.160/00001000/50
192.168.0/24     0     a.115.230.160/32  0     0      a.115.230.160/00001000/50
OpenBSD 2.7-current
-------------------
Internal Network 192.168.88.0/24
External IP address: a.115.230.160
/sbin/ipsecadm new esp -src a.115.230.160 -dst a.115.242.23 \
-forcetunnel -spi 1000 -enc 3des -auth sha1 \
-keyfile /etc/ipsec/enc_key -authkeyfile /etc/ipsec/auth_key
/sbin/ipsecadm new esp -src a.115.242.23 -dst a.115.230.160 \
-forcetunnel -spi 1001 -enc 3des -auth sha1 \
-keyfile /etc/ipsec/enc_key -authkeyfile /etc/ipsec/auth_key
/sbin/ipsecadm flow -proto esp -dst a.115.242.23 -spi 1000 \
-addr a.115.230.160 255.255.255.255 a.115.242.23 255.255.255.255
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1001 \
-addr a.115.242.23 255.255.255.255 a.115.230.160 \
255.255.255.255 -ingress
/sbin/ipsecadm flow -proto esp -dst a.115.242.23 -spi 1000 \
-addr 192.168.88.0 255.255.255.0 192.168.0.0 255.255.255.5
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1001 \
-ingress -addr 192.168.0.0 255.255.255.0 192.168.88.0 255.255.255.0
/sbin/ipsecadm flow -proto esp -dst a.115.242.23 -spi 1000 \
-addr a.115.230.160 255.255.255.255 192.168.0.0 255.255.255.0
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1001 \
-ingress -addr 192.168.0.0 255.255.255.0 a.115.230.160 255.255.255.255
/sbin/ipsecadm flow -proto esp -dst a.115.242.23 -spi 1000 \
-addr 192.168.88.0 255.255.255.0 a.115.242.23 255.255.255.255
/sbin/ipsecadm flow -proto esp -dst a.115.230.160 -spi 1001 \
-ingress -addr a.115.242.23 255.255.255.255 \
192.168.88.0 255.255.255.0
Encap:
Source            Port  Destination      Port  Proto  SA(Address/SPI/Proto)
192.168.88/24     0     192.168.0/24     0     0      a.115.242.23/00001000/50
192.168.88/24     0     a.115.242.23/32  0     0      a.115.242.23/00001000/50
a.115.230.160/32  0     192.168.0/24     0     0      a.115.242.23/00001000/50
a.115.230.160/32  0     a.115.242.23/32  0     0      a.115.242.23/00001000/50
>
>
> You can try running tcpdump on the enc0 interface on the 2.7 box (after you
> ifconfig enc0 up), to see if the packets are processed. Also, netstat -ss -p esp
> will give you error statistics for the ESP protocol.
> -Angelos
>
>
--
Steve Williams, Calgary, Alberta, Canada
Genie Computer Systems Inc.
steve@genie96.com
"A man doesn't begin to attain wisdom until he recognizes that he is
no longer indispensable."
- Admiral Richard E. Byrd ( 1888-1957 )
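As an added example (my own, not from the post above or from OpenBSD), a small Python script that cross-checks the SA definitions from the two rc.vpn scripts: OpenBSD finds the SA for an incoming ESP packet, its kernel TDB (tunnel descriptor block), by destination address, SPI and protocol, so the sender's outbound SA and the receiver's inbound SA must carry the same dst and SPI. It assumes only the addresses and SPIs as written in the post (keys omitted) and reports every outbound SA for which the peer has no matching inbound SA, which is what the "no TDB was found" counter reflects.

```python
# Added example, not from the post. The OpenBSD kernel looks up the SA (TDB) for
# an incoming ESP packet by (dst address, SPI, protocol); an SA one side uses for
# output must therefore exist on the peer with the same dst and SPI.
import re
from typing import List, Tuple

SA = Tuple[str, str, int]  # (src, dst, spi) as given to "ipsecadm new esp"

def parse_ipsecadm_new(script: str) -> List[SA]:
    """Extract (src, dst, spi) from 'ipsecadm new esp' lines of an rc.vpn script."""
    joined = script.replace("\\\n", " ")  # join backslash-newline continuations
    sas = []
    for line in joined.splitlines():
        if "ipsecadm new esp" not in line:
            continue
        m = re.search(r"-src\s+(\S+).*-dst\s+(\S+).*-spi\s+(\d+)", line)
        if m:
            sas.append((m.group(1), m.group(2), int(m.group(3))))
    return sas

def check_peer_sas(local_ip: str, local_sas: List[SA],
                   peer_ip: str, peer_sas: List[SA]) -> List[str]:
    """List outbound SAs of local_ip that peer_ip has no matching inbound SA for."""
    peer_inbound = {(dst, spi) for (_src, dst, spi) in peer_sas if dst == peer_ip}
    problems = []
    for (src, dst, spi) in local_sas:
        if src != local_ip:
            continue  # an inbound SA here; it is checked from the peer's side
        if (dst, spi) not in peer_inbound:
            have = sorted(s for (d, s) in peer_inbound if d == dst)
            problems.append(f"{local_ip} sends ESP to {dst} with SPI {spi}, but "
                            f"{peer_ip} only has inbound SPI(s) {have} for {dst}")
    return problems

# SA commands transcribed from the post (keys omitted; addresses as written there).
BASTION_26 = """\
/sbin/ipsecadm new esp -src a.115.242.23 -dst a.115.230.160 \\
  -forcetunnel -spi 1000 -enc 3des -auth sha1
/sbin/ipsecadm new esp -src a.115.230.160 -dst a.115.242.23 \\
  -forcetunnel -spi 1001 -enc 3des -auth sha1
"""
BOX_27 = """\
/sbin/ipsecadm new esp -src a.115.230.160 -dst a.115.242.23 \\
  -forcetunnel -spi 1000 -enc 3des -auth sha1
/sbin/ipsecadm new esp -src a.115.242.23 -dst a.115.230.160 \\
  -forcetunnel -spi 1001 -enc 3des -auth sha1
"""
```

Run check_peer_sas in each direction (bastion as local with the 2.7 box as peer, then the reverse); a configuration where both ends agree on the SPI for each direction produces an empty list.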