IPSEC Problem
Hi,
For one year we have used an ipsec tunnel (manual keying) between two OpenBSD 2.7
boxes without problem.
Now I have updated one of the boxes to OpenBSD 2.8.
After changing our ipsec script (I read the new man vpn), nothing works.
Is it possible to use 2.7 and 2.8 to create an ipsec tunnel?
The changes to the 2.8 ipsec manual script are:
-require -in -src $A_EXTERNAL_IP and -require -out -src $A_EXTERNAL_IP
at the right place in the flows, and deleting all -spi in flow creation.
So what's wrong? (I recall that it was working before.)
Here you can find information:
Please help me, I have searched for a long time without understanding the problem.
GATEWAY 2
Encap:
Source             Port  Destination        Port  Proto  SA(Address/SPI/Proto)
192.70.34.38/32    0     192.168.1/24       0     0      212.39.132.253/00001000/50
192.70.34.38/32    0     212.39.132.253/32  0     0      212.39.132.253/00001000/50
192.168.2/24       0     192.168.1/24       0     0      212.39.132.253/00001000/50
192.168.2/24       0     212.39.132.253/32  0     0      212.39.132.253/00001000/50
bash# uname -a
OpenBSD vpn2 2.7 GENERIC#2 i386
OLD GATEWAY 1 (OK)
Encap:
Source             Port  Destination        Port  Proto  SA(Address/SPI/Proto)
192.168.1/24       0     192.70.34.38/32    0     0      192.70.34.38/00001001/50
192.168.1/24       0     192.168.2/24       0     0      192.70.34.38/00001001/50
212.39.132.253/32  0     192.70.34.38/32    0     0      192.70.34.38/00001001/50
212.39.132.253/32  0     192.168.2/24       0     0      192.70.34.38/00001001/50
NEW GATEWAY 2 (NOT OK)
Routing tables
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.2/24       0     192.168.1/24       0     0      212.39.132.253/50/require/in
192.168.2/24       0     212.39.132.253/32  0     0      212.39.132.253/50/require/in
192.70.34.38/32    0     192.168.1/24       0     0      212.39.132.253/50/require/in
192.70.34.38/32    0     212.39.132.253/32  0     0      212.39.132.253/50/require/in
192.168.1/24       0     192.168.2/24       0     0      192.70.34.38/50/require/out
192.168.1/24       0     192.70.34.38/32    0     0      192.70.34.38/50/require/out
212.39.132.253/32  0     192.168.2/24       0     0      192.70.34.38/50/require/out
212.39.132.253/32  0     192.70.34.38/32    0     0      192.70.34.38/50/require/out
------- telnet from 192.168.1.10 to 192.168.2.21 : OK ---
Dump GATEWAY 2
bash# tcpdump -ni fxp1 esp
tcpdump: listening on fxp1
18:24:21.471753 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52568 len 76
18:24:21.472530 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 33 len 76
18:24:21.531648 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52569 len 76
18:24:21.531959 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52570 len 100
18:24:21.532439 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 34 len 76
18:24:21.569769 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 35 len 92
18:24:21.650058 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52571 len 76
18:24:21.650437 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 36 len 92
18:24:21.650568 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52572 len 84
18:24:21.741878 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 37 len 76
18:24:21.940687 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52573 len 76
18:24:21.941365 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 38 len 92
DUMP GATEWAY 1 OLD
bash# tcpdump -ni fxp1 esp
tcpdump: listening on fxp1
17:12:30.271892 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52568 len 76
17:12:30.371363 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 33 len 76
17:12:30.372093 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52569 len 76
17:12:30.373082 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52570 len 100
17:12:30.433999 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 34 len 76
17:12:30.467226 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 35 len 92
17:12:30.467762 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52571 len 76
17:12:30.468094 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52572 len 84
17:12:30.630106 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 36 len 92
17:12:30.654619 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 37 len 76
17:12:30.680824 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52573 len 76
17:12:30.857997 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 38 len 92
17:12:30.860002 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 52574 len 132
---------- telnet from 192.168.1.10 to 192.168.2.21 : NOT OK ---
DUMP GATEWAY 2
bash# tcpdump -ni fxp1 esp
tcpdump: listening on fxp1
18:49:42.169853 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 33 len 76
18:49:42.170446 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 125 len 76
18:49:45.518971 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 34 len 76
18:49:45.519757 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 126 len 76
18:49:45.533988 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 127 len 76
18:49:52.270538 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 35 len 76
18:49:52.271364 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 128 len 76
18:49:52.284585 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 129 len 76
18:50:05.772844 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 36 len 76
18:50:05.773682 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 130 len 76
18:50:05.786044 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 131 len 76
DUMP GATEWAY 1 (NEW)
bash# tcpdump -ni fxp1 esp
tcpdump: listening on fxp1
18:57:20.364693 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 33 len 76
18:57:20.461584 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 125 len 76
18:57:23.731631 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 34 len 76
18:57:23.800127 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 126 len 76
18:57:23.841620 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 127 len 76
18:57:30.480906 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 35 len 76
18:57:30.542840 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 128 len 76
18:57:30.560708 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 129 len 76
18:57:43.979426 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 36 len 76
18:57:44.117016 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 130 len 76
18:57:44.141572 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 131 len 76
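The ESP dumps in this post can be checked mechanically for the two things a tunnel debugger wants to know: whether each SPI's sequence numbers are contiguous (no hole, replay or reorder) and whether the traffic is real data or just the sender retrying. This is an added Python example, not from the original post; the sample input is the post's own "NOT OK" dump of gateway 2, and the backoff heuristic (gaps of at least 1 s that keep growing by 1.5x) is an assumption of this example, not something the post states.

```python
# Added example (not from the original post): parse `tcpdump -n esp` output, check
# per-SPI sequence continuity and flag TCP-style retransmission backoff.
import re

# Sample input: the post's "NOT OK" dump of gateway 2, with wrapped lines rejoined.
NOT_OK_DUMP = """\
18:49:42.169853 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 33 len 76
18:49:42.170446 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 125 len 76
18:49:45.518971 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 34 len 76
18:49:45.519757 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 126 len 76
18:49:45.533988 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 127 len 76
18:49:52.270538 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 35 len 76
18:49:52.271364 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 128 len 76
18:49:52.284585 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 129 len 76
18:50:05.772844 esp 212.39.132.253 > 192.70.34.38 spi 0x00001001 seq 36 len 76
18:50:05.773682 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 130 len 76
18:50:05.786044 esp 192.70.34.38 > 212.39.132.253 spi 0x00001000 seq 131 len 76
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) esp (\S+) > (\S+) "
                     r"spi (0x[0-9a-fA-F]+) seq (\d+) len (\d+)$")

def parse_esp(text):
    """Return (seconds since midnight, src, dst, spi, seq, length) per ESP line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything else ("tcpdump: listening on fxp1", ...) is skipped
            h, mi, s, src, dst, spi, seq, ln = m.groups()
            pkts.append((int(h) * 3600 + int(mi) * 60 + float(s),
                         src, dst, int(spi, 16), int(seq), int(ln)))
    return pkts

def per_spi(pkts):
    """Per SPI: are sequence numbers contiguous (no hole/replay/reorder), and the gaps in s."""
    by_spi = {}
    for p in pkts:
        by_spi.setdefault(p[3], []).append(p)
    out = {}
    for spi, lst in by_spi.items():
        seqs, times = [p[4] for p in lst], [p[0] for p in lst]
        out[spi] = {"seq_ok": seqs == list(range(seqs[0], seqs[0] + len(seqs))),
                    "gaps": [round(b - a, 2) for a, b in zip(times, times[1:])]}
    return out

def looks_like_backoff(gaps, min_gap=1.0):
    """True when every gap is >= min_gap and each grows >= 1.5x over the previous:
    the shape of TCP SYN retransmission (ESP arrives, but no usable reply comes back)."""
    return (len(gaps) >= 2 and min(gaps) >= min_gap
            and all(b >= 1.5 * a for a, b in zip(gaps, gaps[1:])))
```

Run against the "OK" dumps the gaps stay well under a second and the heuristic stays quiet; on the "NOT OK" dump SPI 0x1001 shows gaps of 3.35, 6.75 and 13.5 s, the retransmission signature.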