
(usagi-users 02509) USAGI ipsec on august 4-snapshot.



I've recently started considering ipsec for some needs, and since I use usagi
ipv6, I decided to stick with usagi.

Now, in my test scenario I have three machines on the same subnet. Not ideal,
but I created a second subnet between two of them, so it now looks like this.

192.168.27.1
10.0.0.2/24
         A
        / \
       /   \
      /     \
     /       \
    B         C
10.0.0.1/24
192.168.27.10    192.168.27.70

So A and B additionally share a subnet of their own (10.0.0.0/24). What I am
trying to do is set up an ipsec tunnel between A and C and make C see the
10.0.0.0/24 subnet through it.

The subnets are properly setup, I can ping between A and C both ways and
between A and B on both subnets.

But it seems I am not able to use the tunnel: trying to ping 10.0.0.1 from
192.168.27.70 fails. Pinging the other way is of course a futile experiment,
as it would use the common subnet. (Presumably the same applies to the reply
path: B's echo replies to 192.168.27.70 would go straight over the common
subnet rather than back through the tunnel.)

All the details of my setup and experiments are outlined below. Can anyone
point to any obvious errors or things I have forgotten? I have not read much
about usagi ipv4 ipsec; does it even work? To an untrained eye, it seems things
are set up correctly, protocol-wise, and ready for use...

Now, the details:

After:
ipsec pluto (both nodes)
ipsec auto --ready (both nodes)
ipsec auto --add selbustrand and ipsec auto --add soekris
ipsec auto --up soekris (from selbustrand)

Things look like this:

soekris:~# ipsec auto --status         
000 interface lo ::1
000 interface eth0 fe80::200:24ff:fec0:7778
000 interface eth1 fe80::200:24ff:fec0:7779
000 interface wlan0 3ffe:80ee:3fc:2::1
000 interface eth0 3ffe:80ee:3fc:1::1
000 interface sixb 3ffe:80ee:3fc::1
000 interface sixb fe80::d5bb:b1e6
000 interface wlan0 fe80::2a0:c5ff:fe40:2bbd
000 interface lo 127.0.0.1
000 interface eth0 192.168.27.1
000 interface eth0:2 10.0.0.2
000 interface eth1 213.187.177.230
000 interface wlan0 192.168.11.1
000  
000 "selbustrand": 10.0.0.0/24===192.168.27.1[@soekris.engen.priv.no]...
000 "selbustrand": ...192.168.27.70[@selbustrand.engen.priv.no]
000 "selbustrand":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "selbustrand":   policy: RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS; interface: eth0; erouted
000 "selbustrand":   newest ISAKMP SA: #7; newest IPsec SA: #8; eroute owner: #8
000  
000 #8: "selbustrand" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28502s; newest IPSEC; eroute owner
000 #8: "selbustrand" esp.633b047e@xxxxxxxxxxxxx esp.e9249de6@xxxxxxxxxxxx tun.0@xxxxxxxxxxxxx tun.0@xxxxxxxxxxxx
000 #7: "selbustrand" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3301s; newest ISAKMP


selbustrand:~# ipsec auto --status
000 interface dummy0 fe80::200:ff:fe00:0
000 interface lo ::1
000 interface eth0 3ffe:80ee:3fc:1:20b:dbff:fe19:b4a
000 interface sit0 ::c0a8:1b46
000 interface sit0 ::a00:201
000 interface sit0 ::7f00:1
000 interface sit0 ::a00:101
000 interface eth0 3ffe:80ee:3fc:1:8b7:48d1:acb:2bca
000 interface eth0 fe80::20b:dbff:fe19:b4a
000 interface lo 127.0.0.1
000 interface eth0 192.168.27.70
000 interface dummy0 10.0.1.1
000 interface sit0 10.0.2.1
000  
000 "soekris": 192.168.27.70[@selbustrand.engen.priv.no]...
000 "soekris": ...192.168.27.1[@soekris.engen.priv.no]===10.0.0.0/24
000 "soekris":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soekris":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "soekris":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000  
000 #2: "soekris" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28004s; newest IPSEC; eroute owner
000 #2: "soekris" esp.e9249de6@xxxxxxxxxxxx esp.633b047e@xxxxxxxxxxxxx tun.0@xxxxxxxxxxxx tun.0@xxxxxxxxxxxxx
000 #1: "soekris" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2562s; newest ISAKMP

Now, this is my configuration:

A (soekris, 192.168.27.1):

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gateways.
        # NOTE: auth=ah is set only on this node; the other node's %default
        # below has no auth= line. That is why only this node's policy shows
        # AUTHENTICATE in 'ipsec auto --status' (the other shows RSASIG+ENCRYPT
        # +TUNNEL+PFS). Keep both ends symmetric while debugging, even though
        # the SA listed above still came up as ESP-only.
        auth=ah
        authby=rsasig

conn selbustrand
        left=192.168.27.1
        leftsubnet=10.0.0.0/24
        leftid=@xxxxxxxxxxxxxxxxxxxxx
        leftrsasigkey=0sAQNWalHcfKprLPGLAAXXJlSoS/Gou3v+F/bE9VWrUb+4Tch/Hw9a57fqVZkGDunzkhWleNiw2kJ84cRK6mQrL60FzjJuBY/Xy2PAINre0IsDvOm2tjP93bEedqDTOG6+D5H3y5QE+6/5/gFa12mgrFg8MfElNFhR3/5H6uP4U2JQOzNmJxAeYZ1AKjMk6IRbqZRT2yAU4BonHP4VzWBn5L4L1Q9OnokaCt8C1ok40ojN5v9qgXf9b4M0wejIAsX0b+FNQnK2h8XR7a2alRKlsuvNE2cIKGKrifalX6Hn/6H1fNb0KNkyQTfBO7HJnBqtx8xFudrsd8lUcMlRO7HvkUir
        right=192.168.27.70
        rightid=@xxxxxxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=0sAQPSEvktLMpkhiiGRMpUEAVFi4YAhbJdbMLHdQDxmIT1nG6dEiGEtx+fok02Ay2rCD3M5nJbGJN/qm0SRHTCYPXi0vVXRQZYN3oecBgKFjLzLsjau1YBBqCragcVaysBSMjAs2y+vo34E8PA4OvfVIaOkWF1H2wmZLODU0+SBZhhi7rYCzWGrkTWJ3Pt9axBuHowX6TnoC9pxMQG3LneF5vLBzMpThZQi2vIhQ/YDc58OTUVT2w7ohcbn5O4IxbGP9alRMcySxJFEuKLNaAGDJwv7839Ot7muX7ILDChFxKbAO7LWqeqP+st+sIFV4GZf6TzS2I0hTGOEZM6glXVjJ43
        auto=start


B (selbustrand, 192.168.27.70 — the node drawn as C in the diagram above):

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gateways
        authby=rsasig

conn soekris
        left=192.168.27.1
        leftsubnet=10.0.0.0/24
        leftid=@xxxxxxxxxxxxxxxxxxxxx
        leftrsasigkey=0sAQNWalHcfKprLPGLAAXXJlSoS/Gou3v+F/bE9VWrUb+4Tch/Hw9a57fqVZkGDunzkhWleNiw2kJ84cRK6mQrL60FzjJuBY/Xy2PAINre0IsDvOm2tjP93bEedqDTOG6+D5H3y5QE+6/5/gFa12mgrFg8MfElNFhR3/5H6uP4U2JQOzNmJxAeYZ1AKjMk6IRbqZRT2yAU4BonHP4VzWBn5L4L1Q9OnokaCt8C1ok40ojN5v9qgXf9b4M0wejIAsX0b+FNQnK2h8XR7a2alRKlsuvNE2cIKGKrifalX6Hn/6H1fNb0KNkyQTfBO7HJnBqtx8xFudrsd8lUcMlRO7HvkUir
        right=192.168.27.70
        rightid=@xxxxxxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=0sAQPSEvktLMpkhiiGRMpUEAVFi4YAhbJdbMLHdQDxmIT1nG6dEiGEtx+fok02Ay2rCD3M5nJbGJN/qm0SRHTCYPXi0vVXRQZYN3oecBgKFjLzLsjau1YBBqCragcVaysBSMjAs2y+vo34E8PA4OvfVIaOkWF1H2wmZLODU0+SBZhhi7rYCzWGrkTWJ3Pt9axBuHowX6TnoC9pxMQG3LneF5vLBzMpThZQi2vIhQ/YDc58OTUVT2w7ohcbn5O4IxbGP9alRMcySxJFEuKLNaAGDJwv7839Ot7muX7ILDChFxKbAO7LWqeqP+st+sIFV4GZf6TzS2I0hTGOEZM6glXVjJ43
        auto=start


-- 
- Vegard Engen, member of the first RFC1149 implementation team.