about freeswan connection

From: Jefferson ZHU (jefferson_zhu_at_sina.com)
Date: 02/26/04

• Next message: Dennis Jung: "Re: iptables initialization"
• Previous message: hiwa: "Re: Can't use "www" url to webserver on LAN?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: 26 Feb 2004 01:42:49 -0800

hi, everyone

I have tried freeswan, and vpn connection works, but it seems
something goes wrong.

freeswan version: 1.99
linux version: Redhat 7.3

The environment is:

PC1 10.0.1.23 ---- 10.0.1.12 gateway A 192.168.0.12 --
                                                     |
                                                     |
PC2 10.0.2.23 ---- 10.0.2.12 gateway B 192.168.0.13 --

the ipsec.conf in gateway A is:
######################################################
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

conn dev1
        type=tunnel
        left=192.168.0.12
        leftsubnet=10.0.1.0/24
        right=192.168.0.13
        rightsubnet=10.0.2.0/24
        keyexchange=ike
        keylife=1h
        pfs=no
        auth=esp
        esp=3des-md5-96
        authby=secret
        keyingtries=0
        auto=start
######################################################

the ipsec.conf in gateway B is:
######################################################
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

conn dev2
        type=tunnel
        left=192.168.0.13
        leftsubnet=10.0.2.0/24
        right=192.168.0.12
        rightsubnet=10.0.1.0/24
        keyexchange=ike
        keylife=1h
        pfs=no
        auth=esp
        esp=3des-md5-96
        authby=secret
        keyingtries=0
        auto=start
######################################################

The dotconf file works well.

I change "esp=3des-md5-96" to "esp=3des-sha1-96" in gateway B's
dotconf file while not change the same parameter in gateway A's
dotconf file, then reboot two machine.
I surprise to see the connection also works?!

I have checked "ipsec spi" and get the following information:

tun0x1006@192.168.0.13 IPIP: dir=out src=192.168.0.12
life(c,s,h)=bytes(7440,0,0)addtime(93,0,0)usetime(92,0,0)packets(93,0,0)
idle=0
tun0x1005@192.168.0.12 IPIP: dir=in src=192.168.0.13
policy=10.0.2.0/24->10.0.1.0/24 flags=0x8<>
life(c,s,h)=bytes(7360,0,0)addtime(93,0,0)usetime(91,0,0)packets(92,0,0)
idle=0
tun0x1004@192.168.0.13 IPIP: dir=out src=192.168.0.12
life(c,s,h)=bytes(160,0,0)addtime(95,0,0)usetime(94,0,0)packets(2,0,0)
idle=93
tun0x1003@192.168.0.12 IPIP: dir=in src=192.168.0.13
policy=10.0.2.0/24->10.0.1.0/24 flags=0x8<>
life(c,s,h)=bytes(160,0,0)addtime(95,0,0)usetime(93,0,0)packets(2,0,0)
idle=92
tun0x1002@192.168.0.13 IPIP: dir=out src=192.168.0.12
life(c,s,h)=bytes(1280,0,0)addtime(110,0,0)usetime(110,0,0)packets(16,0,0)
idle=95
tun0x1001@192.168.0.12 IPIP: dir=in src=192.168.0.13
policy=10.0.2.0/24->10.0.1.0/24 flags=0x8<>
life(c,s,h)=bytes(1360,0,0)addtime(117,0,0)usetime(110,0,0)packets(17,0,0)
idle=94
esp0x6e0e8f7b@192.168.0.12 ESP_3DES_HMAC_MD5: dir=in src=192.168.0.13
iv_bits=64bits iv=0x28671ca350a8b436 ooowin=64 seq=92
bit=0xffffffffffffffff alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(7360,0,0)addtime(93,0,0)usetime(91,0,0)packets(92,0,0)
idle=0
esp0x6e0e8f7a@192.168.0.12 ESP_3DES_HMAC_MD5: dir=in src=192.168.0.13
iv_bits=64bits iv=0x969100fec7469045 ooowin=64 seq=2 bit=0x3 alen=128
aklen=128 eklen=192 life(c,s,h)=bytes(160,0,0)addtime(95,0,0)usetime(93,0,0)packets(2,0,0)
idle=92
esp0x6e0e8f79@192.168.0.12 ESP_3DES_HMAC_MD5: dir=in src=192.168.0.13
iv_bits=64bits iv=0xf90911d581bcf48f ooowin=64 seq=17 bit=0x1ffff
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(1360,0,0)addtime(117,0,0)usetime(110,0,0)packets(17,0,0)
idle=94
esp0xab87e960@192.168.0.13 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.12
iv_bits=64bits iv=0xe706fa96ea1268df ooowin=64 seq=93 alen=128
aklen=128 eklen=192 life(c,s,h)=bytes(10416,0,0)addtime(93,0,0)usetime(92,0,0)packets(93,0,0)
idle=0
esp0xab87e95f@192.168.0.13 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.12
iv_bits=64bits iv=0x2f73c20d8b0b70be ooowin=64 seq=2 alen=128
aklen=128 eklen=192 life(c,s,h)=bytes(224,0,0)addtime(95,0,0)usetime(94,0,0)packets(2,0,0)
idle=93
esp0xab87e95e@192.168.0.13 ESP_3DES_HMAC_MD5: dir=out src=192.168.0.12
iv_bits=64bits iv=0x996cb93412db2cce ooowin=64 seq=16 alen=128
aklen=128 eklen=192 life(c,s,h)=bytes(1792,0,0)addtime(110,0,0)usetime(110,0,0)packets(16,0,0)
idle=95

I do not know where I have a mistake.
Thank you.

---

• Next message: Dennis Jung: "Re: iptables initialization"
• Previous message: hiwa: "Re: Can't use "www" url to webserver on LAN?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

linux.derkeiler.com  > Newsgroups  > comp.os.linux.networking  > 2004-02