Hi,

I want to set up the following IPsec tunneling mode:

  [IPHDR][IPoptions][AH][ESP][IPHDR2][IPoptions][TCP][data]

as given in http://anoncvs.openbsd.lt/cgi-bin/viewcvs.cgi/www/faq/faq13.html?rev=1.6

Following is my network setup (or in attachment):

  Net-A:  192.3.20.0/24
  Net-B:  192.3.40.0/24
  Net-C:  195.85.10.32/27 (private network)
  open1:  192.3.20.238
  gate:   192.3.20.1 and 192.3.40.1
  open15: 192.3.40.55 (interface to B), 195.85.10.33 (interface to C)
  open3:  195.85.10.34

I failed to achieve the following:

  1. set up an IPsec ESP and AH tunnel between open1 and open15
  2. open1 able to access open15, with the IP packets in the IPsec ESP and AH tunnel
  3. open1 able to access the private network (195.85.10.32), with the IP packets in the IPsec tunnel

I run "isakmpd -d -DA=99" on open1 and open15.

From open1, I ping open3 and the ping command doesn't print a reply message. Ethereal shows an IP packet of 174 bytes:

  open1 to open3: [IP | ESP 116 bytes]
  open3 to open1: [IP | AH | ESP 116 bytes]

From open3, I ping open1 and no reply packet is captured by Ethereal:

  open3 to open1: [IP | AH | ESP 116 bytes]

  1. Can this IPsec tunnel mode be set up, and is it valid?
  2. Why is the IP packet format from open1 to open3 different from open3 to open1?
  3. Eventually I will connect open1 to a GPRS network and set up IPsec on open1 and open15, so I have to achieve the open1 to open15 and open1 to private network setup. Can this be done?

isakmpd.policy and isakmpd.conf for open1:

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
	$OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
	$EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> "true";

# $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
# $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.40.55=		ISAKMP-open15

[Phase 2]
Connections=		IPsec-open15

[ISAKMP-open15]
Phase=			1
Transport=		udp
Address=		192.3.40.55
Configuration=		Default-main-mode
Authentication=		mekmitasdigoat

[IPsec-open15]
Phase=			2
ISAKMP-peer=		ISAKMP-open15
Configuration=		Default-quick-mode
Local-ID=		Net-open1
Remote-ID=		Net-open15

[Net-open1]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.3.20.238
Netmask=		255.255.255.255

[Net-open15]
ID-type=		IPV4_ADDR_SUBNET
Network=		195.85.10.32
Netmask=		255.255.255.224

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-MD5

[3DES-MD5]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

[DES-MD5]
ENCRYPTION_ALGORITHM=	DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-MD5-AH-MD5-SUITE

# Quick mode protection suites
##############################

# 3DES
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols=		QM-ESP-3DES-MD5,QM-AH-MD5

# Quick mode protocols
#############################

# 3DES
[QM-ESP-3DES-MD5]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-XF

# Quick mode transforms
#############################

# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_MD5
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200

/////////////////////

isakmpd.policy and isakmpd.conf for open15:

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
	$OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
	$EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> "true";

# $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
# $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.20.238=		ISAKMP-open1

[Phase 2]
Connections=		IPsec-svr-open1

[ISAKMP-open1]
Phase=			1
Transport=		udp
Address=		192.3.20.238
Configuration=		Default-main-mode
Authentication=		mekmitasdigoat

[IPsec-svr-open1]
Phase=			2
ISAKMP-peer=		ISAKMP-open1
Configuration=		Default-quick-mode
Local-ID=		Net-open15
Remote-ID=		Net-open1

[Net-open15]
ID-type=		IPV4_ADDR_SUBNET
Network=		195.85.10.32
Netmask=		255.255.255.224

[Net-open1]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.3.20.238
Netmask=		255.255.255.255

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-MD5

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-MD5-AH-MD5-SUITE

[3DES-MD5]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		MD5
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

# Quick mode protection suites
##############################

# ESP + AH
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols=		QM-ESP-3DES-MD5,QM-AH-MD5

# Quick mode protocols
#############################

[QM-ESP-3DES-MD5]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID=		IPSEC_AH
Transforms=		QM-AH-MD5-XF

# Quick mode transforms
#############################

# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_MD5
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID=		MD5
ENCAPSULATION_MODE=	TRANSPORT
AUTHENTICATION_ALGORITHM=	HMAC_MD5
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		3600,1800:7200
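The two isakmpd.conf files in the post are meant to be mirror images of each other, and the question hinges on what encapsulation mode each protocol in the ESP+AH bundle actually ends up with. The following is an added example, not part of the original post and not OpenBSD code: it parses isakmpd.conf's "[Section]" / "Tag= value" syntax, walks Phase 2 -> connection -> quick-mode configuration -> suite -> protocol -> transform to list the ENCAPSULATION_MODE of every protocol, and then checks that two peers agree on IDs, pre-shared key, suite and per-protocol modes. The embedded configs are the post's own, reduced to the sections the walk needs and built from one template (the two files differ only in peer address/name and in which ID is Local and which is Remote); the function names are mine.

```python
def parse_isakmpd_conf(text):
    """Parse isakmpd.conf text into {section: {tag: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            tag, val = line.split("=", 1)
            current[tag.strip()] = val.strip()
    return sections

def split_list(value):
    """isakmpd list values (Connections, Suites, Protocols, Transforms) are comma separated."""
    return [v.strip() for v in value.split(",") if v.strip()]

def phase2_protocols(conf):
    """Return [(connection, PROTOCOL_ID, TRANSFORM_ID, ENCAPSULATION_MODE), ...]
    for every protocol reachable from [Phase 2] Connections."""
    out = []
    for conn in split_list(conf["Phase 2"]["Connections"]):
        qm = conf[conf[conn]["Configuration"]]
        for suite in split_list(qm["Suites"]):
            for proto in split_list(conf[suite]["Protocols"]):
                for xf in split_list(conf[proto]["Transforms"]):
                    out.append((conn, conf[proto]["PROTOCOL_ID"],
                                conf[xf]["TRANSFORM_ID"], conf[xf]["ENCAPSULATION_MODE"]))
    return out

def _ident(conf, name):
    sec = conf[name]
    return (sec["ID-type"], sec["Network"], sec["Netmask"])

def mirror_problems(conf_a, conf_b):
    """Compare the first Phase 2 connection of two peers. An empty list means the
    IDs, pre-shared key, suite and per-protocol encapsulation modes all agree."""
    a = conf_a[split_list(conf_a["Phase 2"]["Connections"])[0]]
    b = conf_b[split_list(conf_b["Phase 2"]["Connections"])[0]]
    problems = []
    if _ident(conf_a, a["Local-ID"]) != _ident(conf_b, b["Remote-ID"]):
        problems.append("A Local-ID != B Remote-ID")
    if _ident(conf_a, a["Remote-ID"]) != _ident(conf_b, b["Local-ID"]):
        problems.append("A Remote-ID != B Local-ID")
    if conf_a[a["ISAKMP-peer"]]["Authentication"] != conf_b[b["ISAKMP-peer"]]["Authentication"]:
        problems.append("pre-shared keys differ")
    if conf_a[a["Configuration"]]["Suites"] != conf_b[b["Configuration"]]["Suites"]:
        problems.append("quick-mode suites differ")
    modes_a = [(p, m) for _, p, _, m in phase2_protocols(conf_a)]
    modes_b = [(p, m) for _, p, _, m in phase2_protocols(conf_b)]
    if modes_a != modes_b:
        problems.append("encapsulation modes differ: %s vs %s" % (modes_a, modes_b))
    return problems

# Sections identical on both peers in the post: the two IDs and the ESP+AH bundle.
SHARED = """
[Net-open1]
ID-type= IPV4_ADDR_SUBNET
Network= 192.3.20.238
Netmask= 255.255.255.255
[Net-open15]
ID-type= IPV4_ADDR_SUBNET
Network= 195.85.10.32
Netmask= 255.255.255.224
[Default-quick-mode]
Suites= QM-ESP-3DES-MD5-AH-MD5-SUITE
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5,QM-AH-MD5
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF
[QM-AH-MD5]
PROTOCOL_ID= IPSEC_AH
Transforms= QM-AH-MD5-XF
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
[QM-AH-MD5-XF]
TRANSFORM_ID= MD5
ENCAPSULATION_MODE= TRANSPORT
"""
# Peer-specific sections from one template (the post's files differ only here).
PEER = """
[Phase 1]
{addr}= ISAKMP-{peer}
[Phase 2]
Connections= IPsec-{peer}
[ISAKMP-{peer}]
Address= {addr}
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[IPsec-{peer}]
ISAKMP-peer= ISAKMP-{peer}
Configuration= Default-quick-mode
Local-ID= {local}
Remote-ID= {remote}
"""
OPEN1_CONF = PEER.format(addr="192.3.40.55", peer="open15", local="Net-open1", remote="Net-open15") + SHARED
OPEN15_CONF = PEER.format(addr="192.3.20.238", peer="open1", local="Net-open15", remote="Net-open1") + SHARED

if __name__ == "__main__":
    for host, text in (("open1", OPEN1_CONF), ("open15", OPEN15_CONF)):
        for conn, proto, xf, mode in phase2_protocols(parse_isakmpd_conf(text)):
            print("%-6s %-13s %-9s %-4s %s" % (host, conn, proto, xf, mode))
    print("mirror problems:", mirror_problems(parse_isakmpd_conf(OPEN1_CONF),
                                              parse_isakmpd_conf(OPEN15_CONF)) or "none")
```

Run against the post's two files the walk reports IPSEC_ESP in TUNNEL mode and IPSEC_AH in TRANSPORT mode on both peers, and the mirror check finds no disagreement between them; a stray edit to only one side's AH transform, or a Local-ID/Remote-ID that is not swapped relative to the peer, shows up as a named problem before isakmpd is restarted.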