Hello,

I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box
and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP
over IPSEC tunnels].

Each SA is between the same two IP endpoints but specifies a different UDP
port pair.

I was able to get a single SA up using ipsecctl, after making this small fix:

--- sbin/ipsecctl/ike.c.orig    Thu Nov 23 22:48:23 2006
+++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006
@@ -526,7 +526,7 @@
                fprintf(fd, SET "[lid-%s]:Port=%d force\n", src->name,
                    ntohs(sport));
        if (dport)
-               fprintf(fd, SET "[rid-%s]:Port=%d force\n", src->name,
+               fprintf(fd, SET "[rid-%s]:Port=%d force\n", dst->name,
                    ntohs(dport));
 }
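Review bot: the one-character fix is correct (the `[rid-%s]` section must be named after `dst`, not `src`), but the two format strings in this hunk also show why the multi-SA case collapses to one: both section names, `[lid-%s]` and `[rid-%s]`, are built from the endpoint name alone, so a second rule between the same two addresses that differs only in port writes `Port=%d force` into the very same sections and overwrites the earlier port. If per-port SAs are the goal, the port needs to be part of the section name, for example `SET "[rid-%s-%d]:Port=%d force\n", dst->name, ntohs(dport), ntohs(dport)`, with the Local-ID/Remote-ID references and the connection name that point at these sections updated to match, so each rule lands in its own section instead of clobbering the previous one.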

However, what I'm trying to do now is set up multiple SAs. Here's my test
config with 4 SAs, /etc/ipsec.conf.4 (the OpenBSD box is 10.1.1.6 and the
Cisco is 10.1.1.1):

ike esp transport proto udp from 10.1.1.6 port 10000 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"
ike esp transport proto udp from 10.1.1.6 port 10001 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"
ike esp transport proto udp from 10.1.1.6 port 10002 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"
ike esp transport proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mypresharedkey"

Here's how I'm running isakmpd:

# isakmpd -K -4 -v -d -L

And here's how I trigger the process:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
[output pasted below]

However, when I do this, only a single quick mode SA is set up. ipsecctl
shows this:

# ipsecctl -s all
FLOWS:
flow esp in proto udp from 10.1.1.1 port 1701 to 10.1.1.6 port 10003 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type use
flow esp out proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type require

SAD:
esp transport from 10.1.1.6 to 10.1.1.1 spi 0x09b364d2 auth hmac-md5 enc 3des-cbc \
        authkey 0x... \
        enckey 0x...
esp transport from 10.1.1.1 to 10.1.1.6 spi 0x0a6994af auth hmac-md5 enc 3des-cbc \
        authkey 0x... \
        enckey 0x...
#

and the same SAs are shown on the Cisco side too. isakmpd says only:

093109.047718 Default isakmpd: phase 1 done: initiator id 0a010106: 10.1.1.6, responder id 0a010101: 10.1.1.1, src: 10.1.1.6 dst: 10.1.1.1
093109.056238 Default isakmpd: quick mode done: src: 10.1.1.6 dst: 10.1.1.1

'tcpdump -nxr /var/log/isakmpd.pcap' shows that only one quick mode exchange
took place; crypto debug output on the Cisco shows the same.

Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
precedence over the others.

Is there a way to achieve what I'm trying to do, either using ipsecctl, or
manually configuring isakmpd?

Thanks,

Brian Candler.

P.S. I can paste the IOS config if you like, but I'm pretty sure it is
correct. I can set up multiple SAs from UDP port X to UDP port 1701 under
Linux using setkey and racoon from ipsec-tools, and run separate l2tpd
instances over them bound to separate ports.

Here is the output of ipsecctl:

# ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
@1 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10000 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@3 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10001 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@5 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10002 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@7 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [peer-10.1.1.1]:Phase=1 force
C set [peer-10.1.1.1]:Address=10.1.1.1 force
C set [peer-10.1.1.1]:Authentication=mypresharedkey force
C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
C set [lid-10.1.1.6]:Address=10.1.1.6 force
C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
C set [rid-10.1.1.1]:Address=10.1.1.1 force
C set [lid-10.1.1.6]:Protocol=17 force
C set [rid-10.1.1.1]:Protocol=17 force
C set [lid-10.1.1.6]:Port=10003 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
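
The `ipsecctl -vv` output above is a sequence of `C set`/`C add` commands fed to isakmpd's control interface, and reading the four blocks side by side shows the failure mode: every rule generates the same section names (`IPsec-10.1.1.6-10.1.1.1`, `lid-10.1.1.6`, `rid-10.1.1.1`), so each later rule's `Port=... force` overwrites the previous one and `[Phase 2]:Connections` receives the same connection name four times. The following script is an added example, not part of the original mail or of ipsecctl/isakmpd: it parses lines in this format and reports which keys were set more than once with different values and how many distinct Phase 2 connections survive. The sample input is a constructed condensation of the output above (only the lines that matter for the diagnosis), and the replay uses a deliberately simplified model of isakmpd's semantics (`set ... force` overwrites, `add` appends) that is an assumption, not isakmpd's own code.

```python
import re
from collections import defaultdict

# Constructed sample: the lines from the four rules' ipsecctl -vv output that
# matter for this diagnosis. The remaining 'C set' lines are identical in all
# four blocks and are omitted here.
SAMPLE = """\
@1 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [lid-10.1.1.6]:Port=10000 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@3 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [lid-10.1.1.6]:Port=10001 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@5 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [lid-10.1.1.6]:Port=10002 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
@7 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
C set [lid-10.1.1.6]:Port=10003 force
C set [rid-10.1.1.1]:Port=1701 force
C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
"""

# Optional "@<rule line>" prefix, then: C <set|add> [section]:key=value [force]
LINE_RE = re.compile(
    r'^(?:@\d+\s+)?C\s+(set|add)\s+\[([^\]]+)\]:([^=]+)=(.*?)(\s+force)?$')


def parse(text):
    """Turn ipsecctl -vv lines into (op, section, key, value, forced) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            op, section, key, value, force = m.groups()
            entries.append((op, section, key, value, force is not None))
    return entries


def replay(entries):
    """Replay the commands under a simplified model (assumption, not isakmpd's
    code): 'set' with force overwrites an existing value, 'set' without force
    keeps the first value, and 'add' appends to a list-valued key."""
    config = defaultdict(dict)
    for op, section, key, value, forced in entries:
        if op == 'add':
            config[section].setdefault(key, []).append(value)
        elif forced or key not in config[section]:
            config[section][key] = value
    return dict(config)


def overwritten_keys(entries):
    """Keys that were 'set' more than once with differing values: each one is
    a later rule silently clobbering an earlier rule's setting."""
    history = defaultdict(list)
    for op, section, key, value, _ in entries:
        if op == 'set':
            history[(section, key)].append(value)
    return {k: v for k, v in history.items() if len(set(v)) > 1}


def phase2_connections(config):
    """Distinct connection names left in [Phase 2]:Connections."""
    return sorted(set(config.get('Phase 2', {}).get('Connections', [])))


if __name__ == '__main__':
    entries = parse(SAMPLE)
    cfg = replay(entries)
    for (section, key), values in overwritten_keys(entries).items():
        print(f'[{section}]:{key} set {len(values)} times with values '
              f'{values}; value kept: {cfg[section][key]}')
    print('rules added to [Phase 2]:Connections:',
          len(cfg['Phase 2']['Connections']))
    print('distinct connections:', phase2_connections(cfg))
```

Run against the sample, the script reports `[lid-10.1.1.6]:Port` set four times with the values 10000 through 10003 and 10003 kept, and a single distinct connection name added four times, which matches what `ipsecctl -s all` and the isakmpd log show: one quick mode exchange, for the last rule's port pair. The same parser can be pointed at real `ipsecctl -vv` output to confirm whether any rule set collides in this way before blaming the peer.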
