Per discussion in today's LSPP meeting, I am sending out
my basic IPSec configuration and the problems I encountered
trying to verify basic, unlabeled IPSec.
Last Friday morning, August 18, I installed the rawhide kernel
that was available that day on 2 ppc64 machines.
My system contained all defaults, thus targeted policy.
I enabled Permissive mode to rule out any policy issues.
I configured basic IPSec on both machines to verify nothing
regressed. Unfortunately, plain, unlabeled IPSec would not work.
I ran into several problems, which I will list below.
My IPSec config on Machine A: IP address is x.x.x.206
add x.x.x.55 x.x.x.206 esp 35590
    -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b"
    -A hmac-md5 "TAHITEST89ABCDEF";
add x.x.x.206 x.x.x.55 esp 12360
    -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b"
    -A hmac-md5 "TAHITEST89ABCDEF";
spdadd x.x.x.55 x.x.x.206 any -P in ipsec
    esp/transport//require;
spdadd x.x.x.206 x.x.x.55 any -P out ipsec
    esp/transport//require;
My IPSec config on Machine B: IP address is x.x.x.55
add x.x.x.55 x.x.x.206 esp 35590
    -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b"
    -A hmac-md5 "TAHITEST89ABCDEF";
add x.x.x.206 x.x.x.55 esp 12360
    -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b"
    -A hmac-md5 "TAHITEST89ABCDEF";
spdadd x.x.x.55 x.x.x.206 any -P out ipsec
    esp/transport//require;
spdadd x.x.x.206 x.x.x.55 any -P in ipsec
    esp/transport//require;
You can cut & paste the above "add" and "spdadd" commands
into a file, for example "setkey.example", on each machine.
Then run "setkey -f setkey.example" to add entries into the
IPSec databases and thus configure IPSec.
To see entries added to IPSec databases, just do a:
"setkey -D" - to see the SA database and
"setkey -DP" - to see the Policy database.
Now the machines have basic, unlabeled IPSec configured.
NOTE: To remove IPSec configuration from each machine do:
setkey -F
setkey -FP
This will flush the IPSec databases. You will need to run
both commands on each machine.
First Problem:
1. From machine A, ping machine B.
ping machineB
This does not work. I saw a "ping: sendmsg: Operation not permitted."
message.
Second Problem:
WARNING: THIS MAY CAUSE YOUR KERNEL TO OOPS!!
2. From Machine A, do an sftp to machine B:
sftp machineB
I received the following:
[jml]# sftp machineB
Connecting to machineB...
kernel BUG in skb_to_sgvec at net/xfrm/xfrm_algo.c:611!
cpu 0x0: Vector: 700 (Program Check) at [c000000047967250]
pc: c000000000369a38: .skb_to_sgvec+0x288/0x2ec
lr: d000000000b205f0: .esp_output+0x350/0x4e4 [esp4]
sp: c0000000479674d0
msr: 8000000000029032
current = 0xc000000002511270
paca = 0xc000000000494380
pid = 24005, comm = ssh
kernel BUG in skb_to_sgvec at net/xfrm/xfrm_algo.c:611!
enter ? for help
0:mon>t
[c0000000479675a0] d000000000b205f0 .esp_output+0x350/0x4e4 [esp4]
[c000000047967680] c000000000362358 .xfrm4_output_finish2+0x2d0/0x3ec
[c000000047967720] c000000000362628 .xfrm4_output+0x74/0x88
[c0000000479677a0] c000000000322af8 .ip_queue_xmit+0x4ac/0x544
[c0000000479678a0] c0000000003360f8 .tcp_transmit_skb+0x820/0x890
[c000000047967960] c0000000003392dc .tcp_connect+0x308/0x3b0
[c000000047967a00] c00000000033d95c .tcp_v4_connect+0x53c/0x6d4
[c000000047967b80] c00000000034c03c .inet_stream_connect+0x10c/0x358
[c000000047967c60] c0000000002e3ebc .sys_connect+0xd8/0x120
[c000000047967d90] c000000000305d2c .compat_sys_socketcall+0xdc/0x214
[c000000047967e30] c00000000000871c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at 0000000007aef8ec
SP (f969f230) is in userspace
Please let me know if there are any questions on how to recreate these
problems or use IPSec. Also, if you do not encounter these, or you
download a more recent rawhide and do not encounter these, PLEASE let me know.
In the meantime I will continue to debug.
Regards,
Joy Latten
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
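To sanity-check a setkey file like the ones in the post before loading it with "setkey -f" (key sizes for the chosen algorithms, an SA present for every spdadd address pair, and in/out swapped correctly for the host doing the configuring), here is an added Python checker; it is not part of the post or of ipsec-tools. The key-size table is taken from the setkey man page, and the direction rule assumes host-to-host transport mode as in this configuration, with `local` being the configuring host's own address.

```python
import re

# Key sizes setkey(8) accepts per algorithm, in bits (ipsec-tools man page).
ENC_KEY_BITS = {"des-cbc": {64}, "3des-cbc": {192}, "aes-cbc": {128, 192, 256}}
AUTH_KEY_BITS = {"hmac-md5": {128}, "hmac-sha1": {160}, "hmac-sha256": {256}}
MACHINE_A = """# Machine A's setkey file from the post (its own address is x.x.x.206)
add x.x.x.55 x.x.x.206 esp 35590 -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b" -A hmac-md5 "TAHITEST89ABCDEF";
add x.x.x.206 x.x.x.55 esp 12360 -m transport
    -E 3des-cbc "06183223c23a21e8b36c566b" -A hmac-md5 "TAHITEST89ABCDEF";
spdadd x.x.x.55 x.x.x.206 any -P in ipsec esp/transport//require;
spdadd x.x.x.206 x.x.x.55 any -P out ipsec esp/transport//require;
"""
def key_bits(token):
    """setkey keys are a double-quoted ASCII string (8 bits/char) or 0x hex (4 bits/char)."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return (len(token) - 2) * 8
    if token.startswith("0x"):
        return (len(token) - 2) * 4
    raise ValueError(f"unrecognised key literal {token!r}")
def parse_setkey(text):
    """Split a setkey -f file into token lists, one per ';'-terminated statement."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    return [s.split() for s in text.split(";") if s.split()]
def check_setkey(text, local):
    """List wrong key sizes, policies with no matching SA, and policies whose
    in/out direction does not fit the configuring host's own address `local`."""
    problems, sas, policies = [], set(), []
    for toks in parse_setkey(text):
        if toks[0] == "add":
            src, dst, proto = toks[1:4]
            sas.add((src, dst, proto))
            for flag, table in (("-E", ENC_KEY_BITS), ("-A", AUTH_KEY_BITS)):
                if flag in toks:
                    i = toks.index(flag)
                    algo, bits = toks[i + 1], key_bits(toks[i + 2])
                    if algo in table and bits not in table[algo]:  # unknown algorithms skipped
                        problems.append(f"SA {src}->{dst}: {algo} key is {bits} bits, "
                                        f"expected one of {sorted(table[algo])}")
        elif toks[0] == "spdadd":
            src, dst, direction = toks[1], toks[2], toks[toks.index("-P") + 1]
            proto = toks[toks.index("ipsec") + 1].split("/")[0]
            policies.append((src, dst, direction, proto))
    for src, dst, direction, proto in policies:
        if (src, dst, proto) not in sas:
            problems.append(f"policy {src}->{dst} {direction}: no {proto} SA for that pair")
        if (direction == "out" and src != local) or (direction == "in" and dst != local):
            problems.append(f"policy {src}->{dst} {direction}: direction wrong for host {local}")
    return problems
```

Running check_setkey(MACHINE_A, "x.x.x.206") returns an empty list, while checking the same file as host x.x.x.55 flags both policies, which is the in/out swap the post makes between the two machines; writing the 3des-cbc key as 0x hex instead of a quoted string would be flagged as a 96-bit key.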