Linux vs Pix vs ipsec

25 Jan 2005

      Hi all

пытаюсь спарить по ipsec linux с cisco pix
построил ipsec и racoon

-----------
uname -a
Linux blackhole.adamant.net 2.6.10-cko3 #1 Fri Jan 21 17:28:57 EET 2005 i686 i686 i386 GNU/Linux

-----------
#!/sbin/setkey -f

flush;
spdflush;

spdadd 10.100.102.0/24 10.100.101.0/24 any -P out ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 10.100.101.0/24 10.100.102.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
-----------
remote 10.0.0.1 {
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
                }
}

sainfo address 10.100.102.0/24 any address 10.100.101.0/24 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm non_auth;
        compression_algorithm deflate ;
        pfs_group 1;
}
--------------

на pix соответственно
access-list remote-net permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0 
ip address outside 10.0.0.1 255.255.255.252
ip address inside 10.100.101.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 10.100.102.0 255.255.255.0 10.0.0.2 1
sysopt connection tcpmss 1280
sysopt connection permit-ipsec
crypto ipsec transform-set simple esp-3des 
crypto map ipsec-map 10 ipsec-isakmp
crypto map ipsec-map 10 match address remote-net
crypto map ipsec-map 10 set pfs 
crypto map ipsec-map 10 set peer 10.0.0.2
crypto map ipsec-map 10 set transform-set simple
crypto map ipsec-map interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
---------------------------------

DH группу пробовал и 2, и 5
шифрование пробовал 3des и des
результат одинаковый

------------------------
инфа с pix
show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
        10.0.0.1         10.0.0.2    QM_IDLE         0           1

show crypto ipsec sa

interface: outside
    Crypto map tag: ipsec-map, local addr. 10.0.0.1

   local  ident (addr/mask/prot/port): (10.100.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.102.0/255.255.255.0/0/0)
   current_peer: 10.0.0.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5501, #pkts encrypt: 5501, #pkts digest 0
    #pkts decaps: 4939, #pkts decrypt: 4942, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 30, #recv errors 3

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ipsec overhead 44, media mtu 1500
     current outbound spi: 54eb4fb

     inbound esp sas:
      spi: 0x54b459b(88819099)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: ipsec-map
        sa timing: remaining key lifetime (k/sec): (4607864/2263)
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x54eb4fb(89044219)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: ipsec-map
        sa timing: remaining key lifetime (k/sec): (4607874/2259)
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

     outbound pcp sas:

------------------------

setkey -D на линуксе

10.0.0.2 10.0.0.1 
	esp mode=tunnel spi=88819099(0x054b459b) reqid=0(0x00000000)
	E: 3des-cbc  c02e061c ebb71f36 214a9740 fd0b9537 29d1e792 d5aa6e05
	seq=0x00000000 replay=4 flags=0x00000000 state=mature 
	created: Jan 25 13:38:53 2005	current: Jan 25 14:06:16 2005
	diff: 1643(s)	hard: 3600(s)	soft: 2880(s)
	last: Jan 25 13:38:54 2005	hard: 0(s)	soft: 0(s)
	current: 203360(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1640	hard: 0	soft: 0
	sadb_seq=1 pid=7380 refcnt=0
10.0.0.1 10.0.0.2 
	esp mode=tunnel spi=89044219(0x054eb4fb) reqid=0(0x00000000)
	E: 3des-cbc  ce0e427f 8f6c79e6 f166d527 d60c82b0 f3ed1031 0d4bce00
	seq=0x00000000 replay=4 flags=0x00000000 state=mature 
	created: Jan 25 13:38:53 2005	current: Jan 25 14:06:16 2005
	diff: 1643(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=7380 refcnt=0

setkey -DP на линуксе

10.100.101.0/24[any] 10.100.102.0/24[any] any
	in ipsec
	esp/tunnel/10.0.0.1-10.0.0.2/require
	created: Jan 25 13:38:52 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=1000 seq=9 pid=7356
	refcnt=1
10.100.102.0/24[any] 10.100.101.0/24[any] any
	out ipsec
	esp/tunnel/10.0.0.2-10.0.0.1/require
	created: Jan 25 13:38:52 2005  lastused: Jan 25 14:05:26 2005
	lifetime: 0(s) validtime: 0(s)
	spid=993 seq=8 pid=7356
	refcnt=2
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=963 seq=7 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=947 seq=6 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 25 13:33:15 2005  lastused: Jan 25 13:39:21 2005
	lifetime: 0(s) validtime: 0(s)
	spid=931 seq=5 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=915 seq=4 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=972 seq=3 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=956 seq=2 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 25 13:33:15 2005  lastused: Jan 25 13:38:53 2005
	lifetime: 0(s) validtime: 0(s)
	spid=940 seq=1 pid=7356
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 25 13:33:15 2005  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=924 seq=0 pid=7356
	refcnt=1

-------------------------

в обоих концов на "внутренних" интерфейсах повесил по пингвину

таким образом - ключи согласовались

pix пакеты от linux-а видит получает и передает дальшеs
(их видно tcpdump-ом на оконечном пингвине)

полученные ответы pix шифрует и передает на linux
их ТОЖЕ видно tcpdump-ом
13:55:12.513078 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d2)
13:55:12.513516 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.512954 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d3)
13:55:13.513387 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.947616 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:14.512815 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d4)
13:55:14.513245 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:15.512682 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d5)
13:55:15.513117 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:16.512551 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d6)
13:55:16.513068 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:17.522446 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d7)
13:55:17.522887 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)

но linux эти пакеты или не дешифрует или фиг его знает, но на внутренний интерфейс ответы не уходят

единственно что смущает - линукс seq ставит, а pix нет

у кого-то есть идеи как это все заставить работать?

-- 
Best regard, Aleksander Trotsai aka MAGE-RIPE aka MAGE-UANIC
My PGP key at ftp://blackhole.adamant.ua/pgp/trotsai.key[.asc]
Печатаю со скоростью 1200 знаков в минуту. Такой бред получается...
===================================================================
uanog mailing list.
To Unsubscribe: send mail to majordomo@uanog.kiev.ua
with "unsubscribe uanog" in the body of the message

Alexander Trotsai

Alexander Trotsai

Alexander Trotsai

Vlad Zabolotny

Alexander Trotsai

Alexander Trotsai

Alexander Trotsai

Alexander Trotsai

vovka＠usr.al.lg.ua

Alexander Trotsai

vovka＠usr.al.lg.ua

Alexander Trotsai

tags

participants (3)