IPsec tunnel only working in one direction

From: Rob De Langhe (rob.delanghe@telindus.be)
Date: Tue Mar 11 2003 - 10:10:49 EST


Hi all,

we are trying to configure an IPsec tunnel between 2 Solaris-9 servers, in
order to protect (via encryption and tunnelling) RPC-based traffic (like NFS
and CDE-communications) between the two hosts.

I would not post a question here if everything worked fine: after setting
up the tunnel, when I "ping" from either machine to the other, I can see
(with "snoop") the ESP packets leaving the machine and arriving on the
interface of the other machine. But no "echo reply" goes back (no such
packets come out of the second machine).

All recent recommended patches have been installed on both machines, the
full OS bundle of packages is loaded, as well as (for 64-bit operation) the
package SUNWcarx.u

This is the procedure I applied:
1) I created an empty /etc/inet/ipsecinit.conf file, which, according
to the man page of ipsecconf, should result in all traffic being allowed to go
in/out of the machine.

2) I did the command "ipsecconf -a /etc/inet/ipsecinit.conf" to load the
IPsec modules in the kernel

3) I checked the availability of the encryption algorithms with
ndd /dev/ipsecesp ipsecesp_status
which printed happily "Authentication algorithms = 2" and "Encryption
algorithms = 3"

4) on hostA, I created the following /etc/inet/ipseckey.conf file:

add esp spi 5669538998 src 10.10.10.1 dst 10.10.10.2 \
        auth_alg md5 \
        authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 \
        encr_alg des \
        encrkey 2E1E8CDCD08F759E
add esp spi 2516985906 src 10.10.10.2 dst 10.10.10.1 \
        auth_alg md5 \
        authkey BC62474CCC139ABC7979D28C871674FB \
        encr_alg des \
        encrkey B2CB681E04072B0E

5) on hostB, the file is the following:

add esp spi 4027242223 src 10.10.10.2 dst 10.10.10.1 \
        auth_alg md5 \
        authkey BC62474CCC139ABC7979D28C871674FB \
        encr_alg des \
        encrkey B2CB681E04072B0E
add esp spi 7195221808 src 10.10.10.1 dst 10.10.10.2 \
        auth_alg md5 \
        authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 \
        encr_alg des \
        encrkey 2E1E8CDCD08F759E

6) on both hosts, I load this file with

ipseckey -f /etc/inet/ipseckey.conf

7) I set up the tunnel on hostA:

ifconfig ip.tun0 plumb
ifconfig ip.tun0 192.168.1.1 192.168.1.2 tsrc 10.10.10.1 tdst 10.10.10.2 \
    encr_algs des encr_auth_algs md5 up

8) and similarly on hostB:

ifconfig ip.tun0 plumb
ifconfig ip.tun0 192.168.1.2 192.168.1.1 tsrc 10.10.10.2 tdst 10.10.10.1 \
    encr_algs des encr_auth_algs md5 up

9) I can see the host-routes to the remote end of the tunnels being added in
the routing table of each host respectively

10) The PING to the other end of the tunnel goes out of the originating
machine, and appears (as seen with "snoop") on the destination machine, but
no reply packets are being sent back.

So, finally, the actual questions:
1) what commands exist to monitor the behaviour of this IPsec tunnel on
Solaris-9, e.g. to see any message about why packets are rejected?
2) from the above described configuration, is there anyone who can tell
what's wrong?

Any suggestions are well appreciated!

R. De Langhe
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
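Two properties of the posted ipseckey.conf files can be checked offline, without touching either host. The SPI is a 32-bit field in the ESP header (RFC 2406), so values above 4294967295 are out of range; 5669538998 and 7195221808 in the files above both exceed it. And with manual keying, each direction's SPI, algorithms and keys have to be identical on both hosts, because the receiver selects the inbound SA by destination address plus the SPI the sender wrote into the packet; in the two files as posted, the SPI for 10.10.10.1->10.10.10.2 is 5669538998 on hostA but 7195221808 on hostB, and the SPI for the reverse direction is 2516985906 on hostA but 4027242223 on hostB. The script below is an added example, not code from the original post or from Solaris: a POSIX sh/awk pre-flight check that flattens two ipseckey(1M) files in the layout used above, reports range errors and per-direction mismatches, and is run against the posted files and against a consistent pair. The hex keys are the ones from the post, reused only as constructed sample data (keys that have appeared on a public list should not be used for a real tunnel), and how ipseckey itself reacts to an over-long SPI is not something the script claims to know.

```shell
#!/bin/sh
# Added example, not code from the original post or from Solaris: a
# pre-flight check for a pair of manually keyed ipseckey(1M) files (one
# per host) before loading them with "ipseckey -f". Two properties must
# hold for a static ESP SA pair, and both are checkable offline:
#   1. an SPI is a 32-bit field, so it must lie in 0..4294967295;
#   2. for each direction (src -> dst) both hosts must carry the same SPI,
#      algorithms and keys: the receiver selects the inbound SA by the
#      (dst, SPI) the sender wrote into the ESP header, so a differing SPI
#      means "no SA" on the receiving side and the packet is dropped.
# Assumes the file layout from the post ("add esp spi N src A dst B \"
# followed by backslash-continued keyword/value lines); POSIX sh, awk, sed.

MAX_SPI=4294967295

# Flatten one file to a line per SA:
#   src dst spi auth_alg authkey encr_alg encrkey   ("-" when absent)
flatten_sas() {
    awk '
        function g(k) { return (k in kv) ? kv[k] : "-" }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf " " $0; next }
        {
            line = buf " " $0; buf = ""
            n = split(line, f)
            if (n < 2 || f[1] != "add" || f[2] != "esp") next
            split("", kv)
            for (i = 3; i < n; i += 2) kv[f[i]] = f[i + 1]
            print g("src"), g("dst"), g("spi"), g("auth_alg"), g("authkey"),
                  g("encr_alg"), g("encrkey")
        }' "$1"
}

# Compare hostA's file ($1) with hostB's ($2). Prints one finding per line
# (OK / RANGE / MISMATCH / MISSING) and returns 1 if any check failed.
check_pair() {
    { flatten_sas "$1" | sed 's/^/A /'; flatten_sas "$2" | sed 's/^/B /'; } |
    awk -v max="$MAX_SPI" '
        BEGIN { bad = 0 }
        {
            side = $1; key = $2 "->" $3; spi = $4
            rest = $4 " " $5 " " $6 " " $7 " " $8
            if (spi !~ /^[0-9]+$/ || spi + 0 > max) {
                print "RANGE", side, key, "spi", spi; bad = 1
            }
            if (side == "A") { seenA[key] = rest; next }
            seenB[key] = 1
            if (!(key in seenA)) { print "MISSING on A:", key; bad = 1 }
            else if (seenA[key] != rest) {
                print "MISMATCH", key, "A:", seenA[key], "B:", rest; bad = 1
            }
            else print "OK", key, "spi", spi
        }
        END {
            for (k in seenA) if (!(k in seenB)) { print "MISSING on B:", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample 1: the two files as posted (per-direction SPIs differ
# between the hosts, and two of them do not fit in 32 bits).
write_posted_confs() {
    cat > "$1/hostA.conf" <<'EOF'
add esp spi 5669538998 src 10.10.10.1 dst 10.10.10.2 \
    auth_alg md5 authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 encr_alg des encrkey 2E1E8CDCD08F759E
add esp spi 2516985906 src 10.10.10.2 dst 10.10.10.1 \
    auth_alg md5 authkey BC62474CCC139ABC7979D28C871674FB encr_alg des encrkey B2CB681E04072B0E
EOF
    cat > "$1/hostB.conf" <<'EOF'
add esp spi 4027242223 src 10.10.10.2 dst 10.10.10.1 \
    auth_alg md5 authkey BC62474CCC139ABC7979D28C871674FB encr_alg des encrkey B2CB681E04072B0E
add esp spi 7195221808 src 10.10.10.1 dst 10.10.10.2 \
    auth_alg md5 authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 encr_alg des encrkey 2E1E8CDCD08F759E
EOF
}

# Constructed sample 2: a consistent pair. With manual keying the simplest
# correct layout is one identical file on both hosts, SPIs in range (and
# above the IANA-reserved 1..255). Keys are the post's, as sample data only.
write_consistent_confs() {
    cat > "$1/hostA.conf" <<'EOF'
add esp spi 4027242223 src 10.10.10.1 dst 10.10.10.2 \
    auth_alg md5 authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 encr_alg des encrkey 2E1E8CDCD08F759E
add esp spi 2516985906 src 10.10.10.2 dst 10.10.10.1 \
    auth_alg md5 authkey BC62474CCC139ABC7979D28C871674FB encr_alg des encrkey B2CB681E04072B0E
EOF
    cp "$1/hostA.conf" "$1/hostB.conf"
}

# Run both samples in a scratch directory.
demo() {
    d=${TMPDIR:-/tmp}/sa-check.$$
    mkdir "$d" || return 1
    write_posted_confs "$d"
    echo "== files as posted =="
    check_pair "$d/hostA.conf" "$d/hostB.conf" || echo "-> not a working SA pair"
    write_consistent_confs "$d"
    echo "== consistent pair =="
    check_pair "$d/hostA.conf" "$d/hostB.conf" && echo "-> loadable on both hosts"
    rm -rf "$d"
}
demo
```

On the live systems the same comparison can be made from the kernel's view: `ipseckey dump` on each host lists the SAs that were actually installed, and `ipseckey monitor` prints the PF_KEY messages as SAs are added, deleted or rejected, which is the closest thing Solaris offers to "a message why packets would be rejected" at the SA level. Independently of the SPI question, single DES with HMAC-MD5 was already a weak choice in 2003; prefer 3DES or AES where the installed encryption packages provide them.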



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:58 EDT