# ipsec (2.6 kernel, ipsec-tools) transport mode, auto keying

## eightn

People, could you tell me how to set up an "ipsec transport mode connection" with automatic key generation between two hosts?

Let there be two hosts:

```
net (10.10.0.0/24) = 10.0.0.1 --- 10.0.0.2 = net (10.20.0.0/24)
```

How do I set up an ipsec connection in transport mode between them?

Tunnel mode is fine; in the simplest case, for the left machine (10.0.0.1) the configs look like this:

/etc/ipsec.conf

```
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec
            esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in ipsec
            esp/tunnel/10.0.0.2-10.0.0.1/require;
```

/etc/racoon.conf

```
remote 10.0.0.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}

sainfo address 10.10.0.0/24 any address 10.20.0.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

For the right machine (10.0.0.2) everything is mirrored. We start the racoon daemon, the tunnel comes up and the traffic goes through.

And how to do the same (with automatic key generation) for a "transport mode ipsec connection"?

I do it by analogy:

/etc/ipsec.conf

```
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
            esp/transport//require
            ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
            esp/transport//require
            ah/transport//require;
```

/etc/racoon.conf

```
remote 10.0.0.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}

sainfo address 10.0.0.1 any address 10.0.0.2 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Unfortunately, www.ipsec-howto.org says nothing about transport mode with an auto-keyed connection.

The racoon logs say:

```
/usr/sbin/racoon -f /etc/racoon/racoon.conf -4 -F
INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
```

On the 10.0.0.2 machine:

```
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
ERROR: phase1 negotiation failed due to time up. 894021715a4b0fba:0da61a7661898aa9
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
```

I.e. something stalls at phase 1, but where?
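The log above shows phase 1 being started repeatedly and timing out before an ISAKMP SA exists, so every phase 2 request is queued and then dropped. The script below is an added example (not part of the thread or of ipsec-tools) that classifies racoon log lines and reports which stage a negotiation reached. The stalled sample is excerpted from the post; the healthy sample is constructed, and it assumes racoon's usual wording "ISAKMP-SA established" / "IPsec-SA established" for a completed phase 1 / phase 2 (those messages do not appear in the thread).

```python
"""Summarise where a racoon (ipsec-tools) IKE negotiation stalls.

Added example, not from the thread. Verdicts:
  "ok"     - an IPsec SA came up
  "phase2" - ISAKMP SA is up, the IPsec SA never completed (look at
             sainfo selectors / SPD policies on both peers)
  "phase1" - IKE was started but never completed (look at the 'remote'
             proposal, pre-shared key and UDP/500 reachability)
  "no-ike" - no phase 1 was ever attempted
"""
import re

# (event name, pattern). Each line maps to at most one event.
EVENTS = [
    ("phase1_start",  re.compile(r"(initiate|respond) new phase 1 negotiation")),
    ("phase1_ok",     re.compile(r"ISAKMP-SA established")),     # assumed wording
    ("phase1_fail",   re.compile(r"phase1 negotiation failed")),
    ("retransmit",    re.compile(r"packet is retransmitted by (\S+)")),
    ("phase2_queued", re.compile(r"(IPsec-SA request|request for establishing IPsec-SA) .*queued")),
    ("phase2_ok",     re.compile(r"IPsec-SA established")),      # assumed wording
    ("phase2_fail",   re.compile(r"phase2 negotiation failed")),
]


def classify(line):
    """Return the event name for one log line, or None if it is noise."""
    for name, rx in EVENTS:
        if rx.search(line):
            return name
    return None


def triage(lines):
    """Count events and decide how far the negotiation got."""
    counts = {name: 0 for name, _ in EVENTS}
    for line in lines:
        event = classify(line)
        if event:
            counts[event] += 1
    if counts["phase2_ok"]:
        verdict = "ok"
    elif counts["phase1_ok"]:
        verdict = "phase2"
    elif counts["phase1_start"]:
        verdict = "phase1"
    else:
        verdict = "no-ike"
    return verdict, counts


# Excerpt of the initiator's (10.0.0.1) log as posted in the thread.
STALLED_LOG = """\
INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
""".splitlines()

# Constructed log of a successful transport-mode negotiation (assumed wording).
HEALTHY_LOG = """\
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
INFO: ISAKMP-SA established 10.0.0.1[500]-10.0.0.2[500] spi:EXAMPLE
INFO: initiate new phase 2 negotiation: 10.0.0.1[0]<=>10.0.0.2[0]
INFO: IPsec-SA established: ESP/Transport 10.0.0.2[0]->10.0.0.1[0] spi=EXAMPLE
""".splitlines()

if __name__ == "__main__":
    for name, log in (("thread log", STALLED_LOG), ("healthy log", HEALTHY_LOG)):
        verdict, counts = triage(log)
        print(f"{name}: stalled at {verdict!r}, {counts['retransmit']} retransmits")
```

Run against the posted excerpt it reports `phase1` with four retransmits from 10.0.0.2, which matches the responder's "phase1 negotiation failed due to time up": the peer answers, but main mode never finishes, so the problem is in phase 1 (the `remote` block or the pre-shared key), not in the `sainfo` or SPD entries.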

----------

## think4urs11

Hi!

1. You are using AH on 10.0.0.2 but not on 10.0.0.1, remove AH

2. You need to have a second sainfo entry with source and destination addresses switched, otherwise you can send traffic out but nothing is allowed to come in

3. (not sure) 'normally' 3DES/SHA1 is bundled with dh_group 2, not 5

HTH

T.
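Points 1 and 2 above are both about symmetry: the SPD on each host and the sainfo on each host must be mirror images of the peer's, down to the protocol bundle (ESP alone versus ESP plus AH). The following added example (my code, not ipsec-tools' and not from the thread) generates the setkey and racoon fragments for both peers from the two addresses, parses setkey text in the multi-line form posted above, and reports any policy on one host that has no mirror on the other. The host addresses are the thread's; the helper names are mine.

```python
"""Generate and cross-check mirrored ipsec-tools transport-mode configs.

Added example, not from the thread or from ipsec-tools. A transport-mode
SPD 'out' policy src->dst on one host must have a matching 'in' policy
src->dst, with the same protocol bundle, on the peer.
"""
import re


def spd_entries(local, remote, protocols=("esp",)):
    """setkey 'spdadd' lines for one host: an 'out' policy and its 'in' mirror.

    Several 'proto/transport//require' policies on one spdadd form a bundle,
    e.g. ESP followed by AH as in the posted config."""
    policy = " ".join(f"{p}/transport//require" for p in protocols)
    return [
        f"spdadd {local}/32 {remote}/32 any -P out ipsec {policy};",
        f"spdadd {remote}/32 {local}/32 any -P in ipsec {policy};",
    ]


def sainfo_entries(local, remote):
    """racoon 'sainfo' blocks for one host, one per direction (point 2 above)."""
    body = ("        encryption_algorithm 3des;\n"
            "        authentication_algorithm hmac_sha1;\n"
            "        compression_algorithm deflate;\n}")
    return [f"sainfo address {local} any address {remote} any {{\n{body}",
            f"sainfo address {remote} any address {local} any {{\n{body}"]


# spdadd <src> <dst> <upper> -P <dir> ipsec <policy...> ;  (policies may span lines)
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.*?);", re.S)


def parse_spd(text):
    """Set of (src, dst, direction, (policy, ...)) tuples from setkey text."""
    entries = set()
    for src, dst, _upper, direction, policy in SPD_RE.findall(text):
        entries.add((src, dst, direction, tuple(policy.split())))
    return entries


def mirror_mismatches(spd_a, spd_b):
    """Entries on either host that the other host does not mirror.

    Flipping 'out' to 'in' (and back) on the peer's entries should reproduce
    our own set exactly; anything left over is a mismatch."""
    def flip(entries):
        return {(s, d, "in" if dr == "out" else "out", p) for s, d, dr, p in entries}
    return sorted((spd_a - flip(spd_b)) | (spd_b - flip(spd_a)))


# The 10.0.0.1 ipsec.conf exactly as posted in the thread (multi-line form).
POSTED_10_0_0_1 = """
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
            esp/transport//require
            ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
            esp/transport//require
            ah/transport//require;
"""

if __name__ == "__main__":
    host_a = "\n".join(spd_entries("10.0.0.1", "10.0.0.2", ("esp", "ah")))
    host_b = "\n".join(spd_entries("10.0.0.2", "10.0.0.1", ("esp", "ah")))
    print("generated 10.0.0.1 SPD:\n" + host_a)
    print("mismatches vs generated peer:", mirror_mismatches(parse_spd(host_a), parse_spd(host_b)))
    print("mismatches posted vs generated peer:",
          mirror_mismatches(parse_spd(POSTED_10_0_0_1), parse_spd(host_b)))
    # Peer that forgot AH: every entry on both sides is now unmatched.
    esp_only_b = "\n".join(spd_entries("10.0.0.2", "10.0.0.1", ("esp",)))
    for m in mirror_mismatches(parse_spd(host_a), parse_spd(esp_only_b)):
        print("unmatched:", m)
    print("\n\n".join(sainfo_entries("10.0.0.1", "10.0.0.2")))
```

The check is deliberately strict about the protocol bundle: a host that requires `esp ah` while its peer only requires `esp` is reported, which is the kind of asymmetry point 1 warns about and which the kernel would otherwise only reveal as silently dropped packets.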

----------

## eightn

Mysticism... I have now changed the IP addresses on both computers and accordingly corrected only the addresses in ipsec.conf and racoon.conf.

After that everything worked (in transport mode) :-0

Probably last time I made a mistake somewhere in the syntax.

But I would like some clarification on your message.

*Think4UrS11 wrote:*

> 1. You are using AH on 10.0.0.2 but not on 10.0.0.1, remove AH

I did not understand that sentence.

AH is used on both computers. Should it be disabled on one of them? Why?

ipsec.conf at 10.0.0.1

```
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
            esp/transport//require
            ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
            esp/transport//require
            ah/transport//require;
```

ipsec.conf at 10.0.0.2

```
spdadd 10.0.0.2/32 10.0.0.1/32 any -P out ipsec
            esp/transport//require
            ah/transport//require;
spdadd 10.0.0.1/32 10.0.0.2/32 any -P in ipsec
            esp/transport//require
            ah/transport//require;
```

*Quote:*

> 2. You need to have a second sainfo entry with source and destination addresses switched, otherwise you can send traffic out but nothing is allowed to come in

In racoon.conf?

Shouldn't the second sainfo be specified only on the remote computer?

racoon.conf at 10.0.0.1

```
remote 10.0.0.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}

sainfo address 10.0.0.1 any address 10.0.0.2 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

racoon.conf at 10.0.0.2

```
remote 10.0.0.1 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}

sainfo address 10.0.0.2 any address 10.0.0.1 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

At least with the configs above everything works correctly.

*Quote:*

> 3. (not sure) 'normally' 3DES/SHA1 is bundled with dh_group 2, not 5

Yes, thanks. I was simply testing how ipsec works with various parameters.

----------

## think4urs11

*eightn wrote:*

> I did not understand that sentence.
>
> AH is used on both computers. Should it be disabled on one of them? Why?

Look at your first post - the racoon.confs differ a lot(!); that's why I mentioned it.

*Quote:*

> At least with the configs above everything works correctly.

Maybe I'm wrong, but I think it is only possible for connections with source 10.0.0.1 to go to 10.0.0.2, NOT from 10.10.0.0/x.

What I understood from your first post was that you want to tunnel between the 10.10.0.0 and 10.20.0.0 networks.

----------

## eightn

*Think4UrS11 wrote:*

> *eightn wrote:*
>
> > I did not understand that sentence.
> >
> > AH is used on both computers. Should it be disabled on one of them? Why?
>
> Look at your first post - the racoon.confs differ a lot(!); that's why I mentioned it.
> ...

I do not see any differences between the racoon.conf in the first message and in the last.

Though in the first message I gave two different racoon.conf examples: the first for tunnel mode, the second for transport mode.

Or perhaps there are language difficulties; my translation from Russian into English comes out poorly, in the other direction I understand much better :)

*Quote:*

> *Quote:*
>
> > At least with the configs above everything works correctly.
>
> Maybe I'm wrong, but I think it is only possible for connections with source 10.0.0.1 to go to 10.0.0.2, NOT from 10.10.0.0/x.
>
> What I understood from your first post was that you want to tunnel between the 10.10.0.0 and 10.20.0.0 networks.

Oh, my carelessness :(

Sorry.

Initially I wanted to make an ipsec transport mode connection between 10.0.0.1 && 10.0.0.2.

I drew the picture with networks behind these two hosts only as an example for tunnel mode.

And is it even possible to make a transport mode connection between 10.10.0.0/24 && 10.20.0.0/24 that ipsec on hosts 10.0.0.1 and 10.0.0.2 would provide?

I believed that transport mode works exclusively between two hosts.

----------

