# IPsec

## NeddySeagoon

Team,

I've spent a few days trying to get IPsec going.  Ever the optimist, I emerged everything, configured it and nothing happened.

I wasn't really surprised.  Now I'm trying to get transport mode to work between two nodes, using manual keying, and I can't even get setkey to work.

One host is at eth0:1 192.168.3.20 (gentoo sources)

The other is on eth1:1 192.168.3.253 (hardened sources)

There is a firewall between them but anything to/from 192.168.3.0/24 is allowed. 

My /etc/ipsec-tools.conf is 

```
#!/usr/sbin/setkey -f
#
# THIS IS A SAMPLE FILE!
#
# This is a sample file to test Gentoo's ipsec-tools out of the box.
# Do not use it in production.  See: http://www.ipsec-howto.org/
#
# we are 192.168.3.253

flush;
spdflush;

# Security policies
spdadd 192.168.3.253 192.168.3.20 any -P in ipsec
        esp/transport//require
        ah/transport//require;

spdadd 192.168.3.20 192.168.3.253 any -P out ipsec
        esp/transport//require
        ah/transport//require;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.3.253 192.168.3.20 esp 0x201 -m transport
        -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
        -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.3.20 192.168.3.253 esp 0x301 -m transport
        -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
        -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
```

Which I feed to 

```
# /usr/sbin/setkey -f /etc/ipsec-tools.conf
The result of line 31: (null)
```

So it doesn't like the last statement.

Copying the file to the other host and running 

```
/usr/sbin/setkey -f /etc/ipsec-tools.conf
```

did not return any errors the first time but subsequent runs produce 

```
The result of line 31: (null)
```

Google isn't being my friend and, according to man setkey, the file should at least parse correctly.

I know it won't work with both ends identical, but it's not even setting up keys yet, so there is no possibility of passing any traffic.

If it helps any, racoon stalls at setting up phase2.

What's wrong with my /etc/ipsec-tools.conf?

=== edit ===

Maybe it's not my /etc/ipsec-tools.conf.  I've just thrown together a VBox install, handbook, genkernel, the whole 9 yards.

It JustWorks there. That would point to some bits missing from the kernel, but the ipsec-tools ebuild passes its kernel checks.

Thoughts?

----------
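The following is an added example, not code from the thread or from the Gentoo ipsec-tools package. It generates the two mirror-image `/etc/ipsec-tools.conf` files that a manually keyed ESP transport-mode pair needs, which is the point behind "it won't work with both ends identical": the `add` lines (the SAs) are the same on both hosts, but the `spdadd` entries are relative to the host, so `-P in` takes src=peer dst=self and `-P out` takes src=self dst=peer (the posted file, with "we are 192.168.3.253", has the two swapped). It also requires only ESP in the policy, since only ESP SAs are keyed; the sample's `ah/transport//require` can only be satisfied once AH SAs exist too. Assumptions that are not in the thread: aes-cbc with a 128-bit key and hmac-sha1 with a 160-bit key, arbitrary SPIs 0x201/0x301, and constructed demo keys that must not be reused.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the two mirror-image
# /etc/ipsec-tools.conf files for a manually keyed ESP transport-mode pair.
# Assumptions: aes-cbc with a 128-bit key and hmac-sha1 with a 160-bit key,
# arbitrary SPIs, and the constructed keys below (illustration only).
set -eu

HOST_A=192.168.3.253
HOST_B=192.168.3.20

# Constructed demo keys (do not reuse).  On a real host generate them with:
#   openssl rand -hex 16   # aes-cbc, 128-bit
#   openssl rand -hex 20   # hmac-sha1, 160-bit
ENC_A2B=0x00112233445566778899aabbccddeeff
AUTH_A2B=0x0123456789abcdef0123456789abcdef01234567
ENC_B2A=0xffeeddccbbaa99887766554433221100
AUTH_B2A=0x76543210fedcba9876543210fedcba9876543210

# hex_bits KEY: number of key bits encoded by a 0x-prefixed hex string
hex_bits() {
    k="${1#0x}"
    echo $(( ${#k} * 4 ))
}

# check_key KEY BITS: succeed only if KEY is hex and exactly BITS bits long.
# A key of the wrong length for the algorithm is rejected when the SA is
# added, so it is worth catching before feeding the file to setkey.
check_key() {
    k="${1#0x}"
    case "$k" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "$(hex_bits "$1")" -eq "$2" ]
}

# gen_setkey_conf SELF PEER SPI_OUT SPI_IN ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# Prints a setkey -f script for host SELF.  SPD entries are relative to the
# host (-P out: self -> peer, -P in: peer -> self) and therefore flip between
# the two files; the SA "add" lines are identified by src/dst/spi and are
# identical on both hosts.
gen_setkey_conf() {
    self="$1" peer="$2" spi_out="$3" spi_in="$4"
    enc_out="$5" auth_out="$6" enc_in="$7" auth_in="$8"
    for k in "$enc_out" "$enc_in"; do
        check_key "$k" 128 || { echo "bad aes-cbc key: $k" >&2; return 1; }
    done
    for k in "$auth_out" "$auth_in"; do
        check_key "$k" 160 || { echo "bad hmac-sha1 key: $k" >&2; return 1; }
    done
    cat <<EOF
#!/usr/sbin/setkey -f
# we are $self, peer is $peer
flush;
spdflush;

# Only ESP is required, because only ESP SAs are installed below.
# Requiring AH as well, with no AH SA keyed, can never be satisfied
# and matching traffic is dropped.
spdadd $self $peer any -P out ipsec
        esp/transport//require;
spdadd $peer $self any -P in ipsec
        esp/transport//require;

add $self $peer esp $spi_out -m transport
        -E aes-cbc $enc_out
        -A hmac-sha1 $auth_out;
add $peer $self esp $spi_in -m transport
        -E aes-cbc $enc_in
        -A hmac-sha1 $auth_in;
EOF
}

# Emit both files to stdout; redirect each to /etc/ipsec-tools.conf on its host.
echo "### file for $HOST_A"
gen_setkey_conf "$HOST_A" "$HOST_B" 0x201 0x301 \
    "$ENC_A2B" "$AUTH_A2B" "$ENC_B2A" "$AUTH_B2A"
echo "### file for $HOST_B"
gen_setkey_conf "$HOST_B" "$HOST_A" 0x301 0x201 \
    "$ENC_B2A" "$AUTH_B2A" "$ENC_A2B" "$AUTH_A2B"
```

After loading each file with `setkey -f`, `setkey -D` should list both SAs and `setkey -DP` both policies on each host; a SA present in only one direction is exactly the "IPsec one way, clear replies the other way" symptom. If the kernel refuses an `add`, check that the cipher is actually available to it (`grep -i aes /proc/crypto`, or the matching `CONFIG_CRYPTO_*` option) before suspecting the file.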

## schorsch_76

Maybe use the kernel config from the VirtualBox and add your needed drivers there. Test again ...

----------

## NeddySeagoon

schorsch_76,

The VBox kernel is genkernel all - the first time I have ever used genkernel.

I was planning on doing a binary search of the differences between the kernels, just in the crypto and network areas.

I can also try IPv6 but the aim is to interoperate with windows behind NAT on IPv4.

Thank you for the pointer.

----------

## user

Hi great user supporter NeddySeagoon,

maybe the last line needs a carriage return?

----------

## NeddySeagoon

Just to close off, it was several things.

a) The remains of the firewall getting in the way one way.

b) 3des, which is the encryption illustrated in the sample, doesn't work for me unless I use genkernel. des is broken too, but null and aes both work.

Null is not very secure :)

Once I got setkey to work with manual keying, racoon worked too.  Not with des and 3des though.

That's for another day.

A good diagnostic aid was IPsec one way and clear traffic responses.  It's just no security association in one direction.

I can now run IPSec in transport mode between two systems on the same subnet.

That's not very useful but I can build on what works.

Next up, tunnel mode, then tunnel mode through NAT.

Then tunnel mode through a firewall.

Lastly, l2tp and Windows ... and android ... and ...

----------

## schorsch_76

Actually your IPsec attempt made me try it too.... I need to know more about it. I need to try and test.

Edit: net-misc/strongswan should be easier to configure. It provides ipsec too.

----------

## NeddySeagoon

schorsch_76,

I need ipsec and l2tp to justwork.  

The idea is to open the network settings tool in Windows, set a VPN, and have it connect.

All the docs I have seen say that ipsec-tools is the way to go.  I'm aware of openswan and others.

Anyway, back to the original problem.  I'm at the network traversal stage and needed another box for testing.

I blew the dust off my Acer One netbook, which is a 32bit N270 CPU.

The default 3des just worked with setkey. Ouch.  

It appears that the 32 bit kernel forces on all the required crypto but the 64 bit kernel doesn't.

It's not that. Both systems have the same crypto setup.

----------

## schorsch_76

Hi Neddy,

I set up strongswan on my laptop and a qemu vm (both gentoo, both 64 bit, 4.x kernels).

```
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   authby=secret
   keyexchange=ikev2
   mobike=no
   auto=start

conn net
   left=192.168.175.1
   leftsubnet=10.16.1.0/24
   right=192.168.175.22
   rightsubnet=10.16.1.0/24
```

I added on both machines a tap device in the tunneled subnet (10.16.1.x). Now I see on my internal bridge with wireshark just ESP packets. It is basically this [3] setup.

According to [1] strongswan can use all ipsec protocols, PSK and so on. For Windows and strongswan see [2].

[1] https://en.wikipedia.org/wiki/StrongSwan

[2] http://www.csnc.ch/misc/files/publications/2009_scsII_andreas_steffen_VPNWindows7x.pdf

[3] https://www.strongswan.org/uml/testresults/ikev2/net2net-psk/

I hope especially link [2] helps you.

EDIT: For the traversal stage, you need to use tunnel mode, as AH mode doesn't support NAT. [4]

[4] https://en.wikipedia.org/wiki/IPsec#Modes_of_operation

----------

## schorsch_76

Hi Neddy,

One reason for the creation of strongswan was that the setup should be easier. It uses the same kernel functions.

It is just a hint for you. I did not know much about ipsec prior to this experiment.

Schorsch

----------

## NeddySeagoon

schorsch_76,

Thank you.  I clearly have a lot more reading to do.

My testing has been on a mix of physical (32bit and 64bit) and KVMs (64 bit hardened).

I've managed to break my test setup so that even racoon no longer works between two hosts on the same subnet.

It's back to manual keying, if I'm still going to try to do it the hard way.

I will probably give strongSwan a try.  I like the certificates part and the Windows set up presentation.

That saves me needing to do my own instructions.

----------

