Hello, I am trying to set up IPsec in my network, for now just between two hosts, using AH & ESP in tunnel mode to get the whole packet encrypted. Keys are negotiated with racoon. Maybe using tunnel mode in this case seems strange, but I know what I am doing. After setting up everything I have done a few tests with ping & tcpdump, but the results are very surprising. Below is what I got when trying to ping (ping -I 192.168.2.11 192.168.1):

16:09:36.289743 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x3): IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x3) (ipip-proto-4)
16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x3): IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3) (ipip-proto-4)

so far so nice...

16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3)

yet another ESP?

16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 2

???? (you do not exist. go away.)

16:09:37.290596 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x4): IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x4): IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 3

So as you can see, 192.168.2.10 responds with three packets on each ping. Why is it so? What should I do to get a proper IPsec configuration here? I can add that the same results occur with other protocols as well.
Below is my configuration.

On host 192.168.2.10, racoon.conf:

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    path certificate "/usr/local/etc/racoon/certs";

    listen {
        isakmp 192.168.2.10;
        strict_address;
    }

    remote 192.168.2.11 {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "mad.public" "mad.private";
        peers_certfile x509 "laptop.public";
        send_cert on;
        send_cr on;
        verify_cert on;
        lifetime time 300 sec;
        passive off;
        proposal_check strict;
        nonce_size 256;
        proposal {
            encryption_algorithm blowfish 448;
            hash_algorithm sha1 512;
            authentication_method rsasig;
            dh_group modp4096;
            lifetime time 300 sec;
        }
    }

    sainfo anonymous {
        pfs_group modp4096;
        lifetime time 300 sec;
        encryption_algorithm rijndael 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    padding {
        randomize on;
        randomize_length on;
        strict_check on;
    }

Script for setting up the policy on 192.168.2.10:

    #!/usr/bin/setkey -f
    flush;
    spdflush;
    spdadd 192.168.2.10/32 192.168.2.11/32 any -P out ipsec
        esp/tunnel/192.168.2.10-192.168.2.11/require
        ah/tunnel/192.168.2.10-192.168.2.11/require;
    spdadd 192.168.2.11/32 192.168.2.10/32 any -P in ipsec
        esp/tunnel/192.168.2.11-192.168.2.10/require
        ah/tunnel/192.168.2.11-192.168.2.10/require;

Configuration for host 192.168.2.11, racoon.conf:

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    path certificate "/usr/local/etc/racoon/certs";

    listen {
        isakmp 192.168.2.11;
        strict_address;
    }

    remote 192.168.2.10 {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        certificate_type x509 "laptop.public" "laptop.private";
        peers_certfile x509 "mad.public";
        send_cert on;
        send_cr on;
        verify_cert on;
        lifetime time 300 sec;
        passive off;
        proposal_check strict;
        nonce_size 256;
        proposal {
            encryption_algorithm blowfish 448;
            hash_algorithm sha1 512;
            authentication_method rsasig;
            dh_group modp4096;
            lifetime time 300 sec;
        }
    }

    sainfo anonymous {
        pfs_group modp4096;
        lifetime time 300 sec;
        encryption_algorithm rijndael 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    padding {
        randomize on;
        randomize_length on;
        strict_check on;
    }

Script for setting up the policy on 192.168.2.11:

    #!/usr/bin/setkey -f
    flush;
    spdflush;
    spdadd 192.168.2.11/32 192.168.2.10/32 any -P out ipsec
        esp/tunnel/192.168.2.11-192.168.2.10/require
        ah/tunnel/192.168.2.11-192.168.2.10/require;
    spdadd 192.168.2.10/32 192.168.2.11/32 any -P in ipsec
        esp/tunnel/192.168.2.10-192.168.2.11/require
        ah/tunnel/192.168.2.10-192.168.2.11/require;

What have I done wrong?

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
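Added example, not part of the post above and not code from racoon or setkey: a small Python script that parses the tcpdump lines quoted in the post and groups them by timestamp, source and destination. Lines in one group share a timestamp and carry the same ESP SPI and sequence number, so they are not three transmissions but three views of one received packet. On Linux an inbound IPsec packet is handed back to the IP stack after each AH or ESP layer is stripped, and tcpdump on the receiver prints it at every stage (AH-wrapped, ESP-only, then the plaintext ICMP), while an outbound packet is printed once after all transforms. The script checks SPI/sequence consistency across each group and infers which host tcpdump ran on (the destination of the multi-stage groups). The sample input is the capture from the post, embedded verbatim.

```python
import re
from collections import OrderedDict

# The tcpdump lines quoted in the post above, embedded as sample input.
CAPTURE = """\
16:09:36.289743 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x3): IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x3) (ipip-proto-4)
16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x3): IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3) (ipip-proto-4)
16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x3)
16:09:36.289968 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 2
16:09:37.290596 IP 192.168.2.11 > 192.168.2.10: AH(spi=0x00db7ebd,seq=0x4): IP 192.168.2.11 > 192.168.2.10: ESP(spi=0x05ec9334,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: AH(spi=0x02c8c78c,seq=0x4): IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4) (ipip-proto-4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: ESP(spi=0x043cdc13,seq=0x4)
16:09:37.290935 IP 192.168.2.10 > 192.168.2.11: icmp 64: echo reply seq 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$")
# Matches every AH(...) / ESP(...) header tcpdump decoded on a line, outermost first.
SA_RE = re.compile(r"(AH|ESP)\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse_line(line):
    """Parse one tcpdump line; returns None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    sas = SA_RE.findall(d["rest"])
    # The outermost header is what the stack had not yet stripped when tcpdump saw it.
    d["stage"] = sas[0][0] if sas else "plain"
    d["sas"] = {proto: (spi, seq) for proto, spi, seq in sas}
    return d


def group_packets(capture):
    """Group lines by (timestamp, src, dst).

    Linux re-injects an inbound IPsec packet after each AH/ESP layer is removed,
    so the receiver's tcpdump prints one packet once per stage, same timestamp.
    """
    groups = OrderedDict()
    for line in capture.splitlines():
        d = parse_line(line)
        if d:
            groups.setdefault((d["ts"], d["src"], d["dst"]), []).append(d)
    return groups


def same_packet(group):
    """True if SPI/seq values agree across all stages, i.e. the lines are views of
    one packet rather than separate transmissions on the wire."""
    ref = {}
    for d in group:
        for proto, spi_seq in d["sas"].items():
            if ref.setdefault(proto, spi_seq) != spi_seq:
                return False
    return True


def capture_host(groups):
    """The host tcpdump ran on is the destination of the multi-stage (inbound) groups."""
    hosts = {dst for (_ts, _src, dst), g in groups.items() if len(g) > 1}
    return hosts.pop() if len(hosts) == 1 else None


def report(capture):
    """Return (capture host, one summary dict per distinct packet)."""
    groups = group_packets(capture)
    host = capture_host(groups)
    rows = []
    for (ts, _src, dst), g in groups.items():
        rows.append({
            "ts": ts,
            "dir": "in" if dst == host else "out",
            "stages": [d["stage"] for d in g],
            "one_packet": same_packet(g),
        })
    return host, rows


if __name__ == "__main__":
    host, rows = report(CAPTURE)
    print("capture taken on", host)
    for r in rows:
        print(r["ts"], r["dir"], " -> ".join(r["stages"]),
              "consistent" if r["one_packet"] else "SPI/seq MISMATCH")
```

Run as-is to see two outbound packets printed once (AH outer) and two inbound packets printed three times each (AH, ESP, plain); a group whose SPI or sequence numbers disagree would indicate genuinely separate packets and would be worth chasing in the SPD or SAD.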