Hi there,

I'm using linux 2.6.5 and ipsec-tools 0.3.2 on Slackware 9.1. I'm trying
to use IPsec between my (wireless) laptop and my home server. Basically,
it seems to work but tcpdump and iptables see incoming traffic two times:
first the encrypted ESP traffic, and then on the same interface the
same traffic but now unencrypted. This is a problem, since now I can't
filter all traffic except ESP on the interfaces (ARP not counted).

The network layout is as follows:

calvin:
eth0: 192.168.1.1/24, internal wired LAN (switched)
eth1: 10.0.0.150/24, crosscable to an ADSL "modem" (10.0.0.138)
eth2: 192.168.2.1/24, crosscable to an access point (192.168.2.2)
ppp0: 213.84.70.4/32, result of a PPTP connection to 10.0.0.138

tracer:
ath0: 192.168.2.100/24, wireless NIC using madwifi driver

What I saw when issuing "ping -c 1 192.168.1.10" on tracer:
===========================================================
(on calvin:)
root@calvin:~# tcpdump -n -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
14:48:56.577595 IP 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d)
14:48:56.577595 IP 192.168.2.100 > 192.168.1.10: icmp 64: echo request seq 1
14:48:56.578698 IP 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21)

3 packets captured
3 packets received by filter
0 packets dropped by kernel

(on tracer:)
root@tracer:~# tcpdump -n -i ath0
tcpdump: listening on ath0
14:48:46.854509 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d) (DF)
14:48:46.856588 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21) (DF)
14:48:46.856588 192.168.1.10 > 192.168.2.100: icmp: echo reply (DF)

3 packets received by filter
0 packets dropped by kernel

What I expected to see:
=======================
I expected only ESP traffic in the tcpdump output.

How I configured IPsec:
=======================
(on calvin:)
flush;
spdflush;

add 192.168.2.1 192.168.2.100 esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.2.1 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

spdadd 0.0.0.0/0 192.168.2.100/32 any -P out ipsec
           esp/tunnel/192.168.2.1-192.168.2.100/require;
spdadd 192.168.2.100/32 0.0.0.0/0 any -P in ipsec
           esp/tunnel/192.168.2.100-192.168.2.1/require;

(on tracer:)
flush;
spdflush;

add 192.168.2.1 192.168.2.100 esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.2.100 192.168.2.1 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

spdadd 0.0.0.0/0 192.168.2.100/32 any -P in ipsec
           esp/tunnel/192.168.2.1-192.168.2.100/require;

spdadd 192.168.2.100/32 0.0.0.0/0 any -P out ipsec
           esp/tunnel/192.168.2.100-192.168.2.1/require;

(This is the exact configuration used. Bonus points if you recognize the keys.
:-) )

What I'm trying to accomplish:
==============================
Since I don't trust WEP I want to use IPsec on my wireless network. To do
that, I have connected the access point to a dedicated interface on calvin
where I can firewall it, and only let through IPsec-protected traffic.
On calvin, the traffic may be decrypted and sent on its way.

Questions:
==========
1. Is the observed behaviour to be expected?
2. Am I doing the right thing here?
3. If not, what should I do to use IPsec on the wireless segment?


Hopefully someone can help me here!

Thanks,
-- 
Jurjen Oskam

"Avoid putting a paging file on a fault-tolerant drive, such as a mirrored
volume or a RAID-5 volume. Paging files do not need fault-tolerance."-MS Q308417
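
An added example, not part of the original post: a small Python parser for the two tcpdump captures quoted above that pairs each cleartext packet with an inbound ESP packet carrying the same capture timestamp, and reports any cleartext packet that has no such partner. It assumes that such a pair is one packet seen before and after decapsulation; the function names are made up for this example.

```python
import re
from collections import Counter

# Constructed sample input: the packet lines copied from the two captures in the post.
CALVIN_ETH2 = """\
14:48:56.577595 IP 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d)
14:48:56.577595 IP 192.168.2.100 > 192.168.1.10: icmp 64: echo request seq 1
14:48:56.578698 IP 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21)
"""
TRACER_ATH0 = """\
14:48:46.854509 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d) (DF)
14:48:46.856588 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21) (DF)
14:48:46.856588 192.168.1.10 > 192.168.2.100: icmp: echo reply (DF)
"""

# Matches both output styles above (with and without the "IP" token);
# an optional ".port" suffix after each address is tolerated and ignored.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:IP )?"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?: (?P<rest>.*)$")

def parse(text):
    """Return one dict per packet line; banner and summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["esp"] = pkt["rest"].startswith("ESP(")
            packets.append(pkt)
    return packets

def classify(text, tunnel_endpoint):
    """Split cleartext packets into 'decapsulated' and 'unprotected'.

    tunnel_endpoint is the capturing host's own tunnel address. Assumption:
    a cleartext packet with the same timestamp as an ESP packet addressed
    to that endpoint is the decrypted copy of it.
    """
    packets = parse(text)
    esp_in = Counter(p["ts"] for p in packets
                     if p["esp"] and p["dst"] == tunnel_endpoint)
    result = {"decapsulated": [], "unprotected": []}
    for p in packets:
        if p["esp"]:
            continue
        if esp_in[p["ts"]] > 0:
            esp_in[p["ts"]] -= 1      # each ESP packet explains one cleartext copy
            result["decapsulated"].append(p)
        else:
            result["unprotected"].append(p)
    return result
```

Calling `classify(CALVIN_ETH2, "192.168.2.1")` or `classify(TRACER_ATH0, "192.168.2.100")` returns the result dictionary for the respective host.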