IPsec tunnel using racoon - Security


Thread: IPsec tunnel using racoon

  1. IPsec tunnel using racoon

    Hi all,

    I am trying to setup IPsec in tunnel mode between two linux hosts using
    racoon as the IKE daemon. It works well in transport mode but in tunnel
    mode the packets are seen both as ESP and without encryption.

    Both hosts are running RHEL 4.0, kernel version 2.6.9-34

    #cat racoon.conf
    path pre_shared_key "/root/dee/psk.txt" ;
    remote anonymous
    {
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }

    SPD on host A (set using setkey)
    spdadd 180.144.100.53/32 180.144.100.51/32 any
    -P out ipsec esp/tunnel/180.144.100.53-180.144.100.51/require ;

    spdadd 180.144.100.51/32 180.144.100.53/32 any
    -P in ipsec esp/tunnel/180.144.100.51-180.144.100.53/require ;

    SPD on host B (set using setkey)
    spdadd 180.144.100.51/32 180.144.100.53/32 any
    -P out ipsec esp/tunnel/180.144.100.51-180.144.100.53/require ;

    spdadd 180.144.100.53/32 180.144.100.51/32 any
    -P in ipsec esp/tunnel/180.144.100.53-180.144.100.51/require ;


    After the policies are loaded I did a ping from host A to host B and
    captured the packets using tcpdump. I found that for every ICMP request
    there were 2 packets visible on tcpdump, one with ESP and one without ESP.
    Why are the packets visible without ESP?

    output of tcpdump on host 1 (blrmtoyota)
    16:16:31.850237 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
    16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)
    16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: icmp 64: echo reply seq 0

    output of tcpdump on host (blrmjordan)
    10:43:14.612079 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
    10:43:14.612824 IP 180.144.100.53 > 180.144.100.51: icmp 64: echo request seq 0
    10:43:14.612877 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)

    Is there anything wrong in the policies? Or is it because the packets are
    visible since the tunnel endpoints are the same as the src and dst?

    Thanks in advance
    ~dee



  2. Re: IPsec tunnel using racoon

    "dee" writes:

    > Hi all,


    Hi.


    > I am trying to setup IPsec in tunnel mode between two linux hosts using
    > racoon as the IKE daemon. It works well in transport mode but in tunnel
    > mode the packets are seen both as ESP and without encryption.


    I already noticed this bug.

    You can notice that each peer only sees INCOMING traffic both with and
    without encryption (you'll also see a third UDP packet if you have
    NAT-Traversal).

    It looks like Linux's IPSec stack reinjects packets "somewhere" before
    libpcap can see them, so packets will be seen before and after IPSec
    process.

    You can just add a sniffing device between your IPSec gates to be sure
    that the traffic is correctly encrypted on the wire.


    Yvan.
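    A small checker for the observation above (this is an added example, not code from either poster): it parses tcpdump lines in the format shown in the thread and separates plaintext packets that a tunnel endpoint is expected to see (incoming, and preceded by an ESP packet in the same direction, i.e. the decrypted copy the Linux stack reinjects) from plaintext that would indicate traffic actually bypassing IPsec. The two captures are copied from the first post; the function names and the host_ip parameter are my own.

    ```python
    import re
    from typing import Dict, List, Optional

    # Sample input: the two captures quoted in the thread, one packet per line.
    CAPTURE_HOST_A = """\
    16:16:31.850237 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
    16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)
    16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: icmp 64: echo reply seq 0
    """
    CAPTURE_HOST_B = """\
    10:43:14.612079 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
    10:43:14.612824 IP 180.144.100.53 > 180.144.100.51: icmp 64: echo request seq 0
    10:43:14.612877 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)
    """

    LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")

    def parse(capture: str) -> List[Dict]:
        """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
        packets = []
        for line in capture.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ts, src, dst, payload = m.groups()
            packets.append({"ts": ts, "src": src, "dst": dst,
                            "esp": payload.startswith("ESP("), "payload": payload})
        return packets

    def audit(capture: str, host_ip: Optional[str] = None) -> Dict[str, List[Dict]]:
        """Classify plaintext packets.

        host_ip set: capture taken on a tunnel endpoint. Incoming plaintext that
        follows an ESP packet in the same direction is the post-decryption copy
        and goes to "expected"; anything else plaintext goes to "leak" (for
        example, outgoing plaintext means the 'out' policy did not apply).
        host_ip None: capture taken on the wire between the gateways, so every
        plaintext packet is a leak.
        """
        result: Dict[str, List[Dict]] = {"expected": [], "leak": []}
        esp_seen = set()  # (src, dst) pairs for which an ESP packet was seen
        for p in parse(capture):
            if p["esp"]:
                esp_seen.add((p["src"], p["dst"]))
                continue
            incoming = host_ip is not None and p["dst"] == host_ip
            if incoming and (p["src"], p["dst"]) in esp_seen:
                result["expected"].append(p)
            else:
                result["leak"].append(p)
        return result
    ```

    Run against the host captures both plaintext packets are classified as expected; run with host_ip=None (as if sniffed between the gateways) the same lines are reported as leaks, which is exactly the test a wire-side sniffer should come back clean on.
    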

  3. Re: IPsec tunnel using racoon

    > You can just add a sniffing device between your IPSec gates to be sure
    > that the traffic is correctly encrypted on the wire.

    Thanks Yvan. I will check that.

    > Yvan.
