RE: [Users] Starting IPsec6

From: Gessler Gerhard (Gessler_at_iabg.de)
Date: Fri Oct 04 2002 - 09:20:23 CEST


> -----Original Message-----
> From: Kaustubh.Kumbhalkar_at_lntinfotech.com
> [mailto:Kaustubh.Kumbhalkar_at_lntinfotech.com]
> Sent: Thursday, October 03, 2002 12:35 PM
> To: Gessler Gerhard; users_at_lists.freeswan.org
> Subject: RE: [Users] Starting IPsec6
>
>
> the installation is up now,
> first problem was that IP compression was enabled.

We clearly state in our documentation that IP compression MUST
be turned off.

> this was fixed but then packets were shown as being
> truncated by tcpdump, I was getting the 'truncated packet'
> message whenever tcpdump was run on either one of the IPsec
> enabled machines that were communicating with each other.
> when the packets are observed on a third machine not
> involved in the communication of machine 1 and 2 the
> packets are shown properly. (why?)

This is a well-known and also documented "feature" of libpcap.
See FreeSWAN documentation for details.
I cannot tell you why this is happening, only that it happens and
what it looks like, but you have found that already.

One cannot do anything about that, just run the sniffer on a third
machine (as you have already done). This way you really see what's sent
on the wire.

Regards,

        Gerhard

>
> thanks and regards.
>
>
> Monday, 30 September 2002 1:18 PM
> To: <Kaustubh.Kumbhalkar_at_lntinfotech.com>,
> <users_at_lists.freeswan.org>
> cc:
> From: "Gessler Gerhard" <Gessler_at_iabg.de>
> Subject: RE: [Users] Starting IPsec6
>
>
>
> Hi,
>
> I need more information to tell what's going wrong.
>
> Used setup and IPv6 addresses, ipsec.conf, logging, SPD
> (via "ipsec spd6") etc.
>
> Gerhard
>
>
> > -----Original Message-----
> > From: Kaustubh.Kumbhalkar_at_lntinfotech.com
> > [mailto:Kaustubh.Kumbhalkar_at_lntinfotech.com]
> > Sent: Thursday, September 26, 2002 9:18 PM
> > To: Gessler Gerhard; users_at_lists.freeswan.org
> > Subject: RE: [Users] Starting IPsec6
> >
> >
> > in continuation with my previous mail ...
> > it seems that the authentication is failing in all cases (i.e.
> > tunnel/transport with or without AH/ESP).
> > the 2 machines keep sending packets to each other in a loop
> > for some time,
> > and every time authentication fails at each end.
> > correspondingly the packet
> > size also keeps growing. I suppose these are ICMP messages.
> > (am I right?)
> >
> > any suggestions what could be causing this...
> >
> > thanks for your suggestions, I was able to get across the ph
> > I and ph II
> > exchanges.
> >
> >
> > Friday, 27 September 2002 4:29 PM
> > To: <Kaustubh.Kumbhalkar_at_lntinfotech.com>,
> > <users_at_lists.freeswan.org>
> > cc:
> > From: "Gessler Gerhard" <Gessler_at_iabg.de>
> > Subject: RE: [Users] Starting IPsec6
> >
> >
> >
> > > -----Original Message-----
> > > From: Kaustubh.Kumbhalkar_at_lntinfotech.com
> > > [mailto:Kaustubh.Kumbhalkar_at_lntinfotech.com]
> > > Sent: Thursday, September 26, 2002 9:39 AM
> > > To: users_at_lists.freeswan.org
> > > Subject: [Users] Starting IPsec6
> > >
> > >
> >
> > Hi,
> >
> > [snipped some commands]
> >
> > your given commands look fine.
> >
> > > it proceeds up to STATE_MAIN_I3: expecting MR3
> > > but beyond that it starts retransmitting the message
> > > probably because the
> > > encrypted packet is not decrypted at machine2 and no
> > > response is received
> > > by machine 1.
> >
> > Please have a look at the logfile produced on machine2
> > (the responder) if you have logging enabled in Pluto.
> > It probably writes there that it cannot authenticate
> > the message received from machine1.
> >
> > How are you doing ISAKMP authentication?
> > Pre-shared secret? RSA-Keys?
> >
> > If you use PSK then the two secrets in /etc/ipsec.secrets
> > do not match or the IPv6 addresses are not correct.
> > If you use RSA-Keys then
> > (1) something went probably wrong when you copied
> > the keys from ipsec.secrets to ipsec.conf
> > (2) the given id's in ipsec.conf do not match
> >
> > Hope this helps. If not then please give us more
> > information (used setup and addresses, ipsec.conf,
> > logging etc)
> >
> > Cheers,
> >
> > Gerhard
> >
> > > I am not able to proceed beyond this.
> > > is there a configuration step I have overlooked?
> > >
> > > thanks and regards.
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users_at_lists.freeswan.org
> > > http://lists.freeswan.org/mailman/listinfo/users
> > >
> >
> > --------------------------------------------
> > Gerhard Geßler
> >
> > Communication Networks, IABG mbH
> > Einsteinstr. 20
> > 85521 Ottobrunn, Germany
> >
> > Telefon: +49 89 6088 - 2021
> > Fax: +49 89 6088 - 2845
> >
> > E-Mail: gessler_at_iabg.de
> >
> >
>

--------------------------------------------
Gerhard Geßler

Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany

Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845

E-Mail: gessler_at_iabg.de
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
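
The pre-shared-secret check suggested earlier in the thread (secrets in /etc/ipsec.secrets that do not match, or wrong IPv6 addresses) can be automated; the following is an added example, not part of the original messages or of FreeS/WAN. It assumes one PSK entry per line, indexed by exactly two addresses; the function names and sample files are constructed for illustration.

```python
import hmac
import ipaddress
import re

# Constructed sample files; addresses use the 2001:db8::/32 documentation prefix.
MACHINE1 = '''
# machine1 /etc/ipsec.secrets (constructed)
2001:db8::1 2001:db8::2 : PSK "correct horse battery"
'''
MACHINE2 = '''
# machine2 /etc/ipsec.secrets (constructed, secret has a typo)
2001:db8:0:0:0:0:0:2 2001:db8::1 : PSK "correct horse batery"
'''

# Index list, then a colon followed by whitespace, then PSK "secret".
# Requiring whitespace after the separator keeps the colons inside IPv6
# addresses from being mistaken for it.
ENTRY = re.compile(r'^(?P<ids>.*?)\s*:\s+PSK\s+"(?P<psk>[^"]*)"\s*$')

def norm(index):
    """Canonical form of an address index, so ::2 and 0:0:...:2 compare equal."""
    try:
        return str(ipaddress.ip_address(index))
    except ValueError:
        return index  # non-address indices are compared as written

def psk_entries(text):
    """Map frozenset of normalised indices -> secret for every PSK line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # comments, blank lines and non-PSK entries do not match
            entries[frozenset(norm(i) for i in m["ids"].split())] = m["psk"]
    return entries

def check_pair(text_a, text_b, addr_a, addr_b):
    """Return 'match', 'mismatch' or 'missing' for the PSK of two peers."""
    key = frozenset((norm(addr_a), norm(addr_b)))
    a = psk_entries(text_a).get(key)
    b = psk_entries(text_b).get(key)
    if a is None or b is None:
        return "missing"  # no entry indexed by exactly these two addresses
    # Constant-time compare; the secrets themselves are never printed.
    return "match" if hmac.compare_digest(a.encode(), b.encode()) else "mismatch"

if __name__ == "__main__":
    print(check_pair(MACHINE1, MACHINE2, "2001:db8::1", "2001:db8::2"))
```

A "missing" result corresponds to the address problem and "mismatch" to the differing-secret problem named in the thread.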



This archive was generated by hypermail 2.1.5 : Sat Oct 05 2002 - 05:20:20 CEST