SUMMARY: IPsec tunnel only working in one direction

From: Rob De Langhe <rob.delanghe_at_telindus.be>
Date: Wed Mar 12 2003 - 01:51:31 EST
Voila, problem solved, thanks to several of you who pointed out to me that the
SPI numbers on both hosts of the tunnel have to be the same. In fact, it
comes down to copying the /etc/inet/ipseckey.conf file from one machine to
the other, so that they are identical (both the numbers and the random keys
used).
Someone mentioned this works on his Solaris-8 setup; in my Solaris-9 setup
it does the job too.

I still have an empty /etc/inet/ipsecinit.conf file, though (thus no rules
specified to restrict traffic; the man pages are correct: an empty file
allows all traffic to go through).

On top of that, the 'ifconfig' arguments to configure the tunnel have to be
like this:

ifconfig ip.tun0 192.168.1.1 192.168.1.2 tsrc 10.10.10.1 tdst 10.10.10.2 encr_algs des encr_auth_algs md5

It does not work with the following command:

ifconfig ip.tun0 192.168.1.1 192.168.1.2 tsrc 10.10.10.1 tdst 10.10.10.2 auth_algs any


Kind regards,

Rob

> -----Original Message-----
> From: Rob De Langhe 
> Sent: Tuesday 11 March 2003 16:11
> To: 'sunmanagers@sunmanagers.org'
> Subject: IPsec tunnel only working in one direction
> 
> 
> Hi all,
> 
> we are trying to configure an IPsec tunnel between 2 Solaris-9 servers, in
> order to protect (via encryption and tunnelling) RPC-based traffic (like NFS
> and CDE communications) between the two hosts.
> 
> I would not post a question here if everything worked fine: after setting
> up the tunnel, when I "ping" from either machine to the other, I can see
> (with "snoop") the ESP packets leaving the machine and arriving on the
> interface of the other machine. But no "echo reply" goes back (no such
> packets coming out of the second machine).
> 
> All recent recommended patches have been installed on both machines, the
> full OS bundle of packages is loaded, as well as (for 64-bit operation) the
> package SUNWcarx.u.
> 
> This is the procedure I applied:
> 1) I created an empty /etc/inet/ipsecinit.conf file, which -according
> to the man page of ipsecconf- should result in all traffic being allowed to go
> in/out of the machine.
> 
> 2) I did the command "ipsecconf -a /etc/inet/ipsecinit.conf" to load the
> IPsec modules in the kernel.
> 
> 3) I checked the availability of the encryption algorithms with
> ndd /dev/ipsecesp ipsecesp_status
> which printed happily "Authentication algorithms = 2" and "Encryption
> algorithms = 3"
> 
> 4) on hostA, I created the following /etc/inet/ipseckey.conf file:
> 
> add esp spi 5669538998 src 10.10.10.1 dst 10.10.10.2 \
> 	auth_alg md5 \
> 	authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 \
> 	encr_alg des \
> 	encrkey 2E1E8CDCD08F759E
> add esp spi 2516985906 src 10.10.10.2 dst 10.10.10.1 \
> 	auth_alg md5 \
> 	authkey BC62474CCC139ABC7979D28C871674FB \
> 	encr_alg des \
> 	encrkey B2CB681E04072B0E
> 
> 5) on hostB, the file is the following:
> 
> add esp spi 4027242223 src 10.10.10.2 dst 10.10.10.1 \
> 	auth_alg md5 \
> 	authkey BC62474CCC139ABC7979D28C871674FB \
> 	encr_alg des \
> 	encrkey B2CB681E04072B0E
> add esp spi 7195221808 src 10.10.10.1 dst 10.10.10.2 \
> 	auth_alg md5 \
> 	authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 \
> 	encr_alg des \
> 	encrkey 2E1E8CDCD08F759E
> 
> 6) on both hosts, I load this file with
> 
> ipseckey -f /etc/inet/ipseckey.conf
> 
> 7) I set up the tunnel on hostA:
> 
> ifconfig ip.tun0 plumb
> ifconfig ip.tun0 192.168.1.1 192.168.1.2 tsrc 10.10.10.1 tdst 10.10.10.2 encr_algs des encr_auth_algs md5 up
> 
> 8) and similarly on hostB:
> 
> ifconfig ip.tun0 plumb
> ifconfig ip.tun0 192.168.1.2 192.168.1.1 tsrc 10.10.10.2 tdst 10.10.10.1 encr_algs des encr_auth_algs md5 up
> 
> 9) I can see the host-routes to the remote end of the tunnels being added in
> the routing table of each host respectively.
> 
> 10) The PING to the other end of the tunnel goes out of the originating
> machine, and appears (as seen with "snoop") on the destination machine, but
> no reply packets are being sent back.
> 
> So, finally the actual questions:
> 1) what commands exist to monitor the behaviour of this ipsec tunnel on
> Solaris-9, e.g. to see any message why packets would be rejected?
> 2) from the above described configuration, is there anyone who can tell
> what's wrong?
> 
> Any suggestions are well appreciated!
> 
> R. De Langhe
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
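As an added check (not part of the thread or of Solaris), a small Python script that parses both hosts' ipseckey.conf files and flags the asymmetries that leave a manually keyed tunnel one-directional: SAs for the same src/dst pair whose SPI, algorithms or keys differ, and SPI values that do not fit the 32-bit SPI field of the ESP header. The sample file contents are constructed from the entries quoted in the thread.

```python
import re

# Constructed sample ipseckey.conf contents, modelled on the two files quoted in
# the thread (hostA and hostB use different SPIs for the same src/dst pair).
HOSTA = """\
add esp spi 5669538998 src 10.10.10.1 dst 10.10.10.2 auth_alg md5 \\
    authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 encr_alg des encrkey 2E1E8CDCD08F759E
add esp spi 2516985906 src 10.10.10.2 dst 10.10.10.1 auth_alg md5 \\
    authkey BC62474CCC139ABC7979D28C871674FB encr_alg des encrkey B2CB681E04072B0E
"""
HOSTB = """\
add esp spi 4027242223 src 10.10.10.2 dst 10.10.10.1 auth_alg md5 \\
    authkey BC62474CCC139ABC7979D28C871674FB encr_alg des encrkey B2CB681E04072B0E
add esp spi 7195221808 src 10.10.10.1 dst 10.10.10.2 auth_alg md5 \\
    authkey DE1B1C84D3F0731ABD24CB9D6BE4E982 encr_alg des encrkey 2E1E8CDCD08F759E
"""

def parse_ipseckey(text):
    """Map (src, dst) -> field dict for every 'add' entry; backslash continuations are joined first."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    sas = {}
    for line in joined.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "add":
            continue
        fields = {"proto": tok[1], **dict(zip(tok[2::2], tok[3::2]))}
        sas[(fields["src"], fields["dst"])] = fields
    return sas

def check_peers(a_text, b_text):
    """Return the asymmetries between two hosts' SA files that would break one direction of the tunnel."""
    a, b = parse_ipseckey(a_text), parse_ipseckey(b_text)
    problems = []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            problems.append(f"{key}: SA present on only one host")
            continue
        for f in ("spi", "auth_alg", "authkey", "encr_alg", "encrkey"):
            if a[key].get(f) != b[key].get(f):
                problems.append(f"{key}: {f} differs ({a[key].get(f)} vs {b[key].get(f)})")
    # The SPI is a 32-bit field in the ESP header; a larger value cannot be what goes on the wire.
    for host, sas in (("hostA", a), ("hostB", b)):
        for key, fields in sas.items():
            if not 0 < int(fields["spi"]) < 2**32:
                problems.append(f"{host} {key}: spi {fields['spi']} does not fit in 32 bits")
    return problems

if __name__ == "__main__":
    print("\n".join(check_peers(HOSTA, HOSTB)))
```

Running it against the two quoted files reports the two mismatched SPIs; running it with the same file on both sides (the fix described above) leaves only the out-of-range SPI warnings.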
Received on Wed Mar 12 01:55:35 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:05 EST