
Date: Wed, 25 Mar 2009 11:28:50 -0400
From: szhou <szhou@redhat.com>
Subject: [users:01144] Re: issue about IKEv2 self test
To: Hiroki ENDO <velo@tahi.org>
Cc: users@tahi.org
Message-Id: <49CA4DB2.3090003@redhat.com>
In-Reply-To: <20090323114755.d9ccf7ce.velo@tahi.org>
References: <49C1A40D.5040705@redhat.com> <20090323114755.d9ccf7ce.velo@tahi.org>
X-Mail-Count: 01144

Hi, All

I configured the NUT as shown in info1 and info2 below. There is no error 
when running spmd and iked, and you may refer to info3 and info4 below 
for the output of the commands "setkey -D" and "setkey -DP". Then I tested 
IKEv2_Self_Test_1-0-0 on the TN; the first test case "Global Setup" passed. 
You may refer to info5 for the IPv6 address information, and "rl0" is my 
test interface. Continuing to the second case, "Test IKEv2.EN.I.1.1.1.1: 
Sending IKE_SA_INIT request", it prompts "No SAD entries." and "No SPD 
entries."; you may refer to the attached log file "2.html".

Now I have two questions:
1. I think the first test case will configure the TN's test interface "rl0" 
as "2001:db8:f:1::1", am I right? However, it set interface "lo1" to this 
address.
2. It prompts "No SAD entries." and "No SPD entries." Do we need to 
configure the TN, or am I missing some configuration for the NUT?

I would appreciate it if anyone could give me some suggestions. Thanks in advance.

info1. cat racoon2.conf:
# $Id: racoon2.conf.in,v 1.34 2007/12/27 01:08:52 mk Exp $

## Edit vals.conf for your environment
include "/usr/local/racoon2/etc/racoon2/vals.conf";

# interface info
interface
{
	ike {
		2001:db8:1:1::1234 port 500;
		## Uncomment to enable NAT-T (both initiator and responder)
		# MY_IP port 4500;
	};
	#kink {
	#	MY_IP;
	#};
	spmd {
		unix "/var/run/racoon2/spmif";
	};
	spmd_password "/usr/local/racoon2/etc/racoon2/spmd.pwd";
};

# resolver info
resolver
{
	resolver off;
	# resolver on;
	# nameserver {
	#	WWW.XXX.YYY.ZZZ port 53;
	# };
	# dns_query {
	#	127.0.0.1 port 53;
	#	::1 port 53;
	# };
};

#
# This line includes default configuration file;
# Please don't touch this line (especially novice user);
#

include "/usr/local/racoon2/etc/racoon2/default.conf";

#
# These are examples of configuration for each peer.
#
# Uncomment following one 'include' line you want to use.

## Transport mode IKEv2 or IKEv1
include "/usr/local/racoon2/etc/racoon2/transport_ike.conf";

## Tunnel mode IKEv2 or IKEv1 (initiator and responder)
# include "/usr/local/racoon2/etc/racoon2/tunnel_ike.conf";

## Tunnel mode IKEv2 (responder; NAT-T support)
## Enable this if you're a responder in global net and
## the peer is an initiator behind NAT.
# include "/usr/local/racoon2/etc/racoon2/tunnel_ike_natt.conf";

## Transport mode KINK
# include "/usr/local/racoon2/etc/racoon2/transport_kink.conf";

## Tunnel mode KINK
# include "/usr/local/racoon2/etc/racoon2/tunnel_kink.conf";

## For local test
#include "/usr/local/racoon2/etc/racoon2/local-test.conf";

info2. cat transport_ike.conf
# $Id: transport_ike.conf,v 1.7 2007/12/26 08:00:53 sinoue Exp $
# ike transport mode (esp/tcp)
remote ike_trans_remote {
	acceptable_kmp { ikev2; };
	ikev2 {
		my_id ipaddr 2001:db8:1:1::1234;
		peers_id ipaddr 2001:db8:f:1::1;
		peers_ipaddr 2001:db8:f:1::1 port 500;
		## Use Preshared Key
		kmp_auth_method { psk; };
		pre_shared_key "/usr/local/racoon2/etc/racoon2/psk/psk.trans";
		kmp_enc_alg { 3des_cbc; };
		kmp_prf_alg { hmac_sha1; };
		kmp_dh_group { modp2048; };
		## Use Certificate
		#kmp_auth_method { rsasig; };
		#my_public_key x509pem "${CERTDIR}/${MY_PUB_KEY}" "${CERTDIR}/${MY_PRI_KEY}";
		#peers_public_key x509pem "${CERTDIR}/${PEERS_PUB_KEY}" "";
	};
	selector_index ike_trans_sel_in;
};

selector ike_trans_sel_out {
	direction outbound;
	src 2001:db8:1:1::1234;
	dst 2001:db8:f:1::1;
	upper_layer_protocol "any";
	policy_index ike_trans_policy;
};

selector ike_trans_sel_in {
	direction inbound;
	dst 2001:db8:1:1::1234;
	src 2001:db8:f:1::1;
	upper_layer_protocol "any";
	policy_index ike_trans_policy;
};

policy ike_trans_policy {
	action auto_ipsec;
	remote_index ike_trans_remote;
	ipsec_mode transport;
	ipsec_index { ipsec_esp; };
	ipsec_level require;
};

ipsec ipsec_esp {
	sa_index { sa_esp; };
};

sa sa_esp {
	sa_protocol esp;
	esp_enc_alg { 3des_cbc; aes128_cbc; };
	esp_auth_alg { hmac_sha1; hmac_md5; };
};

info3. setkey -D
::1 ::1
esp mode=transport spi=120578843(0x072fe31b) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Mar 24 22:57:19 2009 current: Mar 24 22:57:25 2009
diff: 6(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=5532 refcnt=0

info4. setkey -DP
2001:db8:f:1::1[any] 2001:db8:1:1::1[any] any
in ipsec
esp/transport//require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8 seq=8 pid=5529
refcnt=1
10.0.1.0/24[any] 10.0.0.0/24[any] any
in ipsec
esp/tunnel/192.168.1.1-192.168.0.1/require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=24 seq=7 pid=5529
refcnt=1
::1[any] ::1[any] any
in ipsec
esp/transport//require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=48 seq=6 pid=5529
refcnt=1
2001:db8:1:1::1[any] 2001:db8:f:1::1[any] any
out ipsec
esp/transport//require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1 seq=5 pid=5529
refcnt=1
10.0.0.0/24[any] 10.0.1.0/24[any] any
out ipsec
esp/tunnel/192.168.0.1-192.168.1.1/require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17 seq=4 pid=5529
refcnt=1
::1[any] ::1[any] any
out ipsec
esp/transport//require
created: Mar 24 21:23:52 2009 lastused: Mar 24 22:56:49 2009
lifetime: 0(s) validtime: 0(s)
spid=41 seq=3 pid=5529
refcnt=4
10.0.1.0/24[any] 10.0.0.0/24[any] any
fwd ipsec
esp/tunnel/192.168.1.1-192.168.0.1/require
created: Mar 24 21:23:52 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=34 seq=2 pid=5529
refcnt=1
(per-socket policy)
in none
created: Mar 24 21:25:38 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1259 seq=1 pid=5529
refcnt=1
(per-socket policy)
out none
created: Mar 24 21:25:38 2009 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1268 seq=0 pid=5529
refcnt=1

info5.

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::221:27ff:fe9d:f569%rl0 prefixlen 64 scopeid 0x2
inet6 fe80::f%rl0 prefixlen 64 scopeid 0x2
inet6 2001:db8:1:1::f prefixlen 64
ether 00:21:27:9d:f5:69
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 2001:db8:f:1::1 prefixlen 64

Shirley

Hiroki ENDO wrote:
> Hi,
>
> Self Test does not configure the NUT by default. Self Test configures
> the TN automatically.
> Currently, remote script for NUT configuration supports only racoon2
> on FreeBSD. So you need to configure your NUT manually.
>
> Please configure your NUT as Test Specification said.
> Basically, default setup for End-Node is as follows:
>
> NUT IKEv2 Address: 2001:db8:1:1:YOUR_IF_ID
> NUT IKEv2 Port: 500
> TN IKEv2 Address: 2001:db8:f:1::1/64
> TN IKEv2 Port: 500
> Authentication Method: Shared Key Message Integrity Code
> Shared Key: IKETEST12345678!
> NUT ID Type: ID_IPV6_ADDR:
> NUT ID Data: 2001:db8:1:1:YOUR_IF_ID (same as NUT IKEv2 Address)
> IKE_SA
>         Encryption Algorithm: ENCR_3DES
>         PRF: PRF_HMAC_SHA1
>         Integrity Algorithm: AUTH_HMAC_SHA1_96
>         Diffie-Hellman: 1024 MODP Group
> CHILD_SA
>         Security Protocol: ESP
>         Transport Mode: transport mode (tunnel mode for SGW)
>         Encryption Algorithm: ENCR_3DES
>         Integrity Algorithm: AUTH_HMAC_SHA1_96
>         ESN: No ESN
> NUT SPD
>         inbound
>                 src: 2001:db8:f:1::1 (2001:db8:f:2::/64 for SGW)
>                 dst: 2001:db8:1:1::1 (2001:db8:1:2::/64 for SGW)
>                 upper layer protocol: any
>         outbound
>                 src: 2001:db8:1:1::1 (2001:db8:1:2::/64 for SGW)
>                 dst: 2001:db8:f:1::1 (2001:db8:f:2::/64 for SGW)
>                 upper layer protocol: any
> And you use ping6 to 2001:db8:f:1::1 to initiate IKEv2 exchange,
> when you are Initiator.
>
> There might be many confusable and un-user-friendly points.
> Please tell us the points for the future.
>
> Thanks,
>
1144_2.html (attachment)
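A practical first check when a self test reports "No SPD entries." is to confirm that the kernel SPD really contains the selectors the racoon2 configuration declares. The script below is added here as an illustration for this thread; it is not part of racoon2 or of the TAHI test suite. It parses the selector blocks of a transport_ike.conf (as in info2) and the output of setkey -DP (as in info4), and reports for each selector whether an SPD entry exists with the same direction, addresses, upper-layer protocol, IPsec mode and level. Addresses are normalised with Python's ipaddress module, so 2001:db8:1:1::1 and 2001:db8:1:1:0:0:0:1 compare equal. The embedded sample inputs are constructed from the config and output posted in the message above; on that data the selectors declare 2001:db8:1:1::1234 while the transport entries shown carry 2001:db8:1:1::1, so the check reports no match for either selector, which is the kind of divergence between the kernel SPD and the configuration file that is worth ruling out on the NUT before looking at the TN side.

```python
"""Compare the selectors declared in a racoon2 transport_ike.conf with the
SPD entries the kernel reports via ``setkey -DP``.

Added illustration for this thread; not part of racoon2 or the TAHI test
suite.  Sample inputs are constructed from the config and output posted in
the message above.
"""
import ipaddress
import re

# Constructed sample: the two selector blocks from info2.
RACOON2_CONF = """
selector ike_trans_sel_out {
	direction outbound;
	src 2001:db8:1:1::1234;
	dst 2001:db8:f:1::1;
	upper_layer_protocol "any";
	policy_index ike_trans_policy;
};
selector ike_trans_sel_in {
	direction inbound;
	dst 2001:db8:1:1::1234;
	src 2001:db8:f:1::1;
	upper_layer_protocol "any";
	policy_index ike_trans_policy;
};
"""

# Constructed sample: a subset of the info4 entries, including a per-socket
# policy, which setkey prints without a selector line.
SETKEY_DP = """\
2001:db8:f:1::1[any] 2001:db8:1:1::1[any] any
	in ipsec
	esp/transport//require
	created: Mar 24 21:23:52 2009  lastused:
	spid=8 seq=8 pid=5529
	refcnt=1
2001:db8:1:1::1[any] 2001:db8:f:1::1[any] any
	out ipsec
	esp/transport//require
	spid=1 seq=5 pid=5529
	refcnt=1
10.0.0.0/24[any] 10.0.1.0/24[any] any
	out ipsec
	esp/tunnel/192.168.0.1-192.168.1.1/require
	spid=17 seq=4 pid=5529
	refcnt=1
(per-socket policy)
	in none
	spid=1259 seq=1 pid=5529
	refcnt=1
"""

SELECTOR_RE = re.compile(r'selector\s+(\w+)\s*\{(.*?)\};', re.S)
FIELD_RE = re.compile(r'(\w+)\s+("?[^";]+"?);')
ENTRY_RE = re.compile(r'^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s*$')
DIRECTION = {'outbound': 'out', 'inbound': 'in'}   # config word -> setkey word


def net(text):
    """Normalise an address or prefix so textual variants compare equal."""
    return ipaddress.ip_network(text, strict=False)


def parse_selectors(conf):
    """Return one dict per ``selector`` block in a racoon2 config."""
    selectors = []
    for name, body in SELECTOR_RE.findall(conf):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        selectors.append({
            'name': name,
            'direction': fields['direction'],
            'src': net(fields['src']),
            'dst': net(fields['dst']),
            'proto': fields.get('upper_layer_protocol', 'any'),
        })
    return selectors


def parse_spd(text):
    """Return one dict per SPD entry in ``setkey -DP`` output."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                                   # "src[port] dst[port] proto"
            src, _sport, dst, _dport, proto = m.groups()
            cur = {'src': net(src), 'dst': net(dst), 'proto': proto,
                   'direction': None, 'action': None, 'rules': []}
            entries.append(cur)
            continue
        if line.startswith('(per-socket'):
            cur = None                          # socket policies have no selector
            continue
        if cur is None:
            continue
        tok = line.split()
        if len(tok) == 2 and tok[0] in ('in', 'out', 'fwd'):
            cur['direction'], cur['action'] = tok
        elif tok and tok[0].split('/')[0] in ('esp', 'ah', 'ipcomp'):
            proto, mode, endpoints, level = tok[0].split('/', 3)
            cur['rules'].append({'proto': proto, 'mode': mode,
                                 'endpoints': endpoints, 'level': level})
    return entries


def check(selectors, spd, mode='transport', level='require'):
    """Map each selector name to the SPD entry that implements it, or None."""
    result = {}
    for sel in selectors:
        result[sel['name']] = next(
            (e for e in spd
             if e['direction'] == DIRECTION[sel['direction']]
             and e['src'] == sel['src'] and e['dst'] == sel['dst']
             and (sel['proto'] == 'any' or e['proto'] == sel['proto'])
             and any(r['mode'] == mode and r['level'] == level
                     for r in e['rules'])),
            None)
    return result


if __name__ == '__main__':
    for name, entry in check(parse_selectors(RACOON2_CONF),
                             parse_spd(SETKEY_DP)).items():
        print(name, 'OK' if entry else 'NO MATCHING SPD ENTRY')
```

To run it against a live system, replace the two constructed strings with the contents of the configuration file and the captured output of setkey -DP. The fwd entries setkey prints for tunnel policies are parsed but never matched against a transport selector, and the per-socket policies at the end of the output are skipped rather than attributed to the preceding entry.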