Hi,
> Now I have two questions:
> 1. I think the first test case will configure TN's test interface "rl0"
> as "2001:db8:f:1::1", am I right? However, it set interface "lo1" as this
> address.
TN's rl0 should have "2001:db8:1:1::f" as TR1, your default gateway to Link X.
TN's lo1 should have "2001:db8:f:1::1" as TN1, IKEv2 peer.
> 2. It prompts "No SAD entries." and "No SPD entries."; do we need to
> configure TN, or did I miss some configuration for NUT?
No. They just show TN's status at that time.
SAD and SPD in TN are configured after IKEv2 exchange.
Best Regards,
--
Hiroki ENDO
On Wed, 25 Mar 2009 11:28:50 -0400
szhou <szhou@redhat.com> wrote:
> Hi, All
>
> I did the configuration for NUT as in info1 and info2 below. There is no error
> when running spmd and iked, and you may refer to info3 and info4 below,
> taken after I clicked on the commands "setkey -D" and "setkey -DP". Then I tested
> IKEv2_Self_Test_1-0-0 on TN; the first test case "Global Setup" passed,
> you may refer to info5 for IPv6 address information, and "rl0" is my
> test interface. Continuing to the second case "Test IKEv2.EN.I.1.1.1.1:
> Sending IKE_SA_INIT request", it prompts "No SAD entries." and "No SPD
> entries."; you may refer to the attached log file "2.html".
>
> Now I have two questions:
> 1. I think the first test case will configure TN's test interface "rl0"
> as "2001:db8:f:1::1", am I right? However, it set interface "lo1" as this
> address.
> 2. It prompts "No SAD entries." and "No SPD entries."; do we need to
> configure TN, or did I miss some configuration for NUT?
>
> I would appreciate it if anyone could give me some suggestions. Thanks in advance.
>
> info1. cat racoon2.conf:
> # $Id: racoon2.conf.in,v 1.34 2007/12/27 01:08:52 mk Exp $
>
> ## Edit vals.conf for your environment
> include "/usr/local/racoon2/etc/racoon2/vals.conf";
>
> # interface info
> interface
> {
>     ike {
>         2001:db8:1:1::1234 port 500;
>         ## Uncomment to enable NAT-T (both initiator and responder)
>         # MY_IP port 4500;
>     };
>     #kink {
>     #    MY_IP;
>     #};
>     spmd {
>         unix "/var/run/racoon2/spmif";
>     };
>     spmd_password "/usr/local/racoon2/etc/racoon2/spmd.pwd";
> };
>
> # resolver info
> resolver
> {
>     resolver off;
>     # resolver on;
>     # nameserver {
>     #     WWW.XXX.YYY.ZZZ port 53;
>     # };
>     # dns_query {
>     #     127.0.0.1 port 53;
>     #     ::1 port 53;
>     # };
> };
>
> #
> # This line includes default configuration file;
> # Please don't touch this line (especially novice user);
> #
>
> include "/usr/local/racoon2/etc/racoon2/default.conf";
>
> #
> # These are examples of configuration for each peer.
> #
> # Uncomment following one 'include' line you want to use.
>
> ## Transport mode IKEv2 or IKEv1
> include "/usr/local/racoon2/etc/racoon2/transport_ike.conf";
>
> ## Tunnel mode IKEv2 or IKEv1 (initiator and responder)
> # include "/usr/local/racoon2/etc/racoon2/tunnel_ike.conf";
>
> ## Tunnel mode IKEv2 (responder; NAT-T support)
> ## Enable this if you're a responder in global net and
> ## the peer is an initiator behind NAT.
> # include "/usr/local/racoon2/etc/racoon2/tunnel_ike_natt.conf";
>
> ## Transport mode KINK
> # include "/usr/local/racoon2/etc/racoon2/transport_kink.conf";
>
> ## Tunnel mode KINK
> # include "/usr/local/racoon2/etc/racoon2/tunnel_kink.conf";
>
> ## For local test
> #include "/usr/local/racoon2/etc/racoon2/local-test.conf";
>
> info2. cat transport_ike.conf
> # $Id: transport_ike.conf,v 1.7 2007/12/26 08:00:53 sinoue Exp $
> # ike transport mode (esp/tcp)
> remote ike_trans_remote {
>     acceptable_kmp { ikev2; };
>     ikev2 {
>         my_id ipaddr 2001:db8:1:1::1234;
>         peers_id ipaddr 2001:db8:f:1::1;
>         peers_ipaddr 2001:db8:f:1::1 port 500;
>         ## Use Preshared Key
>         kmp_auth_method { psk; };
>         pre_shared_key "/usr/local/racoon2/etc/racoon2/psk/psk.trans";
>         kmp_enc_alg { 3des_cbc; };
>         kmp_prf_alg { hmac_sha1; };
>         kmp_dh_group { modp2048; };
>         ## Use Certificate
>         #kmp_auth_method { rsasig; };
>         #my_public_key x509pem "${CERTDIR}/${MY_PUB_KEY}" "${CERTDIR}/${MY_PRI_KEY}";
>         #peers_public_key x509pem "${CERTDIR}/${PEERS_PUB_KEY}" "";
>     };
>     selector_index ike_trans_sel_in;
> };
>
> selector ike_trans_sel_out {
>     direction outbound;
>     src 2001:db8:1:1::1234;
>     dst 2001:db8:f:1::1;
>     upper_layer_protocol "any";
>     policy_index ike_trans_policy;
> };
>
> selector ike_trans_sel_in {
>     direction inbound;
>     dst 2001:db8:1:1::1234;
>     src 2001:db8:f:1::1;
>     upper_layer_protocol "any";
>     policy_index ike_trans_policy;
> };
>
> policy ike_trans_policy {
>     action auto_ipsec;
>     remote_index ike_trans_remote;
>     ipsec_mode transport;
>     ipsec_index { ipsec_esp; };
>     ipsec_level require;
> };
>
> ipsec ipsec_esp {
>     sa_index { sa_esp; };
> };
>
> sa sa_esp {
>     sa_protocol esp;
>     esp_enc_alg { 3des_cbc; aes128_cbc; };
>     esp_auth_alg { hmac_sha1; hmac_md5; };
> };
>
> info3. setkey -D
> ::1 ::1
> esp mode=transport spi=120578843(0x072fe31b) reqid=0(0x00000000)
> seq=0x00000000 replay=0 flags=0x00000000 state=larval
> created: Mar 24 22:57:19 2009 current: Mar 24 22:57:25 2009
> diff: 6(s) hard: 30(s) soft: 0(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=0 pid=5532 refcnt=0
> info4. setkey -DP
> 2001:db8:f:1::1[any] 2001:db8:1:1::1[any] any
> in ipsec
> esp/transport//require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=8 seq=8 pid=5529
> refcnt=1
> 10.0.1.0/24[any] 10.0.0.0/24[any] any
> in ipsec
> esp/tunnel/192.168.1.1-192.168.0.1/require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=24 seq=7 pid=5529
> refcnt=1
> ::1[any] ::1[any] any
> in ipsec
> esp/transport//require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=48 seq=6 pid=5529
> refcnt=1
> 2001:db8:1:1::1[any] 2001:db8:f:1::1[any] any
> out ipsec
> esp/transport//require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1 seq=5 pid=5529
> refcnt=1
> 10.0.0.0/24[any] 10.0.1.0/24[any] any
> out ipsec
> esp/tunnel/192.168.0.1-192.168.1.1/require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=17 seq=4 pid=5529
> refcnt=1
> ::1[any] ::1[any] any
> out ipsec
> esp/transport//require
> created: Mar 24 21:23:52 2009 lastused: Mar 24 22:56:49 2009
> lifetime: 0(s) validtime: 0(s)
> spid=41 seq=3 pid=5529
> refcnt=4
> 10.0.1.0/24[any] 10.0.0.0/24[any] any
> fwd ipsec
> esp/tunnel/192.168.1.1-192.168.0.1/require
> created: Mar 24 21:23:52 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=34 seq=2 pid=5529
> refcnt=1
> (per-socket policy)
> in none
> created: Mar 24 21:25:38 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1259 seq=1 pid=5529
> refcnt=1
> (per-socket policy)
> out none
> created: Mar 24 21:25:38 2009 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=1268 seq=0 pid=5529
> refcnt=1
>
> info5:
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::221:27ff:fe9d:f569%rl0 prefixlen 64 scopeid 0x2
> inet6 fe80::f%rl0 prefixlen 64 scopeid 0x2
> inet6 2001:db8:1:1::f prefixlen 64
> ether 00:21:27:9d:f5:69
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet6 2001:db8:f:1::1 prefixlen 64
>
> Shirley
> Hiroki ENDO wrote:
> > Hi,
> >
> > Self Test does not configure the NUT by default. Self Test configures
> > the TN automatically.
> > Currently, remote script for NUT configuration supports only racoon2
> > on FreeBSD. So you need to configure your NUT manually.
> >
> > Please configure your NUT as Test Specification said.
> > Basically, default setup for End-Node is as follows:
> >
> > NUT IKEv2 Address: 2001:db8:1:1:YOUR_IF_ID
> > NUT IKEv2 Port: 500
> > TN IKEv2 Address: 2001:db8:f:1::1/64
> > TN IKEv2 Port: 500
> > Authentication Method: Shared Key Message Integrity Code
> > Shared Key: IKETEST12345678!
> > NUT ID Type: ID_IPV6_ADDR:
> > NUT ID Data: 2001:db8:1:1:YOUR_IF_ID (same as NUT IKEv2 Address)
> > IKE_SA
> > Encryption Algorithm: ENCR_3DES
> > PRF: PRF_HMAC_SHA1
> > Integrity Algorithm: AUTH_HMAC_SHA1_96
> > Diffie-Hellman: 1024 MODP Group
> > CHILD_SA
> > Security Protocol: ESP
> > Transport Mode: transport mode (tunnel mode for SGW)
> > Encryption Algorithm: ENCR_3DES
> > Integrity Algorithm: AUTH_HMAC_SHA1_96
> > ESN: No ESN
> > NUT SPD
> > inbound
> > src: 2001:db8:f:1::1 (2001:db8:f:2::/64 for SGW)
> > dst: 2001:db8:1:1::1 (2001:db8:1:2::/64 for SGW)
> > upper layer protocol: any
> > outbound
> > src: 2001:db8:1:1::1 (2001:db8:1:2::/64 for SGW)
> > dst: 2001:db8:f:1::1 (2001:db8:f:2::/64 for SGW)
> > upper layer protocol: any
> > And you use ping6 to 2001:db8:f:1::1 to initiate IKEv2 exchange,
> > when you are Initiator.
> >
> > There might be many confusing and user-unfriendly points.
> > Please tell us about them for the future.
> >
> > Thanks,
> >
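As an added check that is not part of this thread, the script below parses `setkey -DP` output in the format quoted in info4 and reports which of the two expected NUT/TN transport policies (inbound with src TN, outbound with dst TN, as the selectors in transport_ike.conf define them) is missing from the SPD. The sample text is a constructed, shortened excerpt of info4, and the NUT and TN addresses are the ones from the quoted configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the `setkey -DP` output quoted in info4.
SAMPLE_SPD = """\
2001:db8:f:1::1[any] 2001:db8:1:1::1[any] any
    in ipsec
    esp/transport//require
    spid=8 seq=8 pid=5529
10.0.1.0/24[any] 10.0.0.0/24[any] any
    in ipsec
    esp/tunnel/192.168.1.1-192.168.0.1/require
2001:db8:1:1::1[any] 2001:db8:f:1::1[any] any
    out ipsec
    esp/transport//require
(per-socket policy)
    in none
"""
HEADER = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")  # src[port] dst[port] upper
DIRECTION = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard)$")
RULE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(\w+)$")  # proto/mode/ends/level

@dataclass
class SpdEntry:
    src: str
    dst: str
    direction: str = ""
    action: str = ""
    rules: list = field(default_factory=list)  # (protocol, mode, level) tuples

def parse_spd(text: str) -> list:
    # One SpdEntry per policy header; timestamp, lifetime and spid lines are skipped.
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            entries.append(SpdEntry(m.group(1), m.group(3)))
        elif line == "(per-socket policy)":
            entries.append(SpdEntry("(socket)", "(socket)"))
        elif entries and (m := DIRECTION.match(line)):
            entries[-1].direction, entries[-1].action = m.group(1), m.group(2)
        elif entries and (m := RULE.match(line)):
            entries[-1].rules.append((m.group(1), m.group(2), m.group(4)))
    return entries

def missing_policies(text: str, nut_addr: str, tn_addr: str) -> list:
    # Directions for which no 'ipsec' policy between NUT and TN is installed.
    entries = parse_spd(text)
    want = {"in": (tn_addr, nut_addr), "out": (nut_addr, tn_addr)}
    return [d for d, (s, t) in want.items() if not any(
        e.src == s and e.dst == t and e.direction == d and e.action == "ipsec" for e in entries)]
```

Run against the full info4 text with the my_id address from transport_ike.conf (2001:db8:1:1::1234) the check reports both directions missing, while 2001:db8:1:1::1 (the address the installed policies actually use) reports none; comparing those two results is a quick way to confirm that the running spmd loaded the selectors you intended.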