* 2.6 IPsec (Kame) appears to be working, but it isn't
From: martin f krafft @ 2004-01-06 17:12 UTC
To: linux kernel mailing list
Hi all,

I am not sure this is the best place to ask, but I don't want to
feel the *BSD wrath against Linux at kame.net, and I could not find
a mailing list for Linux IPsec, so please feel free to point me
elsewhere, but don't shoot, okay?

I configured two 2.6.0 hosts to do simple manually keyed transport
IPsec, just like Ralf (thanks!) wrote at www.ipsec-howto.org. When
I now ping one end from the other, tcpdump reports successful packet
exchanges on both sides:

  10.201.165.118 > 10.201.23.21:
    AH(spi=0x00000200,seq=0x2d): ESP(spi=0x00000201,seq=0x2d) (DF)
  10.201.23.21 > 10.201.165.118:
    AH(spi=0x00000300,seq=0x6): ESP(spi=0x00000301,seq=0x6)

However, the ping application at 10.201.165.118 sees none of the
replies:

  wall:~# ping 10.201.23.21
  PING 10.201.23.21 (10.201.23.21) from 10.201.165.118 : 56(84) bytes of data.

  --- 10.201.23.21 ping statistics ---
  19 packets transmitted, 0 received, 100% loss, time 17997ms

The same applies to normal IP packets (e.g. TCP port 25):

  10.201.165.118 > 10.201.23.21:
    AH(spi=0x00000200,seq=0x2e): ESP(spi=0x00000201,seq=0x2e) (DF)
  10.201.23.21 > 10.201.165.118:
    AH(spi=0x00000300,seq=0x7): ESP(spi=0x00000301,seq=0x7) (DF)
  10.201.165.118 > 10.201.23.21:
    AH(spi=0x00000200,seq=0x2f): ESP(spi=0x00000201,seq=0x2f) (DF)
  10.201.23.21 > 10.201.165.118:
    AH(spi=0x00000300,seq=0x8): ESP(spi=0x00000301,seq=0x8) (DF)
  10.201.23.21 > 10.201.165.118:
    AH(spi=0x00000300,seq=0x9): ESP(spi=0x00000301,seq=0x9) (DF)
  10.201.23.21 > 10.201.165.118:
    AH(spi=0x00000300,seq=0xa): ESP(spi=0x00000301,seq=0xa) (DF)

Would you agree that this is weird? What am I doing wrong?

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
"i love deadlines. i like the whooshing
sound they make as they fly by."
-- douglas adams
* [solved] 2.6 IPsec (Kame) appears to be working, but it isn't
From: martin f krafft @ 2004-01-06 18:14 UTC
To: linux kernel mailing list
also sprach martin f krafft <madduck@madduck.net> [2004.01.06.1812 +0100]:
> I now ping one end from the other, tcpdump reports successful packet
> exchanges on both sides:
>
>   10.201.165.118 > 10.201.23.21:
>     AH(spi=0x00000200,seq=0x2d): ESP(spi=0x00000201,seq=0x2d) (DF)
>   10.201.23.21 > 10.201.165.118:
>     AH(spi=0x00000300,seq=0x6): ESP(spi=0x00000301,seq=0x6)
>
> However, the ping application at 10.201.165.118 sees none of the
> replies:

This was (of course) my bad. One of the AH keys was incorrect.
I guess I should first learn cut'n'paste before learning IPsec
and/or bothering y'all.

Sorry.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
"good advice is something a man gives
when he is too old to set a bad example."
-- la rochefoucauld
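
Added example, not part of the original thread: tcpdump only decodes the AH/ESP headers and does not verify the AH integrity check value, so a mistyped manual key looks fine on the wire while the receiving kernel drops every packet. The sketch below compares the `add` statements from both hosts' setkey configuration and reports which SA disagrees without printing key material. The addresses and SPIs are the ones shown in the thread; the algorithms, keys, and the function names `parse_sad` and `compare` are assumptions made for illustration, and only hex-encoded keys are handled.

```python
def parse_sad(conf_text):
    """Return {(src, dst, proto, spi): {flag: (algorithm, key)}} from 'add' lines."""
    sad = {}
    # Drop '#' comments, then split into ';'-terminated setkey statements.
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    for stmt in text.split(";"):
        tok = stmt.split()
        if len(tok) < 5 or tok[0] != "add":
            continue  # flush, spdflush, spdadd and other statements are ignored
        sa = (tok[1], tok[2], tok[3].lower(), int(tok[4], 0))
        # -A = authentication algorithm + key, -E = encryption algorithm + key.
        sad[sa] = {tok[i]: (tok[i + 1].lower(), tok[i + 2].lower())
                   for i in range(5, len(tok) - 2) if tok[i] in ("-A", "-E")}
    return sad

def compare(sad_a, sad_b):
    """List (sa, problem) pairs; key material is never included in the report."""
    problems = []
    for sa in sorted(set(sad_a) | set(sad_b)):
        if sa not in sad_a or sa not in sad_b:
            problems.append((sa, "SA missing on one host"))
            continue
        for flag in sorted(set(sad_a[sa]) | set(sad_b[sa])):
            a, b = sad_a[sa].get(flag), sad_b[sa].get(flag)
            if a is None or b is None or a[0] != b[0]:
                problems.append((sa, f"{flag} algorithm differs"))
            elif a[1] != b[1]:
                problems.append((sa, f"{flag} key differs"))
    return problems

# Constructed sample configuration: algorithms and keys are invented for the demo.
HOST_A = """\
add 10.201.165.118 10.201.23.21 ah 0x200 -A hmac-md5 0x00112233445566778899aabbccddeeff;
add 10.201.165.118 10.201.23.21 esp 0x201 -E 3des-cbc 0x000102030405060708090a0b0c0d0e0f1011121314151617;
add 10.201.23.21 10.201.165.118 ah 0x300 -A hmac-md5 0xffeeddccbbaa99887766554433221100;
add 10.201.23.21 10.201.165.118 esp 0x301 -E 3des-cbc 0x17161514131211100f0e0d0c0b0a09080706050403020100;
"""
# Host B: the same file with the last hex digit of one AH key mistyped (constructed).
HOST_B = HOST_A.replace("33221100;", "33221101;")

if __name__ == "__main__":
    for (src, dst, proto, spi), problem in compare(parse_sad(HOST_A), parse_sad(HOST_B)):
        print(f"{src} -> {dst} {proto} spi={spi:#x}: {problem}")
```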