
List:       openikev2-users
Subject:    [openikev2-users] Bind error problem and some questions
From:       alejandro_perez () dif ! um ! es (Alejandro Perez Mendez)
Date:       2005-12-30 21:48:23
Message-ID: 1135976119.31778.15.camel () localhost ! localdomain

On Fri, 30--2005 at 15:24 +0200, Väisänen Teemu wrote:
> Hi.
> 

Hi

> 2005/12/23, Alejandro Perez Mendez <alejandro_perez@dif.um.es>:
> > On Fri, 23--2005 at 11:04 +0200, Väisänen Teemu wrote:
> > > > You can use any file as PSK (JPG, AVI, txt, zip, ...) The PSK file is
> > > > read in binary mode.
> > > > i.e. if "key.txt" contains only the text "Hello" without any
> > > > end-of-line, then the PSK will be (in hexadecimal) = [48:65:6C:6C:6F]
> > > > but if you use a PNG file, then the PSK will be (for example) =
> > > > [89:50:4E:47:0D:0A:1A:0A:00:00:00:0D:49:48:44:52:00:00......]
> > > >
> > > > So you should have one file for each PSK you want to use.
> > >
> > > Sorry, I don't understand. In openikev2.conf there is preshared_key = "..."
> > > What key exactly is it? Do both end nodes have that same file?
> >
> > The key is the bytes contained in the file.
> >
> > Yes, they have the same file in both nodes.
> 
> I copied some jpg files to key.txt and anonymous.txt to be used as keys
> in both nodes. The keys are the same in both nodes.

Correct

> > > I'm testing first with two computers and IPsec transport mode, A and
> > > B: A <----> B
> > > A's IPv6 address is 3ffe::1/64 and B's is 3ffe::4/64.
> 
> > The documentation section says:
> >         << Remember to allow IKEv2 traffic (UDP 500) as the first IPSEC
> >         policy and, if you want to use IPv6, also allow ICMPv6 traffic
> >         (at least neighbour discovery). In other way IKEv2 messages
> >         cannot arrive to peer. >>
> >
> > So in the setkey file you must have (when using IPv6):
> >         flush;
> >         spdflush;
> >         spdadd 0::0/0[500] 0::0/0 udp -P out none;
> >         spdadd 0::0/0[500] 0::0/0 udp -P fwd none;
> >         spdadd 0::0/0[500] 0::0/0 udp -P in none;
> >         spdadd 0::0/0 0::0/0 ipv6-icmp -P out none;
> >         spdadd 0::0/0 0::0/0 ipv6-icmp -P fwd none;
> >         spdadd 0::0/0 0::0/0 ipv6-icmp -P in none;
> >
> >         spdadd 3ffe::1 3ffe::4 any -P out ipsec esp/transport//require;
> >         spdadd 3ffe::4 3ffe::1 any -P fwd ipsec esp/transport//require;
> >         spdadd 3ffe::4 3ffe::1 any -P in ipsec esp/transport//require;
> >
> > The "fwd" policies, when using the later versions of setkey, are
> > automatically generated, but in the first versions they aren't.
> 
> I made the changes and, as you said, those fwd policies aren't needed;
> setkey just says that they already exist.
> 
> > > I tried to ping from A to B and B to A but they can't be reached when
> > > policies are created and openIKEv2 is running.
> > >
> > > Should I change 3ffe::1/64 to 3ffe::1/128 etc. because in openIKEv2
> > > outputs have those 128s?
> >
> > OpenIKEv2 output has 128 because the policies in the SPD have 128. You
> > should have the following if you want /64 selectors in the policies:
> >         ...
> >         spdadd 3ffe::/64 3ffe::/64 any -P in ipsec
> >         esp/transport//require;
> >         ...
> > But in your case, this is not needed and /128 is IMHO the best option.
> 
> I changed addresses length to 128, but it seems to work similarly with 64s.
> 
> Policies are created and openIKEv2 is running. The first time I try to
> ping, the key exchange (IKE_SA_INITs and IKE_AUTHs) is done and the
> network is unreachable, but after that ping works fine.

> The problem is that messages are not protected with IPsec. What could be
> the reason for that?

The policies
        spdadd 0::0/0 0::0/0 ipv6-icmp -P out none;
        spdadd 0::0/0 0::0/0 ipv6-icmp -P fwd none;
        spdadd 0::0/0 0::0/0 ipv6-icmp -P in none;

mean that no ICMPv6 traffic at all is processed by IPsec, so ping6 is
not protected. Try a "telnet 80" (for example) and that traffic should be
protected.

If you want to protect ping6 traffic as well, you must tune the above
policies so that they bypass only the "neighbour discovery" ICMPv6
messages, not all ICMPv6 traffic.
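An added example of what that tuning could look like (it is not from the original thread or from the OpenIKEv2 project): a setkey script for host A (3ffe::1) that bypasses only the Neighbor Discovery ICMPv6 types 133-137 and leaves every other ICMPv6 message between A and B, ping6 included, under the ESP transport policy. It assumes an ipsec-tools setkey and kernel that accept the `icmp6 type,code` selector form (code 0 acts as a wildcard); fwd entries are omitted because this is transport mode between two hosts and newer setkey versions generate them anyway.

```conf
# setkey -f <this file> on host A (3ffe::1); swap the ESP selectors on B.
flush;
spdflush;

# IKEv2 itself must travel unprotected, so UDP 500 stays bypassed.
spdadd ::/0[500] ::/0 udp -P out none;
spdadd ::/0[500] ::/0 udp -P in none;

# Bypass only Neighbor Discovery, not all ICMPv6:
# 133 Router Solicitation, 134 Router Advertisement,
# 135 Neighbor Solicitation, 136 Neighbor Advertisement, 137 Redirect.
# Without these, A's NA replies to B (unicast 3ffe::4 -> 3ffe::1) would
# hit the ESP policy below and neighbour resolution would never finish.
spdadd ::/0 ::/0 icmp6 133,0 -P out none;
spdadd ::/0 ::/0 icmp6 133,0 -P in none;
spdadd ::/0 ::/0 icmp6 134,0 -P out none;
spdadd ::/0 ::/0 icmp6 134,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 136,0 -P out none;
spdadd ::/0 ::/0 icmp6 136,0 -P in none;
spdadd ::/0 ::/0 icmp6 137,0 -P out none;
spdadd ::/0 ::/0 icmp6 137,0 -P in none;

# Everything else between A and B, including Echo Request/Reply (128/129)
# used by ping6, now requires ESP in transport mode.
spdadd 3ffe::1 3ffe::4 any -P out ipsec esp/transport//require;
spdadd 3ffe::4 3ffe::1 any -P in ipsec esp/transport//require;
```

After loading it, `setkey -DP` should list the per-type ICMPv6 entries, and a ping6 from A to B should trigger IKE_SA_INIT/IKE_AUTH and then show ESP on the wire instead of plain ICMPv6.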

> Happy New Year to all!

Thanks. Happy New Year !!!

> -Teemu Väisänen

--
OpenIKEv2 team
_______________________________________________
openikev2-users mailing list
openikev2-users@dif.um.es
https://correo.dif.um.es/cgi-bin/mailman/listinfo/openikev2-users
