Hi all,
I am trying to set up IPsec in tunnel mode between two Linux hosts using
racoon as the IKE daemon. It works well in transport mode, but in tunnel
mode the packets are seen both as ESP and without encryption.
Both hosts are running RHEL 4.0, kernel version 2.6.9-34.
# cat racoon.conf
path pre_shared_key "/root/dee/psk.txt" ;

# Phase 1 (IKE SA): accept any peer, authenticated with the pre-shared key file above.
remote anonymous
{
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA): algorithms offered for the ESP SAs; pfs_group enables PFS.
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
SPD on host A (set using setkey)
# Host A is 180.144.100.53; the tunnel endpoints are the two hosts themselves.
spdadd 180.144.100.53/32 180.144.100.51/32 any
        -P out ipsec esp/tunnel/180.144.100.53-180.144.100.51/require ;
spdadd 180.144.100.51/32 180.144.100.53/32 any
        -P in ipsec esp/tunnel/180.144.100.51-180.144.100.53/require ;
SPD on host B (set using setkey)
# Host B is 180.144.100.51; mirror image of the policies on host A.
spdadd 180.144.100.51/32 180.144.100.53/32 any
        -P out ipsec esp/tunnel/180.144.100.51-180.144.100.53/require ;
spdadd 180.144.100.53/32 180.144.100.51/32 any
        -P in ipsec esp/tunnel/180.144.100.53-180.144.100.51/require ;
After the policies are loaded I did a ping from host A to host B and
captured the packets using tcpdump. I found that for every ICMP request
there were 2 packets visible on tcpdump, one with ESP and one without ESP.
Why are the packets visible without ESP?
output of tcpdump on host 1 (blrmtoyota)
16:16:31.850237 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)
16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: icmp 64: echo reply seq 0
output of tcpdump on host 2 (blrmjordan)
10:43:14.612079 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)
10:43:14.612824 IP 180.144.100.53 > 180.144.100.51: icmp 64: echo request seq 0
10:43:14.612877 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)
Is there anything wrong in the policies? Or are the packets visible because
the tunnel endpoints are the same as the src and dst?
Thanks in advance
~dee
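The check a practitioner would run on captures like the two above, as an added example that is not part of the original post or of racoon/setkey: on a Linux IPsec endpoint, tcpdump sees an inbound ESP packet once as it arrives from the wire and a second time after the kernel has decrypted it and re-injected the inner packet, so a cleartext packet addressed to the capturing host that appears right after an ESP packet with the same src/dst is the decrypted copy, not a second packet on the wire. Cleartext that the capturing host itself transmits, or cleartext that arrives with no preceding ESP packet, would be a real problem. The script below parses tcpdump one-line summaries in the format quoted in the post and applies that rule per capture. The capture lines are constructed from the values quoted above (wrapped lines joined), the host addresses are taken from the post, and the 10 ms pairing window, the verdict names and the extra "leaky" sample are assumptions of this example.

```python
"""Classify cleartext packets in a tcpdump capture taken on an IPsec endpoint.

Added example, not code from the original post. Pairs each cleartext packet
with the ESP packet (same src/dst) that immediately preceded it in the capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# tcpdump one-line summaries in the (older) format quoted in the post, e.g.
#   16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: icmp 64: echo reply seq 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)

HOST_A = "180.144.100.53"  # blrmtoyota (from the post)
HOST_B = "180.144.100.51"  # blrmjordan (from the post)

# Constructed from the captures quoted in the post, wrapped lines joined.
CAPTURE_A = [
    "16:16:31.850237 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)",
    "16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)",
    "16:16:31.850418 IP 180.144.100.51 > 180.144.100.53: icmp 64: echo reply seq 0",
]
CAPTURE_B = [
    "10:43:14.612079 IP 180.144.100.53 > 180.144.100.51: ESP(spi=0x0952b15c,seq=0x21)",
    "10:43:14.612824 IP 180.144.100.53 > 180.144.100.51: icmp 64: echo request seq 0",
    "10:43:14.612877 IP 180.144.100.51 > 180.144.100.53: ESP(spi=0x0f9f7238,seq=0x21)",
]
# Constructed (hypothetical) capture on host A where the request left in the clear.
LEAKY_CAPTURE_A = [
    "16:20:00.000100 IP 180.144.100.53 > 180.144.100.51: icmp 64: echo request seq 1",
]


@dataclass
class Packet:
    ts: float   # seconds since midnight, from the tcpdump timestamp
    src: str
    dst: str
    esp: bool   # True when tcpdump printed the packet as ESP
    info: str   # remainder of the summary line


def parse_tcpdump(lines: List[str]) -> List[Packet]:
    """Parse tcpdump summary lines; lines that do not match the format are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss = m["ts"].split(":")
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        rest = m["rest"]
        pkts.append(Packet(ts, m["src"], m["dst"], rest.startswith("ESP("), rest))
    return pkts


def classify(pkts: List[Packet], capture_host: str, window: float = 0.01) -> List[Tuple[Packet, str]]:
    """Label each packet of a capture taken on `capture_host`.

    esp                 the protected packet as it appears on the wire
    decrypted-copy      cleartext to this host seen within `window` seconds after an
                        ESP packet with the same src/dst: the kernel's re-injected
                        inner packet (expected when capturing on the endpoint itself)
    cleartext-inbound   cleartext from the wire with no preceding ESP packet; the
                        inbound "require" policy check happens after the capture tap,
                        so a drop would not be visible here
    cleartext-outbound  cleartext this host transmitted without ESP (a real leak)
    """
    verdicts = []
    last_esp: Dict[Tuple[str, str], float] = {}  # (src, dst) -> ts of last ESP packet
    for p in pkts:
        if p.esp:
            last_esp[(p.src, p.dst)] = p.ts
            verdicts.append((p, "esp"))
            continue
        inbound = p.dst == capture_host
        t = last_esp.get((p.src, p.dst))
        if inbound and t is not None and 0.0 <= p.ts - t <= window:
            verdicts.append((p, "decrypted-copy"))
        elif inbound:
            verdicts.append((p, "cleartext-inbound"))
        else:
            verdicts.append((p, "cleartext-outbound"))
    return verdicts


def leaks(pkts: List[Packet], capture_host: str) -> List[Packet]:
    """Cleartext packets that are NOT the kernel's decrypted copy of an ESP packet."""
    return [p for p, v in classify(pkts, capture_host) if v.startswith("cleartext-")]


if __name__ == "__main__":
    for name, cap, host in (("blrmtoyota", CAPTURE_A, HOST_A), ("blrmjordan", CAPTURE_B, HOST_B)):
        print(f"== capture on {name} ({host})")
        for p, v in classify(parse_tcpdump(cap), host):
            print(f"{v:19} {p.src} > {p.dst}: {p.info}")
        print("leaks:", len(leaks(parse_tcpdump(cap), host)))
```

For both captures in the post the only cleartext packet on each host is the one addressed to that host, appears within a millisecond of the matching ESP packet, and is labelled decrypted-copy; no cleartext leaves either host unprotected, which is what the "require" policies promise. To confirm that nothing unencrypted is on the wire, the same capture taken on a third machine (a span port or a hub between the two hosts) should contain only the ESP lines.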