2011/1/10, Christoph Leser <le...@sup-logistik.de>:
> Hello,
>
> I have IPSEC VPNs in tunnel mode, configured in ipsec.conf with a line
> like:
>
> ike active esp tunnel from <my_internal_net> to <his_internal_net> peer
> <his_gateway_address> <main_mode_parameters> <quick_mode_parameters>
> <preshared_key>
>
> My isakmpd.policy file is
>
> # cat /etc/isakmpd/isakmpd.policy
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>             esp_present == "yes" &&
>             esp_enc_alg != "null" -> "true";
>
>
> Everything works fine.
>
> But today, one of the remote_gateways was replaced by a misconfigured
> new one, leading to the following phase-2 packet:
>
> 13:29:01.098526 <remote_gateway_ip>.500 > <my_gateway_ip>.500: [udp sum
> ok] isakmp v1.0 exchange QUICK_MODE
>         cookie: 70de03ee348066c9->76aabe706bed52c2 msgid: 301c68c8 len:
> 300
>         payload: HASH len: 24
>         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>             payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP
> spisz: 4 xforms: 1 SPI: 0xcb2d2b94
>                 payload: TRANSFORM len: 32
>                     transform: 1 ID: AES
>                         attribute LIFE_TYPE = SECONDS
>                         attribute LIFE_DURATION = 28800
>                         attribute ENCAPSULATION_MODE = TUNNEL
>                         attribute KEY_LENGTH = 128
>                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>                         attribute GROUP_DESCRIPTION = 2
>         payload: NONCE len: 20
>         payload: KEY_EXCH len: 132
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
> [ttl 0] (id 1, len 328)
>
>
> Please note that both ID parameters in this packet are 0.0.0.0.
>
> This led to a routing entry (made by isakmpd, I suppose):
> # netstat -rn | grep his_ip
> default            0     default            0     0
> <remote_gateway_ip>/esp/use/in
> default            0     default            0     0
> <remote_gateway_ip>/esp/require/out
>
> This route virtually disconnected my gateway from the external and from
> the internal network, no ping to any address was successful.
>
> I would like to ask:
>
> 1. Is it true that isakmpd is supposed to accept any ID parameter of
> type IPV4_ADDR_SUBNET in quick mode and set up a corresponding route,
> even when it is the 'default' route?
>
> 2. What would I have to change to only accept those remote network Ids
> that are configured in ipsec.conf?
>
> Thanks
>
>


--
Martin Pelikán, Steadynet
E-mail: martin.peli...@gmail.com, gpg key  0x7176E4C9
Tel: +420 724 818 573
Jabber: sztor...@jabber.cz
web: http://cap.potazmo.cz/
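The restriction asked for in question 2 can be expressed in isakmpd.policy itself, since the KeyNote policy is what isakmpd consults before it installs the flows negotiated in quick mode. The block below is an added example, not taken from the thread or from any OpenBSD source: the loose policy quoted in the post is shown beside a tightened one that only authorizes a phase-2 proposal whose local and remote selectors fall inside two placeholder networks (10.1.0.0/16 standing in for <my_internal_net>, 10.2.0.0/16 for <his_internal_net>). It assumes the local_filter_addr_lower/upper and remote_filter_addr_lower/upper attributes documented in isakmpd.policy(5), which isakmpd presents as zero-padded dotted quads precisely so that KeyNote's lexicographic string comparison orders addresses correctly; check the attribute names and the padding against the isakmpd.policy(5) manpage of the release in use before relying on it.

```keynote
# /etc/isakmpd/isakmpd.policy -- loose version (as posted).
# Any ESP tunnel with non-null encryption is accepted, whatever
# selectors the peer proposes, including 0.0.0.0/0 <-> 0.0.0.0/0.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# /etc/isakmpd/isakmpd.policy -- tightened version (added example).
# Addresses are compared as zero-padded strings, the form in which
# isakmpd exposes the *_filter_addr_* attributes (assumption: verify
# against isakmpd.policy(5)). A proposal of 0.0.0.0/0.0.0.0 yields
# remote_filter_addr_lower "000.000.000.000" and
# remote_filter_addr_upper "255.255.255.255", which fails the bounds,
# so no SA and no flow are installed for that peer.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            local_filter_addr_lower  >= "010.001.000.000" &&
            local_filter_addr_upper  <= "010.001.255.255" &&
            remote_filter_addr_lower >= "010.002.000.000" &&
            remote_filter_addr_upper <= "010.002.255.255" -> "true";
```

With several peers, write one assertion per peer (or per allowed network pair) rather than widening the bounds; KeyNote returns "true" if any assertion grants it. After reloading, a quick-mode proposal carrying the wildcard IDs from the tcpdump above should be refused, and `netstat -rn` (or `ipsecctl -s flow`) should no longer show a default flow pointing at the remote gateway.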
