Hi, I am trying to set up an IPsec VPN with AH in transport mode followed by ESP
in tunnel mode, i.e. the encapsulation is as follows: IP-ESP-IP-AH-ULP.
I followed the instructions in the Solaris admin manual, but I have the
following problem.
In general all packets are being protected by ESP in tunnel mode; however, AH is
only being applied to packets originating from the local interface of one
gateway to the local interface of the other gateway, meaning that AH is not
being applied to packets originating from machines on the local network.
ifconfig:
elxl1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 3
inet 192.168.101.2 netmask ffffff00 broadcast 192.168.101.255
ether 0:1:2:b2:91:48
elxl2: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 4
inet 192.168.102.2 netmask ffffff00 broadcast 192.168.102.255
ether 0:b0:d0:e6:4c:16
ip.tun0: flags=11028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,ROUTER,IPv4> mtu 1480 index 5
inet tunnel src 192.168.101.2 tunnel dst 192.168.101.1
tunnel security settings --> use 'ipsecconf -ln -i ip.tun0'
tunnel hop limit 60
inet 192.168.102.2 --> 192.168.103.1 netmask ffffff00
My policy is as follows:
# AH transport mode
{raddr 192.168.103.0/24} ipsec {auth_algs hmac-md5 sa shared}
# ESP Tunnel mode
{tunnel ip.tun0 negotiate tunnel raddr 192.168.103.0/24 laddr 192.168.102.0/24} ipsec {encr_algs aes sa shared}
The outgoing SAs on the same gateway are:
add ah spi 0x00000201 \
dst 192.168.103.40 \
auth_alg md5 \
authkey 123456789c123456789c123456789c12
add ah spi 0x00000205 \
dst 192.168.103.40 \
src 192.168.102.30 \
auth_alg md5 \
authkey 123456789f123456789f123456789f12
add esp spi 0x00000202 \
dst 192.168.101.1 \
idst 192.168.103.1/24 \
isrc loc-apollo/24 \
encr_alg aes \
encrkey 123456789d123456789d123456789d12
--
This message posted from opensolaris.org
_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
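Added example, not part of the post and not Solaris code: a minimal AH transport-mode encapsulation (IP-AH-ULP) with HMAC-MD5-96, the authentication the post's AH SAs use, written per RFC 2402/2403 to make visible which bytes the AH ICV covers. The key is the placeholder authkey of the SPI 0x201 SA quoted above, the host addresses are those of the post's second AH SA, and the ULP payload is constructed; IP options are not handled.

```python
"""AH transport mode (IP-AH-ULP) with HMAC-MD5-96, RFC 2402 / RFC 2403.
Added example, not Solaris code: shows which bytes the AH ICV covers."""
import hashlib
import hmac
import struct

# Placeholder key: the authkey of the SPI 0x201 AH SA quoted in the post.
AH_KEY = bytes.fromhex("123456789c123456789c123456789c12")
AH_SPI = 0x00000201
IPPROTO_AH = 51
IPPROTO_UDP = 17
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12        # HMAC-MD5-96: 16-byte MAC truncated to 96 bits


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ipv4_checksum(hdr20: bytes) -> int:
    """One's-complement checksum of a 20-byte header whose checksum field is 0."""
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def _ah_auth_input(packet: bytes) -> bytes:
    """Bytes the ICV is computed over: the IP header with its mutable fields
    zeroed, the AH header with the ICV field zeroed, then the ULP data."""
    ip = bytearray(packet[:20])
    ip[1] = 0                  # TOS (DSCP/ECN)
    ip[6:8] = b"\x00\x00"      # flags + fragment offset
    ip[8] = 0                  # TTL
    ip[10:12] = b"\x00\x00"    # header checksum
    ah_len = (packet[21] + 2) * 4           # payload len field: 32-bit words minus 2
    ah = packet[20:20 + AH_FIXED_LEN] + bytes(ah_len - AH_FIXED_LEN)
    return bytes(ip) + ah + packet[20 + ah_len:]


def ah_transport_encapsulate(src: str, dst: str, ulp_proto: int, ulp: bytes,
                             seq: int, key: bytes = AH_KEY, spi: int = AH_SPI) -> bytes:
    """Wrap ULP data as IP-AH-ULP; the IP protocol becomes 51 and AH's
    next-header field records the original ULP protocol."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip = build_ipv4(src, dst, IPPROTO_AH, ah_len + len(ulp))
    ah_no_icv = struct.pack("!BBHII", ulp_proto, ah_len // 4 - 2, 0, spi, seq)
    draft = ip + ah_no_icv + bytes(ICV_LEN) + ulp
    icv = hmac.new(key, _ah_auth_input(draft), hashlib.md5).digest()[:ICV_LEN]
    return ip + ah_no_icv + icv + ulp


def ah_transport_verify(packet: bytes, key: bytes = AH_KEY) -> bool:
    """Recompute the ICV and compare in constant time (no IP options supported)."""
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or packet[0] != 0x45 or packet[9] != IPPROTO_AH:
        return False
    ah_len = (packet[21] + 2) * 4
    if ah_len != AH_FIXED_LEN + ICV_LEN or len(packet) < 20 + ah_len:
        return False
    received = packet[20 + AH_FIXED_LEN:20 + ah_len]
    expected = hmac.new(key, _ah_auth_input(packet), hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(received, expected)


def demo() -> tuple:
    """Constructed packet from a LAN host (192.168.102.30) to 192.168.103.40,
    the endpoints of the post's second AH SA."""
    ulp = b"\x04\xd2\x00\x35\x00\x13\x00\x00constructed"   # UDP-shaped ULP data
    pkt = ah_transport_encapsulate("192.168.102.30", "192.168.103.40", IPPROTO_UDP, ulp, seq=1)
    # A router decrementing TTL (and fixing the checksum) must not break AH.
    hopped = bytearray(pkt)
    hopped[8] -= 1
    hopped[10:12] = b"\x00\x00"
    hopped[10:12] = struct.pack("!H", _ipv4_checksum(bytes(hopped[:20])))
    # Tampering with the ULP, or a NAT rewriting the source address, must fail.
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01
    natted = bytearray(pkt)
    natted[12:16] = _ip_bytes("10.0.0.1")
    return (ah_transport_verify(pkt), ah_transport_verify(bytes(hopped)),
            ah_transport_verify(bytes(tampered)), ah_transport_verify(bytes(natted)))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The point the example makes for the layering in the post: the AH ICV covers the source and destination addresses of the IP header it is attached to, so for IP-ESP-IP-AH-ULP the transport-mode AH has to be computed on the inner packet that still carries the LAN hosts' addresses, before the tunnel adds its outer IP header and ESP; an AH that only ever sees the gateways' own addresses authenticates only gateway-to-gateway traffic. HMAC-MD5-96 is reproduced here because it is what the quoted SAs use; a new deployment would choose an HMAC-SHA-2 algorithm instead.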