Problems with IPSec policy on 11.2i/itanium2
- From: "martin.espinoza@xxxxxxxxx" <martin.espinoza@xxxxxxxxx>
- Date: Tue, 30 Oct 2007 20:12:49 -0000
I am attempting to use IPSec to secure telnet (and later all
communications) between HP-UX 11.2i/itanium2 and Windows XP. I have
installed IPSec and configured policies following instructions in
documents J4256-90009 (HP-UX IPSec version A.02.00 Administrator's
Guide HP-UX 11 v2), and J4256-90025 (Configuring Microsoft Windows IP
Security to Operate with HP-UX IPSec). I am just trying to use a
preshared key for testing purposes at this time.
As far as I can tell, I have done everything correctly and am still
not getting working results. Below I will place some (partial) log
information - this is not my system - and I will have replaced
occurrences of my IP and the server's IP with CLIENT and SERVER
respectively. I have done this with search and replace, NOT by hand,
so I KNOW that the addresses match and I did not accidentally change
an example that had a different IP. This is the only policy on the
system and while ipfilter is installed there are no filter rules
whatsoever.
In fact, it looks like a policy which should match is configured, but
it never works.
I will include a snip from the debug-equipped audit log at the bottom
that shows the default policy being matched instead of mine. The
master SA *is* established! But there is never any quick mode SA.
$ sudo ipsec_admin -s
----------------- IPSec Status Report -----------------
Time: Tue Oct 30 12:59:49 2007
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Debug
IPSec Audit file: /var/adm/ipsec/auditlogs/auditTue-Oct-30-12-52-51-2007.log
Max Audit file size: 9999 KBytes
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
$ sudo ipsec_config show all
startup
-autoboot ON
-auditlvl DEBUG
-auditdir /var/adm/ipsec/auditlogs
-maxsize 999
-spi_min 0x12c
-spi_max 0x2625a0
-spd_soft 25
-spd_hard 50
auth mespinoz
-remote CLIENT/32
-preshared my_preshared_key
-exchange MM
ike mespinoz
-remote CLIENT/32
-priority 10
-authentication PSK
-group 2
-hash SHA1
-encryption 3DES
-life 28800
-maxqm 100
gateway default
-action FORWARD
host mespinoz
-source CLIENT/32/0
-destination SERVER/32/23
-protocol 6
-priority 10
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host default
-action PASS
cab# ipsec_report -host conf
----------------- Configured Host Policy Rule -------------------
Rule Name: mespinoz ID: 3 Priority: 10
Src IP Addr: CLIENT Prefix: 32 Port number: 0
Dst IP Addr: SERVER Prefix: 32 Port number: 23
Network Protocol: TCP Action: Dynamic key SA
Number of SA(s) Needed: 1 Pair(s)
Proposal 1: Transform: ESP-3DES-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
----------------- Configured Host Policy Rule -------------------
Rule Name: default ID: 1 Action: Pass
cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -sp 65535 -p tcp -dir in
------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass
cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -p tcp -dir in
------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass
The following command was issued after the behavior that produced some
logging output below its output.
$ sudo ipsec_report -mad
------------------------ IKE SA --------------------------
Sequence number: 1
Role: Responder
Local IP Address: SERVER
Remote IP Address: CLIENT
Oakley Group: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-SHA1 Encryption Algorithm: 3DES-CBC
Quick Modes Processed: 0 Lifetime (seconds): 28800
Here are some relevant entries from the debug log as promised:
Msg: 903 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Policy query: IP addr: CLIENT-SERVER port# 0:23 proto: 6 dir: 0.
Msg: 904 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Found Policy rule: default Cookie: 1 Domain: 0 Action: 1 State: 1.
Msg: 905 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Successfully sent User Msg: 3 to 11 len: 552 status: 0.
Msg: 906 From: IKMPD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Received IPSEC_RULE: default for seq 38
Msg: 907 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: IPSEC_RULE: default doesn't require an IPSec SA
Msg: 908 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: Quick Mode processing failed (mess ID 0x381fb15b)
As you can see, a query was issued for my source and destination,
apparently on the proper port and definitely with the proper protocol.
I have a policy which should be matching (named 'mespinoz'). This
policy does not match in normal operation, and I do not get a match
when using ipsec_policy either (as seen above).
Am I doing something wrong? From where I'm sitting it looks like I've
done it all correctly and it's IPSec that's blowing it.
Please send replies to my email address, I will summarize any useful
private-only responses back to the group.
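To make the selector matching that the post is puzzling over concrete, here is a small model of a host policy lookup, written as an added example for this page (it is not the poster's code and not HP-UX IPSec's own implementation). It assumes that rules are evaluated in ascending -priority order with the catch-all default rule last, that a selector port of 0 means "any port", and it substitutes constructed TEST-NET addresses for the CLIENT and SERVER placeholders. With the two rules shown in the ipsec_config output, a TCP/23 query from CLIENT to SERVER matches 'mespinoz' on selectors alone, while a different protocol, destination port, or source address falls through to default, which is the outcome the audit log reports and which ikmpd then rejects because a PASS rule needs no SA.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the CLIENT and SERVER placeholders in the post.
CLIENT = "192.0.2.10"
SERVER = "192.0.2.20"

# A selector is (network, port); port 0 means "any port" (assumption).
Selector = Tuple[ipaddress.IPv4Network, int]


@dataclass
class HostRule:
    name: str
    priority: Optional[int]         # assumed: lower number is evaluated first
    source: Optional[Selector]      # None = any address, any port
    destination: Optional[Selector]
    protocol: Optional[int]         # IP protocol number; None = any
    action: str


def parse_selector(text: str) -> Selector:
    """Parse the 'addr/prefix/port' form printed by ipsec_config show all."""
    addr, prefix, port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), int(port)


def selector_matches(sel: Optional[Selector], addr: str, port: int) -> bool:
    """True when addr is inside the selector's prefix and the port agrees."""
    if sel is None:
        return True
    net, sel_port = sel
    if ipaddress.ip_address(addr) not in net:
        return False
    return sel_port == 0 or sel_port == port


def lookup(rules, src_addr: str, src_port: int,
           dst_addr: str, dst_port: int, proto: int) -> HostRule:
    """Return the first rule whose source, destination and protocol all match.

    Non-default rules are tried in ascending priority; the rule named
    'default' is always tried last, mirroring the catch-all in the post.
    """
    ordered = sorted((r for r in rules if r.name != "default"),
                     key=lambda r: r.priority)
    ordered += [r for r in rules if r.name == "default"]
    for rule in ordered:
        if (selector_matches(rule.source, src_addr, src_port)
                and selector_matches(rule.destination, dst_addr, dst_port)
                and (rule.protocol is None or rule.protocol == proto)):
            return rule
    raise LookupError("no rule matched and no default rule is configured")


# The two host rules from the post's ipsec_config output.
RULES = [
    HostRule("mespinoz", 10,
             parse_selector(f"{CLIENT}/32/0"),
             parse_selector(f"{SERVER}/32/23"),
             6, "ESP_3DES_HMAC_SHA1/28800/0"),
    HostRule("default", None, None, None, None, "PASS"),
]


def classify(src_addr: str, src_port: int,
             dst_addr: str, dst_port: int, proto: int) -> str:
    """Convenience wrapper returning just the matched rule name."""
    return lookup(RULES, src_addr, src_port, dst_addr, dst_port, proto).name


if __name__ == "__main__":
    # The same query the post issued with ipsec_policy (-sp 65535, tcp, dport 23).
    print("telnet CLIENT->SERVER :", classify(CLIENT, 65535, SERVER, 23, 6))
    # Cases that fall through to the PASS rule: wrong protocol, port, or source.
    print("udp   CLIENT->SERVER :", classify(CLIENT, 65535, SERVER, 23, 17))
    print("ssh   CLIENT->SERVER :", classify(CLIENT, 65535, SERVER, 22, 6))
    print("telnet OTHER->SERVER :", classify("192.0.2.11", 1024, SERVER, 23, 6))
```

The point of the model is the check it makes explicit: every one of the three selectors (source prefix and port, destination prefix and port, protocol) has to agree before a dynamic-key rule is chosen, and any single mismatch silently lands on the PASS default, which is exactly the "doesn't require an IPSec SA" failure in the log. When comparing a real query against ipsec_report -host conf, walk those selectors one at a time rather than eyeballing the rule as a whole.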