Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®                                   313

    Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode
    Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established

· On both gateways, the following entries should now exist in the "/proc/net/" directory:

    [root@deep /]# ls -l /proc/net/ipsec_*
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_eroute
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_klipsdebug
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spi
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spigrp
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spinew
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_tncfg
    -r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_version

· The IPSEC interfaces should be attached on top of the specified physical interfaces. Confirm that with:

    [root@deep /]# cat /proc/net/ipsec_tncfg
    ipsec0 -> eth0 mtu=16260 -> 1500
    ipsec1 -> NULL mtu=0 -> 0
    ipsec2 -> NULL mtu=0 -> 0
    ipsec3 -> NULL mtu=0 -> 0

· Now execute the following command to show minimal debugging information and see if the output looks something like this:

    [root@deep /]# ipsec look
    deep.openarch.com Fri Feb  4 17:25:17 EST 2000
    ============-============
    192.168.1.1/32     -> 192.168.1.2/32     => tun0x106@192.168.1.2 esp0x4450894d@192.168.1.2 ah0x4450894c@192.168.1.2
    ------------=------------
    ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
    ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
    esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
    esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
    tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -> 192.168.1.1 life(c,s,h)=add(51656,0,0)
    tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -> 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
    192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
    192.168.1.2     192.168.1.2     255.255.255.255 UGH       0 0          0 ipsec0

· Try pinging 192.168.1.2 from the 192.168.1.1 client. If this works, then you have set it up correctly.

If it does not work, check your network to make sure 208.164.186.1 can reach 208.164.186.2, that TCP-IP forwarding is enabled, and that no firewall rules are blocking the packets or trying to masquerade them before the rules allowing IPSec related traffic. For this test to work, it is important to use pings that go from one subnet to the other.

    208.164.186.1 ---- 205.151.222.250 ---- 205.151.222.251 ---- 208.164.186.2
    |     |
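As an added example (not from the book), the following Python check parses the SA and eroute lines of an `ipsec look` dump like the one above and reports what a complete tunnel needs: an eroute whose chain refers only to existing outbound SAs, and an inbound partner for every outbound AH, ESP and IPIP SA (and vice versa). The embedded sample is the book's own output with the life() fields trimmed; the parsing regexes are assumptions about that output format.

```python
import re

# Constructed sample: the eroute and SA lines of the `ipsec look` output shown above, life() fields trimmed.
SAMPLE_LOOK = """\
192.168.1.1/32     -> 192.168.1.2/32     => tun0x106@192.168.1.2 esp0x4450894d@192.168.1.2 ah0x4450894c@192.168.1.2
ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 idle=499
ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 idle=6
esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 idle=499
esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 idle=6
tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -> 192.168.1.1
tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -> 192.168.1.2 idle=6
"""

# One SA line: "<said> <algorithm>: dir=<in|out> ..." (format assumed from the dump above)
SA_RE = re.compile(r"^(?P<said>(?:ah|esp|tun)0x[0-9a-f]+@[\d.]+) (?P<alg>\S+): dir=(?P<dir>in|out)")
# One eroute line: "<src>/<len> -> <dst>/<len> => <chain of outbound SAs>"
EROUTE_RE = re.compile(r"^(?P<src>[\d./]+)\s+->\s+(?P<dst>[\d./]+)\s+=>\s+(?P<chain>.+)$")


def parse_look(text):
    """Return (eroutes, sas): eroutes maps (src, dst) to its SA chain, sas maps SAID to (alg, dir)."""
    eroutes, sas = {}, {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas[m["said"]] = (m["alg"], m["dir"])
            continue
        m = EROUTE_RE.match(line)
        if m:
            eroutes[(m["src"], m["dst"])] = m["chain"].split()
    return eroutes, sas


def check_tunnel(text):
    """Return a list of problems found in an `ipsec look` dump; an empty list means the tunnel is complete."""
    eroutes, sas = parse_look(text)
    problems = []
    if not eroutes:
        problems.append("no eroute: traffic will not be steered into the tunnel")
    for (src, dst), chain in eroutes.items():
        for said in chain:
            if said not in sas:
                problems.append(f"eroute {src} -> {dst} references missing SA {said}")
            elif sas[said][1] != "out":
                problems.append(f"eroute {src} -> {dst} uses inbound SA {said}")
    # Each AH, ESP and IPIP SA needs a partner of the same kind and algorithm in the other direction.
    for said, (alg, direction) in sas.items():
        kind = said.split("0x")[0]
        wanted = "in" if direction == "out" else "out"
        if not any(s.startswith(kind + "0x") and a == alg and d == wanted for s, (a, d) in sas.items()):
            problems.append(f"{said} ({alg}, dir={direction}) has no dir={wanted} partner")
    return problems
```

Feed it the real dump with `check_tunnel(open("/path/to/ipsec-look.txt").read())` on the gateway; a missing inbound ESP SA, for instance, shows up as a one-line problem instead of having to be spotted by eye.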