Hi,
I am trying to set a policy between 2 machines for all the ports except for 22 (i.e. for tcp); basically I want to bypass ssh. But my policy doesn't seem to work. Here are the entries:
spdadd 1.2.3.4[any] 4.3.2.1[any] any -P out prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 4.3.2.1[any] 1.2.3.4[any] any -P in prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P out prio 1000 none;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P in prio 1000 none;
Security associations are also there and they are fine. I am able to see through tcpdump that the packets from 4.3.2.1 to 1.2.3.4 are encrypted. I am not able to ssh from 4.3.2.1 to 1.2.3.4.
1.2.3.4 => Linux (the issue is on the Linux machine; ssh from Solaris to Linux is not working)
4.3.2.1 => Solaris (bypass for ssh is enabled in ipsecconf)
I tried with priority and without prio; nothing helps.
One thing I noticed is that if I give specific ports in the ipsec policy, then ssh is bypassed, e.g.:
spdadd 1.2.3.4[20] 4.3.2.1[20] any -P out prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 4.3.2.1[20] 1.2.3.4[20] any -P in prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P out prio 1000 none;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P in prio 1000 none;
But if I give [any] for the port in the ipsec policy, then it is not bypassing the ssh.
I also tried inserting the bypass policy before ipsec and after ipsec. It didn't work.
Any info on this will be of great help.
Thank You
Ahamed.
---------- Post updated at 03:20 AM ---------- Previous update was at 03:18 AM ----------
Figured out the issue!!!
We need not specify port 22 for the source IP.
Corrected policy:
spdadd 1.2.3.4[any] 4.3.2.1[any] any -P out ipsec esp/transport//require ah/transport//require;
spdadd 4.3.2.1[any] 1.2.3.4[any] any -P in ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0[22] 0.0.0.0 tcp -P out none;
spdadd 0.0.0.0 0.0.0.0[22] tcp -P in none;
regards,
Ahamed
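As an added example (not the poster's configuration or ipsec-tools code), a small Python matcher for the spdadd selectors used in this thread: it shows that the original bypass selector 0.0.0.0[22] 0.0.0.0[22] can only match a TCP packet whose source and destination ports are both 22, which an SSH connection never produces, while the corrected selectors match the SYN arriving at port 22 and the reply leaving from it. The ephemeral client port 54321 and treating 0.0.0.0 as a wildcard are assumptions, and kernel priority ordering between matching policies is not modelled.

```python
import re
from collections import namedtuple
# spdadd SRC[PORT] DST[PORT] PROTO -P DIR [prio N] POLICY ;   (only the syntax the post uses)
SPDADD = re.compile(
    r"spdadd\s+(\S+?)(?:\[(\w+)\])?\s+(\S+?)(?:\[(\w+)\])?\s+(\w+)\s+-P\s+(in|out)"
    r"(?:\s+prio\s+\d+)?\s+(.+?)\s*;")

Policy = namedtuple("Policy", "src sport dst dport proto direction action")
Packet = namedtuple("Packet", "src sport dst dport proto direction")

def _sel(addr, port):
    """0.0.0.0 is treated as a wildcard (assumption, as the post uses it); an absent or [any] port is a wildcard."""
    return (None if addr == "0.0.0.0" else addr, None if port in ("", "any") else int(port))

def parse_spd(text):
    pols = []
    for src, sport, dst, dport, proto, direction, action in SPDADD.findall(text):
        pols.append(Policy(*_sel(src, sport), *_sel(dst, dport),
                           None if proto == "any" else proto, direction, action.strip()))
    return pols

def matches(pol, pkt):
    return (pol.direction == pkt.direction and pol.proto in (None, pkt.proto)
            and pol.src in (None, pkt.src) and pol.sport in (None, pkt.sport)
            and pol.dst in (None, pkt.dst) and pol.dport in (None, pkt.dport))

def candidate_actions(policies, pkt):
    """Actions of every policy whose selector matches; kernel priority ordering is not modelled."""
    return {p.action for p in policies if matches(p, pkt)}

def bypass_possible(policies, pkt):
    """False means no `none` policy matched at all, so the ESP/AH policy is the only candidate."""
    return "none" in candidate_actions(policies, pkt)

BROKEN = parse_spd("""
spdadd 1.2.3.4[any] 4.3.2.1[any] any -P out prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 4.3.2.1[any] 1.2.3.4[any] any -P in prio 100 ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P out prio 1000 none;
spdadd 0.0.0.0[22] 0.0.0.0[22] tcp -P in prio 1000 none;
""")
FIXED = parse_spd("""
spdadd 1.2.3.4[any] 4.3.2.1[any] any -P out ipsec esp/transport//require ah/transport//require;
spdadd 4.3.2.1[any] 1.2.3.4[any] any -P in ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0[22] 0.0.0.0 tcp -P out none;
spdadd 0.0.0.0 0.0.0.0[22] tcp -P in none;
""")

# Constructed SSH packets on the Linux host 1.2.3.4: SYN from an ephemeral client port (54321 assumed), reply from port 22.
SYN_IN = Packet("4.3.2.1", 54321, "1.2.3.4", 22, "tcp", "in")
REPLY_OUT = Packet("1.2.3.4", 22, "4.3.2.1", 54321, "tcp", "out")
```

Running candidate_actions over both rulesets shows the broken bypass lines never become candidates for either SSH packet, which is why only the ESP/AH policy ever applied.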