What's wrong with my ipsec configuration?

Linusolaradm1 · February 18, 2019, 4:53pm

I want a lan encrypted with ipsec.
This is my /etc/inet/ike/config

p1_xform
  { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
p2_pfs 2

this is my /etc/inet/secret/ike.preshared

# ike.preshared on hostA, 192.168.0.21
#...
{ localidtype IP
    localid 192.168.0.21
    remoteidtype IP
    remoteid 192.168.0.119
    key *****...

}

this is my /etc/inet/ipsecinit.conf

# LAN traffic to and from this host can bypass IPsec.
{laddr 192.168.0.21 dir both} bypass {}

# Lan encrypted
{laddr 10.4.0.0/24 dir both} apply {auth_algs sha256 encr_algs aes sa shared}

Services are actives

for i in ike ipsec/policy;do svcadm refresh $i; done
svcs -a|grep ipse
disabled       22:12:33 svc:/network/ipsec/manual-key:default
online         22:12:56 svc:/network/ipsec/ipsecalgs:default
online         22:50:34 svc:/network/ipsec/ike:default
online         22:50:34 svc:/network/ipsec/policy:default

Interface is active

ifconfig  e1000g1
e1000g1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 10.4.0.1 netmask ffffff00 broadcast 10.4.0.255
        ether SE:CR:ET

But nothing work, no ping,no telnet,nothing.

dmesg said

[ID 726330 kern.error] ipsec_check_global_policy: Dropping inbound secure datagram because it does not match the policy; Source 010.004.000.001, Destination 010.004.000.001.

Linusolaradm1 · February 18, 2019, 6:28pm

Solution found, a lot of errors

First the file

/etc/inet/ike.preshared

must be like this,the ip
to use must be the ip of the tunnel not the ip
of "main" interface.

    # ike.preshared on hostA
    #...
    { localidtype IP
        localid 10.4.0.1
        remoteidtype IP
        remoteid 10.4.0.2
        key keyinhexformat
        # The preshared key can also be represented in hex
    # as in 0xf47cb0f432e14480951095f82b
    # key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
    }

To generate the key in hex I use this command

    echo "mypassword" | od -t x1|head -1|tr -d ' '

The file /etc/inet/ike/config must be similar to this,even in this case use the ip of tunnel,not ip of main interface.

 p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
    p2_pfs 2
    { label "test1-test2" local_addr 10.4.0.1 remote_addr 10.4.0.2 p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes } p2_pfs 5 }

Of course in hostB must be reverse 10.4.0.1 with 10.4.0.2
for both files.

Finally I edit the file /etc/inet/ipsecinit.conf

    {laddr 192.168.0.21 dir both} bypass {}
    {laddr 10.4.0.1 raddr 10.4.0.2} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}

Of course in hostB must be reverse 10.4.0.1 with 10.4.0.2
and 192.168.0.21 must be changed with host main ip of hostB

Now run the script on hostA

 ifconfig ip.tun0 unplumb
    ifconfig ip.tun0 plumb
    ifconfig ip.tun0 10.4.0.1  10.4.0.2 netmask 255.255.255.0 tsrc 192.168.0.21 tdst 192.168.0.199 router up
    for i in ike ipsec/policy;do svcadm refresh $i; done

Now run the script on hostB

    ifconfig ip.tun0 unplumb
        ifconfig ip.tun0 plumb
        ifconfig ip.tun0 10.4.0.2  10.4.0.1 netmask 255.255.255.0 tsrc 192.168.0.199 tdst 192.168.0.21 router up
        for i in ike ipsec/policy;do svcadm refresh $i; done

And all works,tested with ping and snoop.