Any IPSec experts?
I'm trying to set it up on a private network between 3 machines to protect my memcache port.

By all appearances what I have should work, but... not.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Far from calling myself an expert...
We do have a set of wireless networks tied together at the central office via IPSec. The wireless nets are in separate buildings. All but one are behind Comcast static IPs, the last one has a dynamic IP.

Overall, things work well except for outages at the dynamic IP site. It usually takes a site visit to get that going again.

The IPSec network is built on Debian Squeeze and Lenny and uses self-signed certs for authentication.

Getting the first link operational took forever (same situation: it should work, but...), the rest are essentially clones. Debugging the thing is a PITA, although once you get the hang of the logs, it actually starts making sense...

Does that configuration sound like it may help out?



Welp...
Edit:

You only want encrypted traffic to a port between one memcache server machine and two memcache clients.

Beyond what I currently understand...
Edited by folkert Sept. 22, 2012, 09:36:02 PM EDT
Edited by folkert Sept. 22, 2012, 11:18:53 PM EDT
Re: Welp...
Weird... edits don't show up as new threads.

I went with a full traffic encryption between all 3 machines. Seems to work.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Conf files
The main wrinkle is that I only want to encrypt memcached traffic (port 11211), and disallow any unencrypted traffic to that port. I can't figure out how to debug the connections, though.



# Configuration for 192.168.130.12/w01

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w02
add 192.168.130.12 192.168.130.30 ah 0x200 -A hmac-md5
0xSMALLKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 ah 0x300 -A hmac-md5
0xSMALLKEY1;
# w01 -> w03
add 192.168.130.12 192.168.130.53 ah 0x400 -A hmac-md5
0xSMALLKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 ah 0x500 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w02
add 192.168.130.12 192.168.130.30 esp 0x201 -E 3des-cbc
0xBIGKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 esp 0x301 -E 3des-cbc
0xBIGKEY1;
# w01 -> w03
add 192.168.130.12 192.168.130.53 esp 0x401 -E 3des-cbc
0xBIGKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 esp 0x501 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w01 -> w02
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P out ipsec
esp/transport//require
ah/transport//require;

# any -> w01
# 0.0.0.0 without a prefix length is the single host 0.0.0.0; /0 is the wildcard
spdadd 0.0.0.0/0[any] 192.168.130.12[11211] any -P in ipsec
esp/transport//require
ah/transport//require;

# w01 -> w03
spdadd 192.168.130.12[11211] 192.168.130.53[any] any -P out ipsec
esp/transport//require
ah/transport//require;

# w03 -> w01
#spdadd 192.168.130.53 192.168.130.12 any -P in ipsec
#spdadd 192.168.130.53[any] 192.168.130.12[11211] any -P in ipsec
# esp/transport//require
# ah/transport//require;




# Configuration for 192.168.130.30

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w02
add 192.168.130.12 192.168.130.30 ah 0x200 -A hmac-md5
0xSMALLKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 ah 0x300 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w02
add 192.168.130.12 192.168.130.30 esp 0x201 -E 3des-cbc
0xBIGKEY1;
# w02 -> w01
add 192.168.130.30 192.168.130.12 esp 0x301 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w02 -> w01
spdadd 192.168.130.30[any] 192.168.130.12[11211] any -P out ipsec
esp/transport//require
ah/transport//require;

# w01 -> w02
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P in ipsec
esp/transport//require
ah/transport//require;



# Configuration for 192.168.130.53

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
# w01 -> w03
add 192.168.130.12 192.168.130.53 ah 0x400 -A hmac-md5
0xSMALLKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 ah 0x500 -A hmac-md5
0xSMALLKEY1;

# ESP SAs using 192 bit long keys (168 + 24 parity)
# w01 -> w03
add 192.168.130.12 192.168.130.53 esp 0x401 -E 3des-cbc
0xBIGKEY1;
# w03 -> w01
add 192.168.130.53 192.168.130.12 esp 0x501 -E 3des-cbc
0xBIGKEY1;

# Security policies
# w03 -> w01
spdadd 192.168.130.53[any] 192.168.130.12[11211] any -P out ipsec
esp/transport//require
ah/transport//require;

# w01 -> w03
spdadd 192.168.130.12[11211] 192.168.130.53[any] any -P in ipsec
esp/transport//require
ah/transport//require;


Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
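An added consistency check for setkey policy files like the ones above (not code from the thread): it parses the spdadd statements of each host, flags an unprefixed 0.0.0.0 selector (setkey reads it as the single host 0.0.0.0, not as a wildcard), and reports any outbound require policy that has no inbound require counterpart on the peer, which is what lets cleartext reach port 11211. The W01/W02 samples are constructed from the policies in the post, with SAs and keys omitted.

```python
import re

# Constructed samples: the spdadd statements for w01 and w02 from the post.
W01 = """
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 0.0.0.0[any] 192.168.130.12[11211] any -P in ipsec
esp/transport//require
ah/transport//require;
"""
W02 = """
spdadd 192.168.130.30[any] 192.168.130.12[11211] any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.130.12[11211] 192.168.130.30[any] any -P in ipsec
esp/transport//require
ah/transport//require;
"""

def parse_policies(text):
    """Return (src, dst, direction, protocols) for each spdadd statement."""
    pols = []
    for stmt in re.sub(r"#.*", "", text).split(";"):   # statements end with ';'
        tok = stmt.split()
        if tok and tok[0] == "spdadd":
            protos = tuple(t.split("/")[0] for t in tok if "/transport/" in t)
            pols.append((tok[1], tok[2], tok[tok.index("-P") + 1], protos))
    return pols

def covers(in_src, out_src):
    """Does an inbound source selector accept the peer's outbound source?"""
    return in_src == out_src or in_src.split("[")[0] == "0.0.0.0/0"

def audit(configs):
    """configs maps host IP -> setkey text; returns a list of findings."""
    pols = {host: parse_policies(text) for host, text in configs.items()}
    findings = []
    for host, plist in pols.items():
        for src, dst, direction, protos in plist:
            for sel in (src, dst):                       # wildcard written without /0
                if sel.split("[")[0] == "0.0.0.0":
                    findings.append(f"{host}: {sel} is host 0.0.0.0/32, use 0.0.0.0/0")
            if direction != "out":
                continue
            peer = dst.split("[")[0]                     # inbound side must also require IPsec
            match = [p for p in pols.get(peer, [])
                     if p[2] == "in" and p[1] == dst and covers(p[0], src)]
            if not match:
                findings.append(f"{host}: {src}->{dst} has no inbound counterpart on {peer}")
            elif match[0][3] != protos:
                findings.append(f"{host}: protocol mismatch with {peer} for {src}->{dst}")
    return findings
```

Run audit({"192.168.130.12": W01, "192.168.130.30": W02}) to see both findings; rewriting the wildcard as 0.0.0.0/0[any] clears them.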