I am trying to encrypt my wireless traffic with IPsec. My
configuration is as follows:
OpenBSD 3.8 gateway (192.168.100.20) connected to a Linksys access point
via crossover cable.
Macintosh OS X 10.4 (192.168.100.200) AirPort
Windows XP SP2 (192.168.100.120) Intel PRO/Wireless 2200BG

I am using isakmpd on the OpenBSD computer, racoon on OS X and ipseccmd
on Windows. If I configure transport policies the setup works
correctly. However, if I use tunnel, the Macintosh works correctly,
but the Windows computer does not.

Below are the ipseccmd commands I am using for Windows.

Transport mode:
ipseccmd -u

ipseccmd -f 192.168.100.120=192.168.100.0/255.255.255.0 -n ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

ipseccmd -f 192.168.100.0/255.255.255.0=192.168.100.120 -n ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands, I can ping 192.168.100.20. After
several "Negotiating IP Security" messages, I receive replies from the
remote computer. I can ping from the OpenBSD computer to the Windows
computer as well.

Tunnel mode:
ipseccmd -u

ipseccmd -f 192.168.100.120=0.0.0.0/0.0.0.0 -t 192.168.100.20 -n ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

ipseccmd -f 0.0.0.0/0.0.0.0=192.168.100.120 -t 192.168.100.120 -n ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands and pinging 192.168.100.20, I receive
several "Negotiating IP Security" messages again. However, instead of
receiving replies, I now get "Request timed out". If I examine the
Oakley.log file, I can see that the SA is successfully negotiated. I would
expect that if a firewall or some other ICMP block were in place, it
would affect both transport and tunnel mode.

Any suggestions?

thanks,
Michael

Re: IPsec Over Tunnel by Steven

Steven
Wed May 17 18:54:50 CDT 2006

As your setup is described, Windows XP should be using transport for host-to-host
IPsec, and you say it works for that. When you try to use tunnel in a
host-to-host scenario it does not work, which does not surprise me; maybe
it has something to do with the IPsec tunnel endpoint and IP filter list
being on the same network. I think your best bet is to get the Apple
computer to work in transport mode, which is how IPsec should be configured
in a host-to-host network. --- Steve


<Desert.Bound@gmail.com> wrote in message
news:1147908856.114201.322600@38g2000cwa.googlegroups.com...

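As an added check that is not part of the thread: a small Python script that parses Michael's two tunnel-mode ipseccmd lines and applies the Windows tunnel-filter rules from the KB article Steven links later (one-way filters only, inbound -t is this host, outbound -t is the remote gateway), and also flags the overlap Steven mentions, an outbound selector that covers the tunnel endpoint itself. The rule strings are embedded as constructed input, and the '*' and '+' conventions it parses are assumed from ipseccmd's own filter syntax.

```python
import ipaddress
import shlex
from dataclasses import dataclass

THREAD_TUNNEL_RULES = [  # the thread's two tunnel-mode lines, embedded as constructed input
    'ipseccmd -f 192.168.100.120=0.0.0.0/0.0.0.0 -t 192.168.100.20 -n ESP[3DES,SHA]1800s '
    '-a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s',
    'ipseccmd -f 0.0.0.0/0.0.0.0=192.168.100.120 -t 192.168.100.120 -n ESP[3DES,SHA]1800s '
    '-a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s',
]

@dataclass
class Filter:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mirrored: bool                          # selector pair joined with '+' instead of '='
    tunnel: "ipaddress.IPv4Address | None"  # the -t endpoint; None means transport mode

def parse_selector(text: str) -> ipaddress.IPv4Network:
    """One side of a -f spec: '*' = any address, A.B.C.D[/M.M.M.M] = host or subnet."""
    text = text.split(":")[0]               # drop an optional :port suffix
    if text == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)   # 0.0.0.0/0.0.0.0 -> 0.0.0.0/0

def parse_rule(cmd: str) -> Filter:
    """Pull the -f selector pair and the -t tunnel endpoint out of one ipseccmd line."""
    argv = shlex.split(cmd)
    spec = argv[argv.index("-f") + 1]
    tunnel = ipaddress.ip_address(argv[argv.index("-t") + 1]) if "-t" in argv else None
    mirrored = "+" in spec
    src, dst = spec.split("+" if mirrored else "=")
    return Filter(parse_selector(src), parse_selector(dst), mirrored, tunnel)

def check_tunnel_pair(outbound: Filter, inbound: Filter, local: str) -> list:
    """KB 816514 rules: one-way tunnel filters, inbound -t = this host, outbound -t = the
    gateway. Also warns when the outbound selector covers the gateway itself."""
    problems, loc = [], ipaddress.ip_address(local)
    for name, f in (("outbound", outbound), ("inbound", inbound)):
        if f.tunnel is None or f.mirrored:
            problems.append(f"{name}: a tunnel filter needs a -t endpoint and must be one-way")
    if inbound.tunnel is not None and inbound.tunnel != loc:
        problems.append("inbound: -t must be this host's own address")
    if outbound.tunnel is not None and outbound.tunnel == loc:
        problems.append("outbound: -t must be the remote gateway, not this host")
    if outbound.tunnel is not None and outbound.tunnel in outbound.dst:
        problems.append(f"warning: outbound selector {outbound.dst} also covers the gateway {outbound.tunnel}")
    return problems
```

Run against the thread's lines, the KB rules all pass and only the overlap warning fires: the 0.0.0.0/0 outbound selector also matches packets addressed to 192.168.100.20, the tunnel endpoint itself.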
Re: IPsec Over Tunnel by Desert

Desert
Fri May 19 14:41:33 CDT 2006

Actually, the Mac OS X box works fine for both transport and tunnel.
The reason I'm trying to use tunnel is that the OpenBSD is a gateway
box. It will actually have two other interfaces in it (different
networks: 192.168.200.0 and an external one, the Internet connection). I'm
new at configuring IPsec, so maybe I'm misunderstanding, but I thought
that since I'm routing through the OpenBSD box, I want to use tunnel.

I'll try to illustrate:

Internet
|
| (unencrypted)
|
OpenBSD ------- local wired (192.168.200.0 unencrypted)
|
| (192.168.100.0 encrypted)
|
|
wireless AP - - (encrypted)- - - - - Mac OS X
:
: (encrypted)
:
Windows XP

where "|" = wired and ":" and " - " = wireless

The OpenBSD box is not hosting any services beyond NAT and packet
filtering, and thus won't really be an endpoint; rather, it will be
one hop on the route. I am trying to encrypt my traffic between the
wireless clients (Mac OS X and Windows XP) and the OpenBSD box. In
other words, I am trying to encrypt the wireless traffic.

thanks,
Michael


Re: IPsec Over Tunnel by Steven

Steven
Fri May 19 15:42:26 CDT 2006

For what you want to do, as far as I can see, you want to use transport
mode to secure your wireless traffic. That way IPsec will protect
communications from host to host, and that is what I do on occasion on my
home network. Tunnel mode would be used in such cases as when I wanted to
access my Netgear VPN endpoint at home over the Internet from work. In that
case I used IPsec in tunnel mode to connect to the Netgear IPsec endpoint
device so that my traffic would be encrypted over the Internet and then go into
my home network through it as normal network traffic. In tunnel mode the
IPsec traffic is decrypted at the endpoint and then goes onto the
destination network as clear-text traffic. The links below may be helpful in
planning your IPsec implementation. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;816514
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecapa.mspx
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch7.mspx

<Desert.Bound@gmail.com> wrote in message
news:1148067693.244692.303710@j55g2000cwa.googlegroups.com...