
Problems with IPSec policy on 11.2i/itanium2

 
Stephen Spenser

I am attempting to use IPSec to secure telnet (and later all IP-based communications) between HP-UX 11.2i/itanium2 and Windows XP. I have installed IPSec and configured policies following instructions in documents J4256-90009 (HP-UX IPSec version A.02.00 Administrator’s Guide HP-UX 11 v2), and J4256-90025 (Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec). I am just trying to use a preshared key for testing purposes at this time but intend to transition to certificates later.

As far as I can tell, I have done everything correctly and am still not getting working results. Below I will place some (partial) log information - this is not my system - in which I have replaced occurrences of my IP and the server's IP with CLIENT and SERVER respectively. I have done this with search and replace, NOT by hand, so I KNOW that the addresses match and I did not accidentally change an example that had a different IP. This is the only policy on the system, and while ipfilter is installed there are no filter rules whatsoever.

In fact, it looks like a policy which should match is configured, but it never works.

I will include a snip from the debug-equipped audit log at the bottom that shows the default policy being matched instead of mine. The master SA *is* established! But there is never any quick mode SA.


$ sudo ipsec_admin -s

----------------- IPSec Status Report -----------------
Time: Tue Oct 30 12:59:49 2007

secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Debug
IPSec Audit file: /var/adm/ipsec/auditlogs/auditTue-Oct-30-12-52-51-2007.log
Max Audit file size: 9999 KBytes
Level 4 tracing: None
-------------- End of IPSec Status Report -------------

$ sudo ipsec_config show all
startup
-autoboot ON
-auditlvl DEBUG
-auditdir /var/adm/ipsec/auditlogs
-maxsize 999
-spi_min 0x12c
-spi_max 0x2625a0
-spd_soft 25
-spd_hard 50

auth mespinoz
-remote CLIENT/32
-preshared my_preshared_key
-exchange MM

ike mespinoz
-remote CLIENT/32
-priority 10
-authentication PSK
-group 2
-hash SHA1
-encryption 3DES
-life 28800
-maxqm 100

gateway default
-action FORWARD

host mespinoz
-source CLIENT/32/0
-destination SERVER/32/23
-protocol 6
-priority 10
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE

host default
-action PASS

cab# ipsec_report -host conf

----------------- Configured Host Policy Rule -------------------
Rule Name: mespinoz ID: 3 Priority: 10
Src IP Addr: CLIENT Prefix: 32 Port number: 0
Dst IP Addr: SERVER Prefix: 32 Port number: 23
Network Protocol: TCP Action: Dynamic key SA
Number of SA(s) Needed: 1 Pair(s)
Proposal 1: Transform: ESP-3DES-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0

----------------- Configured Host Policy Rule -------------------
Rule Name: default ID: 1 Action: Pass

cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -sp 65535 -p tcp -dir in

------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass

cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -p tcp -dir in

------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass

The following command was issued after the behavior that produced the logging output shown below its output.

$ sudo ipsec_report -mad
------------------------ IKE SA --------------------------
Sequence number: 1
Role: Responder
Local IP Address: SERVER
Remote IP Address: CLIENT
Oakley Group: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-SHA1 Encryption Algorithm: 3DES-CBC
Quick Modes Processed: 0 Lifetime (seconds): 28800

Here are some relevant entries from the debug log as promised:

Msg: 903 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Policy query: IP addr: CLIENT-SERVER port# 0:23 proto: 6 dir: 0.
Msg: 904 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Found Policy rule: default Cookie: 1 Domain: 0 Action: 1 State: 1.
Msg: 905 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Successfully sent User Msg: 3 to 11 len: 552 status: 0.
Msg: 906 From: IKMPD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Received IPSEC_RULE: default for seq 38
Msg: 907 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: IPSEC_RULE: default doesn't require an IPSec SA
Msg: 908 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: Quick Mode processing failed (mess ID 0x381fb15b)

As you can see, a query was issued for my source and destination, apparently on the proper port and definitely with the proper protocol. I have a policy which should be matching (named 'mespinoz'). This policy does not match in normal operation, and I do not get a match when using ipsec_policy either (as seen above).

Am I doing something wrong? From where I'm sitting it looks like I've done it all correctly and it's IPSec that's blowing it.
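The security-relevant detail in the post above is that the rule which actually wins is `host default` with `-action PASS`: when the intended rule fails to match, the telnet session is not blocked, it simply goes out with no IPSec SA, i.e. in cleartext. The following helper is an added example, not code from the original post or from HP's IPSec tooling. It parses the two text formats shown above (host rules from `ipsec_config show all` and the secpolicyd/ikmpd entries from the debug audit log), pairs each policy query with the rule it resolved to, and reports every query that landed on a PASS rule. The sample config and audit text embedded below are constructed from the post; the regexes assume those exact line shapes, which real logs may vary from, and the interpretation of PASS as "traffic flows without IPSec" follows the ikmpd message "default doesn't require an IPSec SA". It does not attempt to explain why the `mespinoz` rule is not selected.

```python
"""Triage helper: which HP-UX IPSec policy queries fell through to a
PASS rule (traffic flowing with no IPSec SA)?

Added example; it only understands the text layouts quoted in the
post above and makes no claim about HP-UX IPSec's rule-matching
internals.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two host rules from the post's
# `ipsec_config show all` output.
CONFIG_TEXT = """\
host mespinoz
-source CLIENT/32/0
-destination SERVER/32/23
-protocol 6
-priority 10
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE

host default
-action PASS
"""

# Constructed sample: secpolicyd/ikmpd entries from the post's audit log.
AUDIT_TEXT = """\
Msg: 903 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Policy query: IP addr: CLIENT-SERVER port# 0:23 proto: 6 dir: 0.
Msg: 904 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Found Policy rule: default Cookie: 1 Domain: 0 Action: 1 State: 1.
Msg: 907 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: IPSEC_RULE: default doesn't require an IPSec SA
"""

# Line shapes assumed from the post; real logs may differ.
QUERY_RE = re.compile(
    r"Policy query: IP addr: ([^\s-]+)-([^\s-]+) port# (\d+):(\d+) "
    r"proto: (\d+) dir: (\d+)"
)
FOUND_RE = re.compile(r"Found Policy rule: (\S+) ")


def parse_host_rules(text):
    """Return {rule_name: {option: value}} for each `host NAME` block."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("host "):
            current = line.split(None, 1)[1]
            rules[current] = {}
        elif line.startswith("-") and current is not None:
            key, _, value = line[1:].partition(" ")
            rules[current][key] = value
    return rules


@dataclass
class QueryResult:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    direction: int
    rule: str      # rule name secpolicyd reported
    action: str    # that rule's configured -action, or "?" if unknown


def correlate(config_text, audit_text):
    """Pair each secpolicyd 'Policy query' with the following 'Found Policy
    rule' line and look up that rule's configured action."""
    rules = parse_host_rules(config_text)
    results, pending = [], None
    for line in audit_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = FOUND_RE.search(line)
        if m and pending is not None:
            src, dst, sp, dp, proto, dirn = pending
            name = m.group(1)
            action = rules.get(name, {}).get("action", "?")
            results.append(QueryResult(src, dst, int(sp), int(dp), int(proto),
                                       int(dirn), name, action))
            pending = None
    return results


def cleartext_fallthrough(results):
    """Queries that resolved to a PASS rule: no IPSec SA, traffic in the clear."""
    return [r for r in results if r.action.upper() == "PASS"]


def default_is_fail_open(config_text):
    """True when the catch-all host rule passes unmatched traffic."""
    return parse_host_rules(config_text).get("default", {}).get("action", "").upper() == "PASS"


if __name__ == "__main__":
    found = cleartext_fallthrough(correlate(CONFIG_TEXT, AUDIT_TEXT))
    for r in found:
        print(f"WARNING: {r.src}:{r.sport} -> {r.dst}:{r.dport} proto {r.proto} "
              f"matched rule '{r.rule}' (action {r.action}): no IPSec SA applied")
    if default_is_fail_open(CONFIG_TEXT):
        print("NOTE: host default is PASS, so any non-matching traffic is unprotected")
```

Run against the post's sample it prints one warning for the CLIENT -> SERVER port 23 query, which is exactly the case the audit log describes: the IKE SA exists, but the telnet traffic itself is being passed without protection rather than failing closed.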