10-30-2007 10:07 AM
Problems with IPSec policy on 11.2i/itanium2
I am attempting to use IPSec to secure telnet (and later all IP-based communications) between HP-UX 11.2i/itanium2 and Windows XP. I have installed IPSec and configured policies following instructions in documents J4256-90009 (HP-UX IPSec version A.02.00 Administrator’s Guide HP-UX 11 v2), and J4256-90025 (Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec). I am just trying to use a preshared key for testing purposes at this time but intend to transition to certificates later.
As far as I can tell, I have done everything correctly and am still not getting working results. Below I will place some (partial) log information - this is not my system - and I will have replaced occurrences of my IP and the server's IP with CLIENT and SERVER respectively. I have done this with search and replace, NOT by hand, so I KNOW that the addresses match and I did not accidentally change an example that had a different IP. This is the only policy on the system and while ipfilter is installed there are no filter rules whatsoever.
In fact, it looks like a policy which should match is configured, but it never works.
I will include a snip from the debug-equipped audit log at the bottom that shows the default policy being matched instead of mine. The master SA *is* established! But there is never any quick mode SA.
$ sudo ipsec_admin -s
----------------- IPSec Status Report -----------------
Time: Tue Oct 30 12:59:49 2007
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Debug
IPSec Audit file: /var/adm/ipsec/auditlogs/auditTue-Oct-30-12-52-51-2007.log
Max Audit file size: 9999 KBytes
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
$ sudo ipsec_config show all
startup
-autoboot ON
-auditlvl DEBUG
-auditdir /var/adm/ipsec/auditlogs
-maxsize 999
-spi_min 0x12c
-spi_max 0x2625a0
-spd_soft 25
-spd_hard 50
auth mespinoz
-remote CLIENT/32
-preshared my_preshared_key
-exchange MM
ike mespinoz
-remote CLIENT/32
-priority 10
-authentication PSK
-group 2
-hash SHA1
-encryption 3DES
-life 28800
-maxqm 100
gateway default
-action FORWARD
host mespinoz
-source CLIENT/32/0
-destination SERVER/32/23
-protocol 6
-priority 10
-action ESP_3DES_HMAC_SHA1/28800/0
-flags NONE
host default
-action PASS
cab# ipsec_report -host conf
----------------- Configured Host Policy Rule -------------------
Rule Name: mespinoz ID: 3 Priority: 10
Src IP Addr: CLIENT Prefix: 32 Port number: 0
Dst IP Addr: SERVER Prefix: 32 Port number: 23
Network Protocol: TCP Action: Dynamic key SA
Number of SA(s) Needed: 1 Pair(s)
Proposal 1: Transform: ESP-3DES-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
----------------- Configured Host Policy Rule -------------------
Rule Name: default ID: 1 Action: Pass
cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -sp 65535 -p tcp -dir in
------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass
cab# ipsec_policy -da SERVER -dp 23 -sa CLIENT -p tcp -dir in
------------------- Active Host Policy Rule ---------------------
Rule Name: default ID: 1 Cookie: 1
Action: Pass
The following command was issued after the behavior that produced the logging output shown below its output.
$ sudo ipsec_report -mad
------------------------ IKE SA --------------------------
Sequence number: 1
Role: Responder
Local IP Address: SERVER
Remote IP Address: CLIENT
Oakley Group: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-SHA1 Encryption Algorithm: 3DES-CBC
Quick Modes Processed: 0 Lifetime (seconds): 28800
Here are some relevant entries from the debug log as promised:
Msg: 903 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Policy query: IP addr: CLIENT-SERVER port# 0:23 proto: 6 dir: 0.
Msg: 904 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Found Policy rule: default Cookie: 1 Domain: 0 Action: 1 State: 1.
Msg: 905 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Successfully sent User Msg: 3 to 11 len: 552 status: 0.
Msg: 906 From: IKMPD Lvl: INFORMATIVE Date: Tue Oct 30 11:06:10 2007
Event: Received IPSEC_RULE: default for seq 38
Msg: 907 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: IPSEC_RULE: default doesn't require an IPSec SA
Msg: 908 From: IKMPD Lvl: ERROR Date: Tue Oct 30 11:06:10 2007
Event: Quick Mode processing failed (mess ID 0x381fb15b)
As you can see, a query was issued for my source and destination, apparently on the proper port and definitely with the proper protocol. I have a policy which should be matching (named 'mespinoz'.) This policy does not match in normal operation, and I do not get a match when using ipsec_policy either (as seen above.)
Am I doing something wrong? From where I'm sitting it looks like I've done it all correctly and it's IPSec that's blowing it.
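The rule table and the logged policy query in the post above are worth replaying against a small policy matcher, because the query (CLIENT to SERVER, port 0:23, protocol 6) does match the "mespinoz" rule if the rule's -source and -destination are read literally as the packet's on-the-wire addresses, yet secpolicyd returned "default". The example below is an added illustration, not HP-UX IPSec code and not the original poster's; it does not claim to reproduce secpolicyd's algorithm. It shows the one difference in interpretation that makes the observed result fall out: treating -source as the local endpoint and -destination as the remote one, which is the first thing to check against the A.02.00 Administrator's Guide's definition of those parameters before concluding the product is at fault. The CLIENT/SERVER addresses are replaced by constructed documentation-range addresses, the "lower priority number wins" tie-break and the default rule's priority value are assumptions, and the second rule table is a hypothetical rewrite of the poster's rule with the endpoints swapped. It also shows why a default host policy of PASS matters: when the intended rule is not selected, telnet goes through in cleartext rather than failing closed.

```python
"""
Toy IPsec security-policy-database (SPD) lookup, added as an illustration.
NOT HP-UX IPSec code; the rule table and the query are transcribed from the
forum post, with CLIENT/SERVER replaced by constructed placeholder addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed stand-ins (RFC 5737 documentation range) for the post's placeholders.
CLIENT = "192.0.2.10"   # the Windows XP side
SERVER = "192.0.2.20"   # the HP-UX side, the host evaluating the policy


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # assumption: lower number is evaluated first / wins
    src: str        # CIDR; "0.0.0.0/0" = any (the post's -source  addr/prefix)
    sport: int      # 0 = any port                         (.../port)
    dst: str        # CIDR                                  (-destination)
    dport: int      # 0 = any port
    proto: int      # 0 = any protocol; 6 = TCP (the post's -protocol 6)
    action: str     # "PASS", "DISCARD", or a transform such as "ESP_3DES_HMAC_SHA1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


# Rules exactly as 'ipsec_config show all' printed them in the post.
RULES: List[Rule] = [
    Rule("mespinoz", 10, f"{CLIENT}/32", 0, f"{SERVER}/32", 23, 6, "ESP_3DES_HMAC_SHA1"),
    Rule("default", 1_000_000, "0.0.0.0/0", 0, "0.0.0.0/0", 0, 0, "PASS"),  # priority assumed
]

# Hypothetical rewrite: -source = local host (SERVER:23), -destination = remote (CLIENT:any).
RULES_LOCAL_FIRST: List[Rule] = [
    Rule("mespinoz", 10, f"{SERVER}/32", 23, f"{CLIENT}/32", 0, 6, "ESP_3DES_HMAC_SHA1"),
    RULES[1],
]

# Same as RULES, but with a fail-closed default so a policy miss is visible, not cleartext.
RULES_FAIL_CLOSED: List[Rule] = [RULES[0], Rule("default", 1_000_000, "0.0.0.0/0", 0, "0.0.0.0/0", 0, 0, "DISCARD")]

# The query secpolicyd logged: "IP addr: CLIENT-SERVER port# 0:23 proto: 6" (inbound telnet).
INBOUND_TELNET = Packet(src=CLIENT, sport=0, dst=SERVER, dport=23, proto=6)


def _match(rule: Rule, a_ip: str, a_port: int, b_ip: str, b_port: int, proto: int) -> bool:
    """Compare an (a -> b) address/port pair against the rule's src/dst fields."""
    if rule.proto not in (0, proto):
        return False
    if ip_address(a_ip) not in ip_network(rule.src):
        return False
    if ip_address(b_ip) not in ip_network(rule.dst):
        return False
    if rule.sport not in (0, a_port):
        return False
    return rule.dport in (0, b_port)


def _best(hits: List[Rule]) -> Rule:
    if not hits:
        raise LookupError("no rule matched, not even a default")
    return min(hits, key=lambda r: r.priority)


def lookup_literal(rules: List[Rule], pkt: Packet) -> Rule:
    """Interpretation 1: -source/-destination are the packet's on-the-wire src/dst."""
    return _best([r for r in rules if _match(r, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)])


def lookup_local_remote(rules: List[Rule], pkt: Packet, local_ip: str) -> Rule:
    """Interpretation 2 (assumption to verify against the manual): -source is the
    local endpoint and -destination the remote one, so inbound packets are
    flipped before matching and one rule covers both directions."""
    if pkt.dst == local_ip:          # inbound: local end is the packet destination
        a, ap, b, bp = pkt.dst, pkt.dport, pkt.src, pkt.sport
    elif pkt.src == local_ip:        # outbound: local end is the packet source
        a, ap, b, bp = pkt.src, pkt.sport, pkt.dst, pkt.dport
    else:
        raise ValueError("packet does not involve the local host")
    return _best([r for r in rules if _match(r, a, ap, b, bp, pkt.proto)])


if __name__ == "__main__":
    print("literal      :", lookup_literal(RULES, INBOUND_TELNET).name)                  # mespinoz
    print("local/remote :", lookup_local_remote(RULES, INBOUND_TELNET, SERVER).name)     # default (PASS)
    print("swapped rule :", lookup_local_remote(RULES_LOCAL_FIRST, INBOUND_TELNET, SERVER).name)
    print("fail-closed  :", lookup_local_remote(RULES_FAIL_CLOSED, INBOUND_TELNET, SERVER).action)
```

Under the literal reading the posted rule is selected; under the local/remote reading the same inbound telnet SYN falls through to "default", which is exactly the pair of audit messages 904 and 907 in the post ("Found Policy rule: default" followed by "default doesn't require an IPSec SA"), and the swapped rule is selected instead. Whichever reading HP-UX IPSec actually uses is settled by the manual, not by this toy, but the fail-closed table is the general lesson: with "host default -action PASS" a policy mismatch silently downgrades telnet to cleartext, whereas a DISCARD default turns the mismatch into a connection failure that the ipsec_policy query and the audit log expose immediately.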
- Tags:
- ipsec