I have a Solaris machine sitting out in the ether somewhere that I would like to make part of my network via IPsec. I have this working between Solaris machines but not between Solaris and Linux.
I think the basic problem is that Solaris only does IPsec tunnel mode in the same ways as Cisco IPsec Virtual Tunnel Interfaces - i.e. an IP-in-IP tunnel secured by IPsec. I don't really know how to replicate this on Linux. I do want the tunnel to have an IP address, because the remote host isn't routing a local network - just itself.
Solaris
The Solaris config looks like this:
# ipsecinit.conf
{tunnel ip.tun0 negotiate tunnel}
ipsec {encr_algs AES-CBC encr_auth_algs HMAC-SHA1 auth_algs HMAC-SHA1 sa shared}
# hsotname.ip.tun0
130.95.13.254 130.95.13.253 tsrc 192.168.13.20 tdst 130.95.13.20 router up
# ike.config
{ label "manduba192-musundo"
local_addr 192.168.13.20
remote_addr 130.95.13.20
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
p2_pfs 5
}
This produces SAs that look like this:
SA: flags=0xc0038000 < X_USED X_PAIRED X_OUTBOUND X_UNIQUE X_TUNNEL >
SRC: Source address (proto=4/ipip)
SRC: AF_INET: port 0, 192.168.13.20 (manduba192.ucc.gu.uwa.edu.au).
DST: Destination address (proto=4/ipip)
DST: AF_INET: port 0, 130.95.13.20 (musundo.ucc.gu.uwa.edu.au).
INS: Inner source address (proto=0/<unspecified>)
INS: AF_INET: port 0, 0.0.0.0 <unspecified>.
IND: Inner destination address (proto=0/<unspecified>)
IND: AF_INET: port 0, 0.0.0.0 <unspecified>.
KMC: Protocol 1, cookie="manduba192-musundo" (3)
Linux
I don't really know how to replicate this in Linux. I've tried this:
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec
esp/tunnel/130.95.13.126-192.168.13.20/use
ah/tunnel/130.95.13.126-192.168.13.20/use;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.13.20-130.95.13.126/use
ah/tunnel/192.168.13.20-130.95.13.126/use;
which I can then presumably put an IPIP tunnel over the top of? But the IKE negotiation fails due to SPD mismatch.
Any ideas?
