secure traffic in 1 direction

From: Matthias (matthias_at_blankenhaus.com)
Date: 10/28/04


Date: 28 Oct 2004 14:29:13 -0700

Hello!

I am using IPSEC to implement security policies. I am trying to
secure ICMP traffic (for testing purposes) between two hosts in only
one direction using transport mode. In other words, I want the ICMP
request to be IPsec'ed and the ICMP reply not. Here is my
configuration:

Node 10.1.1.201:
{
        laddr 10.1.1.201
        raddr 10.1.1.200
        ulp icmp
        dir in
} ipsec {
        auth_algs SHA1
        sa unique
}

Node 10.1.1.200:
{
        saddr 10.1.1.200
        daddr 10.1.1.201
        ulp icmp
} apply {
        dir out
        auth_algs SHA1
        sa unique
}

On 10.1.1.200 when I issue a "ping 10.1.1.2001" it hangs? Is my
config screwed up, or is this in general not possible with IPSEC?

Thanks a lot,
Matthias
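
As an added example (not from the post and not Solaris code), the checker below parses the two policies quoted above and compares, per direction, what the sender applies outbound with what the receiver expects inbound. The addresses, keywords and algorithms are taken from the post; the normalisation rules (laddr/raddr with dir in the pattern versus saddr/daddr with dir in the apply block, apply defaulting to out, permit to in, no entry meaning cleartext) are this example's assumptions about the two ipsecconf syntaxes.

```python
import re

# The two policies quoted in the post, embedded as the example's constructed input.
NODE_201 = "{ laddr 10.1.1.201 raddr 10.1.1.200 ulp icmp dir in } ipsec { auth_algs SHA1 sa unique }"
NODE_200 = "{ saddr 10.1.1.200 daddr 10.1.1.201 ulp icmp } apply { dir out auth_algs SHA1 sa unique }"

RULE = re.compile(r"\{([^}]*)\}\s*(\w+)\s*\{([^}]*)\}")

def parse_policy(text):
    """Normalise each '{pattern} action {props}' entry to local/remote/ulp/dir/prot.
    Assumption: laddr/raddr carry 'dir' in the pattern (default both); saddr/daddr
    are packet src/dst with 'dir' in the props (apply defaults to out, permit to in)."""
    rules = []
    for pattern, action, props in RULE.findall(text):
        kv = dict(re.findall(r"(\w+)\s+(\S+)", pattern + " " + props))
        if "laddr" in kv:
            local, remote, direction = kv["laddr"], kv["raddr"], kv.get("dir", "both")
        else:
            direction = kv.get("dir", "in" if action == "permit" else "out")
            src, dst = kv["saddr"], kv["daddr"]
            local, remote = (src, dst) if direction == "out" else (dst, src)
        if action == "bypass":
            prot = "clear"
        elif "encr_algs" in kv:
            prot = "esp:" + kv["encr_algs"].lower()
        else:
            prot = "ah:" + kv.get("auth_algs", "?").lower()
        rules.append({"local": local, "remote": remote, "ulp": kv.get("ulp", "any"),
                      "dir": direction, "prot": prot})
    return rules

def lookup(rules, local, remote, ulp, direction):
    """Protection a host applies or expects for one flow; no entry means cleartext."""
    for r in rules:
        if (r["local"], r["remote"]) == (local, remote) and r["ulp"] in (ulp, "any") \
                and r["dir"] in (direction, "both"):
            return r["prot"]
    return "clear"

def check_flow(sender_rules, receiver_rules, src, dst, ulp):
    """Return (sender outbound, receiver inbound, consistent) for one direction."""
    out = lookup(sender_rules, src, dst, ulp, "out")
    inb = lookup(receiver_rules, dst, src, ulp, "in")
    return out, inb, out == inb

def check_post_configs():
    """Check the ICMP request (200 -> 201) and the reply (201 -> 200) separately."""
    n201, n200 = parse_policy(NODE_201), parse_policy(NODE_200)
    request = check_flow(n200, n201, "10.1.1.200", "10.1.1.201", "icmp")
    reply = check_flow(n201, n200, "10.1.1.201", "10.1.1.200", "icmp")
    return request, reply

if __name__ == "__main__":
    for name, (out, inb, ok) in zip(("request", "reply"), check_post_configs()):
        print(f"{name}: sender {out}, receiver {inb}, consistent={ok}")
```

With the post's two policies the request direction pairs AH/SHA1 on both sides and the reply direction is cleartext on both sides, so the policies themselves are consistent for one-way protection.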
