EzDevInfo.com

ipsec interview questions

Top ipsec frequently asked interview questions

sendmsg fails with error code 3 (ESRCH)

OS: Linux 2.6.24 (x86)

My application runs on a server where several clients connect to it on UDP port 4500.
Intermittently, the application fails to send UDP traffic to clients on UDP port 4500.

This is because the sendmsg system call fails with error code 3 (ESRCH).
The man page for sendmsg doesn't mention the error ESRCH.

The problem doesn't resolve even after killing the application and relaunching it.
UDP traffic on other ports is working fine.

Rebooting the server is the only solution.

With kernel 2.6.11, I haven't seen issues like this.

Any idea on how to debug this issue?


Source: (StackOverflow)

Difference between KLIPS and Netkey IPSEC stacks in Linux

I know both are IPSEC stacks in the Linux kernel and that KLIPS is older and Netkey is newer, but other than that I find no other documentation of them. I want to know the real technical differences between them. Is there anyone here who can tell me the difference or share some documentation source?

Any help would be appreciated.


Source: (StackOverflow)


How to use ipsec on a LAN without vpn

Is it possible to transfer data between computers (Windows 7) in a LAN using IPSEC (for authentication and encryption) but without VPN? If yes how? All the information I found related to possible solutions include VPN.


Source: (StackOverflow)

IPSec vs OpenSSL vs PGP [closed]

IPSec is employed at the IP level, SSL at the transport level and PGP at the application level. In some lecture notes it says:

IPSEC: Most general solution but least flexible
SSL: Still very general and some flexibility
PGP: Least general but very flexible.

I guess the general refers to what kind of protocol I can secure. With IPSEC I can secure everything that uses TCP or UDP. PGP is the least general because it just encrypts emails and is therefore very specific. Is that understanding right?

However, I have no idea what the flexibility refers to in this context; does anyone have an idea? Does this have to do with extensibility?

Thanks


Source: (StackOverflow)

shrewsoft command line interface to connect and terminate vpn on ubuntu

Shrewsoft [1] provides a command line interface for setting up the VPN tunnel automatically, without any user intervention, e.g. by using the following command:

ikec -u username -p password -r configuration -a

Is there any way to detect whether the connect attempt was successful, such as by reading live logs, and how can we terminate the VPN tunnel after some time using the command line? Any help will be appreciated.


Source: (StackOverflow)

Create a L2TP/IPSec VPN connection programmatically in Android

I read that Android >= 4 no longer includes VPN connection profiles (e.g. L2TP/IPSec) and provides just a base handler, VpnService.

Now that we have to implement everything ourselves, is there any Java library which provides basic L2TP/IPSec communication code?

I want to be able to take this library, integrate it with VpnService and use it in the Android app.

Thanks in advance everyone.


Source: (StackOverflow)

Methods of programmatically altering ipsec rules with C#?

The only method I know of to execute IPsec changes involves calling netsh to make the changes. Is there a method using System.Management and WMI objects directly? If so, what is it? I am having a hard time finding relevant WMI information on MSDN.

Or is there some other useful method someone out there has used?

EDIT: I am working in C#, and would prefer C# examples with regard to .NET System.Management based answers.

Thank you!


Source: (StackOverflow)

Adding custom Single-Block symmetric Cipher in 3.9.11 kernel's crypto API

I have developed a Single-Block symmetric Cipher [CIPHER] algorithm for IPsec in the crypto API of kernel 3.9.11. After loading the .ko module into the kernel I can see my algorithm's information in /proc/crypto.

Now the problem comes when I want to establish an IPsec tunnel between two Linux machines and I get the error

"tun/1x1": requested kernel enc ealg_id=254 not present

When I searched the code to pinpoint the problem, I found that there is a function xfrm_probe_algs whose purpose is to check the availability of crypto algorithms. In this function the line

status = crypto_has_ablkcipher(ealg_list[i].name, 0, 0);

seems to check for "Asynchronous multi-block ciphers" only. However, the algorithm that I have written is of the type "Single-Block symmetric Cipher", and because of this my algorithm does not work properly. I would like to know whether there is any way I can use my single-block symmetric cipher in IPsec tunnels in the 3.9.11 kernel or not.

Best Regards


Source: (StackOverflow)

android - How to connect to a VPN programmatically that has been manually configured?

INTRODUCTION

Many questions have been asked about the configuration of the VPN connections. Probably the most famous with its important answer is this one. The closest question to my needs is the following one.

But I have not found the answer I am looking for yet.

  1. I have manually configured an IPSEC Xauth PSK connection using the Android native VPN connection section (example image).
  2. I have established the connection to the VPN for the first time in order to check the "Save account information" checkbox, so I will always have the credentials saved without prompting the user to enter them again.

QUESTION

How can I connect programmatically to this VPN connection?

Because I have set up everything I need, it is not necessary to specify any host, username or password during the programmatic connection (because I have already done it manually in the above steps).


Source: (StackOverflow)

IKEv2 Rekeying of IKE_SA using CREATE_CHILD_SA message

I have a confusion regarding the rekeying procedure of the IKE_SA in IKEv2. My confusion is: when rekeying of the IKE_SA is done, whether the respective keys of the CHILD_SAs, i.e. ESP or AH SAs, would change or not. As per RFC 7296, in the rekeying procedure of the IKE_SA a new SKEYSEED would be generated and then a new set of {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr), i.e. a new SK_d is generated. So, using these new values, whether new KEYMAT would be generated or not in this way, KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr), and whether using this new ESP/AH keys would be generated or enforced or not. Can anyone say something on this? I need a quick response. Please comment if you know about this.


Source: (StackOverflow)
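The derivation the question above quotes, carried through in code as an added example (not part of the question or of any IKEv2 implementation): it instantiates RFC 7296's prf+ with HMAC-SHA-256 and assumes AES-128/HMAC-SHA-256-128 key sizes; nonces, SPIs and DH shared secrets are passed in as bytes, and the only SK_d that ever feeds a Child SA's KEYMAT is the one belonging to the IKE SA exchange that created or rekeyed that Child SA.

```python
import hashlib
import hmac

# IKEv2 key derivation per RFC 7296 sections 2.13, 2.14, 2.17 and 2.18, with
# PRF_HMAC_SHA2_256. Key sizes assumed for this example: SK_d/SK_p = prf key
# length (32), SK_a = 32 (HMAC-SHA-256-128), SK_e = 16 (AES-128).
PRF_LEN, INTEG_KEY_LEN, ENC_KEY_LEN = 32, 32, 16


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S | 0x01) and
    # Tn = prf(K, Tn-1 | S | n); the counter is one byte, so at most 255 blocks.
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def ike_sa_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    # {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    sizes = [("SK_d", PRF_LEN), ("SK_ai", INTEG_KEY_LEN), ("SK_ar", INTEG_KEY_LEN),
             ("SK_ei", ENC_KEY_LEN), ("SK_er", ENC_KEY_LEN), ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name], pos = stream[pos:pos + n], pos + n
    return keys


def initial_skeyseed(g_ir: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(ni + nr, g_ir)  # SKEYSEED = prf(Ni | Nr, g^ir), IKE_SA_INIT (section 2.14)


def rekey_skeyseed(old_sk_d: bytes, g_ir_new: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr), Ni/Nr from the CREATE_CHILD_SA
    # exchange that rekeys the IKE SA (section 2.18).
    return prf(old_sk_d, g_ir_new + ni + nr)


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"",
                 length: int = 2 * (ENC_KEY_LEN + INTEG_KEY_LEN)) -> bytes:
    # KEYMAT = prf+(SK_d, Ni | Nr), or prf+(SK_d, g^ir (new) | Ni | Nr) when the Child SA
    # exchange carried a KE payload (section 2.17). It is computed only when a Child SA
    # is created or rekeyed, so an IKE SA rekey by itself does not re-run this function.
    return prf_plus(sk_d, g_ir + ni + nr, length)
```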

What's the point of using L2TP together with IPSec?

According to my limited understanding, IPSec authenticates peers and encapsulates/encrypts IP packets in tunnel mode.

On the other hand, L2TP itself does not offer authentication/encryption, but offers encapsulation, which is already achieved by IPSec.

In my application, I would like to secure end-to-end data transfer using IPSec. I am also considering "L2TP/IPSec" but cannot figure out which L2TP feature is not offered by IPSec? Why would I choose to use L2TP/IPSec rather than IPSec alone?


Source: (StackOverflow)

Amazon VPC to VPC connection

I have created an Amazon EC2 Linux instance running Racoon, and it is trying to connect to another Amazon VPC IPSec interface. I use my Elastic IP address as the customer gateway, but I'm getting these failures.

Does anyone have an idea regarding this?

2013-04-04 12:43:29: DEBUG: db :0x7f2583cda3b0: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=fwd
2013-04-04 12:43:29: DEBUG: sub:0x7fff9bd61ba0: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in
2013-04-04 12:43:29: DEBUG: db :0x7f2583cda630: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in

2013-04-04 12:43:29: DEBUG: suitable inbound SP found: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in.


2013-04-04 12:43:29: DEBUG: new acquire 169.254.255.94/30[0] 169.254.255.93/30[0] proto=any dir=out

2013-04-04 12:43:29: [72.21.209.192] DEBUG: configuration "72.21.209.192[500]" selected.

2013-04-04 12:43:29: DEBUG: getsainfo params: loc='169.254.255.94/30' rmt='169.254.255.93/30' 
peer='NULL' client='NULL' id=0

2013-04-04 12:43:29: DEBUG: evaluating sainfo: loc='169.254.255.90/30', rmt='169.254.255.89/30', 
peer='ANY', id=0

2013-04-04 12:43:29: DEBUG: check and compare ids : value mismatch (IPv4_subnet)

2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.94/30'

2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.90/30'

2013-04-04 12:43:29: DEBUG: evaluating sainfo: loc='169.254.255.94/30', rmt='169.254.255.93/30', 
peer='ANY', id=0

2013-04-04 12:43:29: DEBUG: check and compare ids : values matched (IPv4_subnet)

2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.94/30'

2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.94/30'

2013-04-04 12:43:29: DEBUG: check and compare ids : values matched (IPv4_subnet)

2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.93/30'

2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.93/30'

2013-04-04 12:43:29: DEBUG: selected sainfo: loc='169.254.255.94/30', rmt='169.254.255.93/30', 
peer='ANY', id=0

2013-04-04 12:43:29: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel 
reqid=0:0)

2013-04-04 12:43:29: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha)

2013-04-04 12:43:29: DEBUG: in post_acquire

2013-04-04 12:43:29: [72.21.209.192] DEBUG: configuration "72.21.209.192[500]" selected.

2013-04-04 12:43:29: INFO: IPsec-SA request for 72.21.209.192 queued due to no phase1 found.

2013-04-04 12:43:29: DEBUG: ===

2013-04-04 12:43:29: INFO: initiate new phase 1 negotiation: 54.236.196.228[500]<=>72.21.209.192[500]

2013-04-04 12:43:29: INFO: begin Identity Protection mode.

2013-04-04 12:43:29: DEBUG: new cookie:
6d61a8ce6f870d1d

2013-04-04 12:43:29: DEBUG: add payload of len 52, next type 13

2013-04-04 12:43:29: DEBUG: add payload of len 16, next type 0

2013-04-04 12:43:29: ERROR: phase1 negotiation failed due to send error. 
6d61a8ce6f870d1d:0000000000000000

2013-04-04 12:43:29: ERROR: failed to begin ipsec sa negotication.

Source: (StackOverflow)

Openswan on EC2 VPC

I am working on establishing a VPN tunnel between our VPC on Amazon and a client network; the client uses public IP addresses behind their firewall and requested that our servers in the VPC use public IPs as well.

The purpose of the connection is for our application server and their application server to be able to communicate.

Here's what the topology looks like:

107.x.x.x <--> 107.y.y.y <--> AWS InternetGateway <--> Internet <--> 213.a.a.a <-->213.b.b.b

where:

107.x.x.x: Our application server (internal IP 10.0.0.10)
107.y.y.y: Our Openswan server (internal IP 10.0.0.11)
213.a.a.a: The customer VPN endpoint IP
213.b.b.b: The customer application server

We managed to bring the tunnel up, but whenever we try to ping 213.b.b.b we get "Destination Host Unreachable".

Here is the ipsec.conf:

left=10.0.0.10
leftsubnet=107.x.x.x/32
leftid=107.y.y.y
leftsourceip=107.y.y.y
right=213.a.a.a
rightid=10.9.5.34
rightsubnet=213.b.b.b/32
authby=secret
keyingtries=3
rekey=no
keyexchange=ike
ikelifetime=86400s
phase2alg=3DES-MD5;modp1024
forceencaps=yes
pfs=no

Thanks in Advance


Source: (StackOverflow)

Using IPsec to ensure traffic between the peers is always encrypted

I have implemented an IPsec connection between two peers using openswan on CentOS 6. This is running fine and I can see that the traffic is encrypted. However, if for whatever reason the IPsec tunnel no longer exists (maybe someone turned it off, maybe it crashed, etc.), traffic will still flow between the peers as unencrypted traffic.

How can I ensure that traffic between these two peers is always sent encrypted with IPsec, or that no traffic between the peers is accepted otherwise?

Iptables does not seem to help, as the packets go through the iptables rules twice: once encrypted and once again unencrypted.

Thanks in advance.


Source: (StackOverflow)

Set up VPN programmatically on android

I need to implement VPN IPsec on Android programmatically, i.e. connecting and disconnecting on the click of a button inside my own app, without asking the user explicitly. I searched a lot but didn't find any answer. I came across VpnService (http://developer.android.com/reference/android/net/VpnService.html) and its implementation, i.e. ToyVpn (https://android.googlesource.com/platform/development/+/master/samples/ToyVpn/src/com/example/android/toyvpn/).

Some of the threads already discussing the same:

But I didn't find any satisfactory answer. What I inferred is that either I have to write the whole implementation myself, or it is something about a hidden API in Android. I really need to implement this whole thing quickly. Can anyone help me with that? Thanks in advance.


Source: (StackOverflow)