ipsec interview questions
Top ipsec frequently asked interview questions
OS: Linux 2.6.24 (x86)
My application runs on a server where several clients connect to it on UDP port 4500.
Intermittently, the application fails to send UDP traffic to clients on UDP port 4500.
This is because the sendmsg system call fails with error code 3 (ESRCH).
The man page for sendmsg doesn't talk about the error ESRCH.
The problem doesn't resolve even after killing the application and relaunching it.
UDP traffic on other ports working fine
Rebooting the server is the only solution.
With kernel 2.6.11, I haven't seen issues like this.
Any idea on how to debug this issue?
Source: (StackOverflow)
I know both are IPSEC stacks in the Linux kernel and that KLIPS is older and Netkey is newer, but other than that I find no other documentation of them. I want to know the real technical differences between them. Is there anyone here who can tell me the difference or share some documentation source?
Any help would be appreciated.
Source: (StackOverflow)
Is it possible to transfer data between computers (Windows 7) in a LAN using IPSEC (for authentication and encryption) but without VPN? If yes how? All the information I found related to possible solutions include VPN.
Source: (StackOverflow)
IPSec is employed at the IP level, SSL at the transport level and PGP at the application level. In some lecture notes it says:
IPSEC: Most general solution but least flexible
SSL: Still very general and some flexibility
PGP: Least general but very flexible.
I guess "general" refers to what kind of protocol I can secure. With IPSEC I can secure everything that uses TCP or UDP. PGP is the least general because it just encrypts emails and is therefore very specific. Is that understanding right?
However, I have no idea what "flexibility" refers to in this context; does anyone have an idea? Does this have to do with extensibility?
Thanks
Source: (StackOverflow)
Shrewsoft [1] provides a command line interface for setting up the VPN tunnel automatically without any user intervention, such as by using the following command:
ikec -u username -p password -r configuration -a
Is there any way to detect if the connect attempt was successful, such as by reading live logs, and how can we terminate the VPN tunnel after some time using the command line? Any help will be appreciated.
Source: (StackOverflow)
I read that Android >=4 no longer includes VPN Connection Profiles (e.g. L2TP/IPSec) and provides just a base handler, VpnService.
Now that we have to implement everything ourselves, is there any Java library which provides basic L2TP/IPSec communication code?
I want to be able to take this library, integrate it with VPN Service and use it in the android app.
Thanks in advance everyone.
Source: (StackOverflow)
The only method I know how to execute IPsec changes involves calling netsh to do the changes. Is there a method using System.Management and WMI objects directly? If so, what is it? I am having a hard time finding relevant WMI information with MSDN.
Or is there some other useful method someone out there has used?
EDIT: I am working in C#, and would prefer C# examples with regard to .NET System.Management based answers.
Thank you!
Source: (StackOverflow)
I have developed a single-block symmetric cipher [CIPHER] algorithm for IPsec in the kernel's (3.9.11) crypto API. After loading the .ko module into the kernel I can see my algorithm's information in /proc/crypto.
Now the problem comes when I want to establish an IPsec tunnel between two Linux machines and I get the error
"tun/1x1": requested kernel enc ealg_id=254 not present
When I searched the code to pinpoint the problem, I found out that there is a function xfrm_probe_algs whose job is to check the availability of crypto algorithms. In this function the line
status = crypto_has_ablkcipher(ealg_list[i].name, 0, 0);
seems to check for "Asynchronous multi-block ciphers" only. However, the algorithm that I have written is of the type "Single-Block symmetric Cipher", and because of this my algorithm does not work properly. I would like to know whether there is any way that I can use my single-block symmetric cipher in IPsec tunnels in the 3.9.11 kernel or not.
Best Regards
Source: (StackOverflow)
INTRODUCTION
Many questions have been asked about the configuration of the VPN connections.
Probably the most famous with its important answer is this one.
The closest question to my needs is the following one.
But I have not found the answer I am looking for yet.
- I have manually configured an IPSEC Xauth PSK connection using the Android native VPN connection section (example image).
- I have established the connection to the VPN for the first time in order to check the "Save account information" checkbox, so I will always have the credentials saved without prompting the user to enter them anymore.
QUESTION
How can I connect programmatically to this VPN connection?
Because I have set everything I need, it's not obligatory to specify any host, username or password during the programmatic connection (because I have already done it manually in the above steps).
Source: (StackOverflow)
I have a confusion regarding the rekeying procedure of the IKE_SA in IKEv2. My confusion is whether, when rekeying of the IKE_SA is done, the respective keys of its CHILD_SAs, i.e. the ESP or AH SAs, would change or not. As per RFC 7296, in the rekeying procedure of the IKE_SA a new SKEYSEED would be generated and then a new set of {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} =
prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr),
i.e. a new SK_d is generated. So, using these new values, whether a new KEYMAT would be generated or not in this way, KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr), and whether, using this, new ESP/AH keys would be generated or enforced or not.
Can anyone say something on this? I need a quick response. Please comment if you know about this.
Source: (StackOverflow)
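To make the RFC 7296 key derivation in the question above concrete, here is an added worked example (not code from the original post) that implements prf+ (section 2.13), the IKE SA key split (section 2.14), the IKE SA rekey SKEYSEED (section 2.18) and Child SA KEYMAT (section 2.17), then shows which keys an IKE SA rekey actually changes. It assumes PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 and 128-bit AES keys; all nonces, SPIs and DH values are constructed.

```python
import hmac
import hashlib

# Assumed negotiated transforms: PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128,
# ENCR_AES_CBC with 128-bit keys. All nonces/SPIs/DH values below are constructed.
PRF_LEN = 32

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n), output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

# Order and sizes of the IKE SA keys carved out of the prf+ output (s2.14).
IKE_KEY_LENS = (("SK_d", PRF_LEN), ("SK_ai", 32), ("SK_ar", 32), ("SK_ei", 16),
                ("SK_er", 16), ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN))

def derive_ike_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    blob = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(l for _, l in IKE_KEY_LENS))
    keys, off = {}, 0
    for name, ln in IKE_KEY_LENS:
        keys[name] = blob[off:off + ln]
        off += ln
    return keys

def rekey_ike_sa(old_sk_d: bytes, g_ir_new: bytes, ni: bytes, nr: bytes,
                 spi_i: bytes, spi_r: bytes) -> dict:
    """s2.18: SKEYSEED = prf(SK_d(old), g^ir(new) | Ni | Nr); Ni/Nr/SPIs are the new IKE SA's."""
    return derive_ike_keys(prf(old_sk_d, g_ir_new + ni + nr), ni, nr, spi_i, spi_r)

def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int, g_ir_new: bytes = b"") -> bytes:
    """s2.17: KEYMAT = prf+(SK_d, [g^ir(new) |] Ni | Nr); g^ir is present only with PFS."""
    return prf_plus(sk_d, g_ir_new + ni + nr, length)

def demo() -> dict:
    # Constructed sample values for the original IKE SA and for the rekey exchange.
    old = derive_ike_keys(b"\x11" * 32, b"NI-old-nonce", b"NR-old-nonce", b"\x01" * 8, b"\x02" * 8)
    esp_old = child_keymat(old["SK_d"], b"NI-old-nonce", b"NR-old-nonce", 16 + 32)
    new = rekey_ike_sa(old["SK_d"], b"g^ir-from-rekey", b"NI-new", b"NR-new", b"\x03" * 8, b"\x04" * 8)
    # A Child SA created or rekeyed under the new IKE SA uses the new SK_d ...
    esp_next = child_keymat(new["SK_d"], b"NI-child", b"NR-child", 16 + 32)
    # ... while an existing Child SA keeps esp_old: the IKE SA rekey does not touch it.
    return {"sk_d_changed": old["SK_d"] != new["SK_d"], "esp_old": esp_old, "esp_next": esp_next}
```

The point the code makes is the one RFC 7296 section 2.18 states: an IKE SA rekey replaces SK_d and the other SK_* keys, but existing Child SAs keep their KEYMAT; only Child SAs created or rekeyed afterwards are derived from the new SK_d.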
According to my limited understanding, IPSec authenticates peers and encapsulates/encrypts IP packets in tunnel mode.
On the other hand, L2TP itself does not offer authentication/encryption, but offers encapsulation, which is already achieved by IPSec.
In my application, I would like to secure end-to-end data transfer using IPSec. I am also considering "L2TP/IPSec" but cannot figure out which L2TP feature is not offered by IPSec? Why would I choose to use L2TP/IPSec rather than IPSec alone?
Source: (StackOverflow)
I have created an Amazon EC2 Linux instance running Racoon, and it is trying to connect to another Amazon VPC IPSec interface. I use my Elastic IP address as a customer gateway but I'm getting these failures.
Does anyone have an idea regarding this?
2013-04-04 12:43:29: DEBUG: db :0x7f2583cda3b0: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=fwd
2013-04-04 12:43:29: DEBUG: sub:0x7fff9bd61ba0: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in
2013-04-04 12:43:29: DEBUG: db :0x7f2583cda630: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in
2013-04-04 12:43:29: DEBUG: suitable inbound SP found: 169.254.255.93/30[0] 169.254.255.94/30[0] proto=any dir=in.
2013-04-04 12:43:29: DEBUG: new acquire 169.254.255.94/30[0] 169.254.255.93/30[0] proto=any dir=out
2013-04-04 12:43:29: [72.21.209.192] DEBUG: configuration "72.21.209.192[500]" selected.
2013-04-04 12:43:29: DEBUG: getsainfo params: loc='169.254.255.94/30' rmt='169.254.255.93/30'
peer='NULL' client='NULL' id=0
2013-04-04 12:43:29: DEBUG: evaluating sainfo: loc='169.254.255.90/30', rmt='169.254.255.89/30',
peer='ANY', id=0
2013-04-04 12:43:29: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.94/30'
2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.90/30'
2013-04-04 12:43:29: DEBUG: evaluating sainfo: loc='169.254.255.94/30', rmt='169.254.255.93/30',
peer='ANY', id=0
2013-04-04 12:43:29: DEBUG: check and compare ids : values matched (IPv4_subnet)
2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.94/30'
2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.94/30'
2013-04-04 12:43:29: DEBUG: check and compare ids : values matched (IPv4_subnet)
2013-04-04 12:43:29: DEBUG: cmpid target: '169.254.255.93/30'
2013-04-04 12:43:29: DEBUG: cmpid source: '169.254.255.93/30'
2013-04-04 12:43:29: DEBUG: selected sainfo: loc='169.254.255.94/30', rmt='169.254.255.93/30',
peer='ANY', id=0
2013-04-04 12:43:29: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel
reqid=0:0)
2013-04-04 12:43:29: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
2013-04-04 12:43:29: DEBUG: in post_acquire
2013-04-04 12:43:29: [72.21.209.192] DEBUG: configuration "72.21.209.192[500]" selected.
2013-04-04 12:43:29: INFO: IPsec-SA request for 72.21.209.192 queued due to no phase1 found.
2013-04-04 12:43:29: DEBUG: ===
2013-04-04 12:43:29: INFO: initiate new phase 1 negotiation: 54.236.196.228[500]<=>72.21.209.192[500]
2013-04-04 12:43:29: INFO: begin Identity Protection mode.
2013-04-04 12:43:29: DEBUG: new cookie:
6d61a8ce6f870d1d
2013-04-04 12:43:29: DEBUG: add payload of len 52, next type 13
2013-04-04 12:43:29: DEBUG: add payload of len 16, next type 0
2013-04-04 12:43:29: ERROR: phase1 negotiation failed due to send error.
6d61a8ce6f870d1d:0000000000000000
2013-04-04 12:43:29: ERROR: failed to begin ipsec sa negotication.
Source: (StackOverflow)
I am working on establishing a VPN tunnel between our VPC on Amazon and a client network. The client uses public IP addresses behind their firewall and requested that our servers in the VPC use public IPs also.
The purpose of the connection is for our application server and their application server to be able to communicate.
Here's what the topology looks like:
107.x.x.x <--> 107.y.y.y <--> AWS InternetGateway <--> Internet <--> 213.a.a.a <-->213.b.b.b
where:
107.x.x.x: Our Application server (internal ip 10.0.0.10)
107.y.y.y: Our Openswan server (internal ip 10.0.0.11)
213.a.a.a: The customer VPN endpoint IP
213.b.b.b: The customer Application Server
We managed to bring the tunnel up, but whenever we try to ping 213.b.b.b we get Destination Host Unreachable
here is the ipsec.conf:
left=10.0.0.10
leftsubnet=107.x.x.x/32
leftid=107.y.y.y
leftsourceip=107.y.y.y
right=213.a.a.a
rightid=10.9.5.34
rightsubnet=213.b.b.b/32
authby=secret
keyingtries=3
rekey=no
keyexchange=ike
ikelifetime=86400s
phase2alg=3DES-MD5;modp1024
forceencaps=yes
pfs=no
Thanks in Advance
Source: (StackOverflow)
I have implemented an IPsec connection between two peers using openswan (opens/wan) in CentOS 6. This is running fine and I can see the traffic is encrypted. However, if for whatever reason the IPsec tunnel no longer exists (maybe someone turned it off, maybe it crashed, etc.), traffic will still flow between the peers as unencrypted traffic.
How can I ensure that traffic between these two peers is always sent encrypted with IPsec, or else no traffic between the peers is accepted?
Iptables does not seem to help, as the packets go through the iptables rules twice once encrypted and once again unencrypted.
Thanks in advance.
Source: (StackOverflow)