For some time now I have been irritated by a quirk of IPSec, which I use to secure my WiFi communication. Everything works nicely, but after the computer is suspended, something sometimes does not work the way it should. And I am finally looking for that something...
A bug in the Windows IPSec filters?
When everything is OK, ipseccmd show sas shows more or less this set:
Main Mode SAs ------------------------------
Main Mode SA #1: From 172.16.0.20 To 172.16.0.254 Policy Id : {6D5D6FA1-ED42-4F1C-9DB5-0BB6186EAD44} Offer Used : 3DES SHA1 DH Group 2 Quickmode limit : 0, Lifetime 0Kbytes/3600seconds Auth Used : RSA (Cert) Signature Initiator cookie 53439410ab55f3a1 Responder cookie d165e7f2e0a51cd5 Source UDP Encap port : 500 Dest UDP Encap port: 500
Quick Mode SAs ------------------------------
Quick Mode SA #1: Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Tunnel Filter From 172.16.0.20 To Any Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound Tunnel From 172.16.0.20 Tunnel To 172.16.0.254 Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Offer Used : Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds) (20secbytes/0secrounds)
MySpi 711827286 PeerSpi 3455121362 PFS : True (Group 2), Lifetime 100000Kbytes/1200seconds Initiator cookie 53439410ab55f3a1 Responder cookie d165e7f2e0a51cd5
Yes, I am knowingly disclosing my configuration and my IP addressing. So what? The filters (for simplicity, the transport ones) then look like this:
Generic Tunnel Filters ------------------------------
Generic Tunnel Filter #1: Name : 11 Filter Id : {C415DE3A-C3A7-4C3C-95F7-B49C0C638A6C} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : Any Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #2: Name : 12 Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.0.20 Des Addr : Any Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Specific Tunnel Filters ------------------------------
Specific Tunnel Filter #1: Name : 11 Filter Id : {C415DE3A-C3A7-4C3C-95F7-B49C0C638A6C} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : Any Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Inbound, Weight : 34615297 Interface Type : LAN
Specific Tunnel Filter #2: Name : 12 Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.0.20 Des Addr : Any Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound, Weight : 34615296 Interface Type : LAN
As you can see, the Generic Tunnel Filters nicely produce Specific Tunnel Filters, of the ANY->ME and ME->ANY kind. At this point everything works correctly. Unfortunately, after a suspend the situation will (probably, because it does not reproduce with 100% reliability) look somewhat different... Only now, as luck would have it, I cannot trigger the effect... But I will keep working on it... There, it worked:
Main Mode SAs ------------------------------
Main Mode SA #1: From 172.16.0.20 To 172.16.0.254 Policy Id : {6D5D6FA1-ED42-4F1C-9DB5-0BB6186EAD44} Offer Used : 3DES SHA1 DH Group 2 Quickmode limit : 0, Lifetime 0Kbytes/3600seconds Auth Used : RSA (Cert) Signature Initiator cookie 51fca4bedbdb09fc Responder cookie 96c6ab93437420f9 Source UDP Encap port : 500 Dest UDP Encap port: 500
Quick Mode SAs ------------------------------
Quick Mode SA #1: Filter Id : {D93696BE-E4F6-42B8-9E51-FA4E4C5CA697} Tunnel Filter From 172.16.0.20 To 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound Tunnel From 172.16.0.20 Tunnel To 172.16.0.254 Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Offer Used : Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds) (20secbytes/0secrounds)
MySpi 3798079402 PeerSpi 3148350209 PFS : True (Group 2), Lifetime 100000Kbytes/1200seconds Initiator cookie 51fca4bedbdb09fc Responder cookie 96c6ab93437420f9
Quick Mode SA #2: Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Tunnel Filter From 172.16.0.20 To Any Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound Tunnel From 172.16.0.20 Tunnel To 172.16.0.254 Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Offer Used : Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds) (20secbytes/0secrounds)
MySpi 1007940273 PeerSpi 2524848298 PFS : True (Group 2), Lifetime 100000Kbytes/1200seconds Initiator cookie 51fca4bedbdb09fc Responder cookie 96c6ab93437420f9
And the filters in this case are these:
Generic Tunnel Filters ------------------------------
Generic Tunnel Filter #1: Name : 11 Filter Id : {C415DE3A-C3A7-4C3C-95F7-B49C0C638A6C} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : Any Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #2: Name : 12 Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.0.20 Des Addr : Any Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #3: Name : 11 Filter Id : {80EDE640-78D5-4B2E-8C82-0C409C36D8E7} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.0.254 Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #4: Name : 11 Filter Id : {D93696BE-E4F6-42B8-9E51-FA4E4C5CA697} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.0.20 Des Addr : 172.16.0.254 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #5: Name : 11 Filter Id : {7F88316A-1E55-4224-BCF5-727C18E9A584} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.254.1 Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Generic Tunnel Filter #6: Name : 11 Filter Id : {0B3AD03B-5367-4A0E-A714-587BC580A994} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Name : 3DES-SHA1-PFS Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Flags : 1 (Tunnel) Offer #1 Algo #1 : Encryption 3DES SHA1 PFS : True (Group 2147483648), Lifetime 0Kbytes/1200seconds Src Addr : 172.16.0.20 Des Addr : 172.16.254.1 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Mirrored : False Interface Type : LAN
Specific Tunnel Filters ------------------------------
Specific Tunnel Filter #1: Name : 11 Filter Id : {0B3AD03B-5367-4A0E-A714-587BC580A994} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.0.20 Des Addr : 172.16.254.1 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #2: Name : 11 Filter Id : {7F88316A-1E55-4224-BCF5-727C18E9A584} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.254.1 Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Inbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #3: Name : 11 Filter Id : {D93696BE-E4F6-42B8-9E51-FA4E4C5CA697} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.0.20 Des Addr : 172.16.0.254 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #4: Name : 11 Filter Id : {80EDE640-78D5-4B2E-8C82-0C409C36D8E7} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.0.254 Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Inbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #5: Name : 11 Filter Id : {C415DE3A-C3A7-4C3C-95F7-B49C0C638A6C} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : Any Des Addr : 172.16.0.20 Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.20 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Inbound, Weight : 34615297 Interface Type : LAN
Specific Tunnel Filter #6: Name : 12 Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Policy Id : {E6D0A0CC-14FB-4547-85FD-EE57A08A754E} Src Addr : 172.16.0.20 Des Addr : Any Src Tunnel Addr : Any Des Tunnel Addr : 172.16.0.254 Protocol : 0 Src Port : 0 Des Port : 0 Direction : Outbound, Weight : 34615296 Interface Type : LAN
When that happens, things start to get unpleasant. Depending on the tunnel's "weight", packets end up in different "channels", and most often the ones that are not "Any" do not work... So why does this happen? In particular, why, with the same configuration, can the filter list differ so radically?
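As an added diagnostic (not from the original post), the following Python script parses a flattened "Specific Tunnel Filters" listing in the shape ipseccmd show sas prints it and flags the host-specific filters whose weight exceeds the Any filter of the same direction, which is exactly the post-suspend state shown above. The sample records are abridged copies of the listing in this post; the field order is assumed to match it.

```python
import re

# Constructed sample: the post-suspend "Specific Tunnel Filters" records from
# this post, abridged to the fields the check needs, one record per line.
SAMPLE_AFTER_SUSPEND = """Specific Tunnel Filters ------------------------------
Specific Tunnel Filter #1: Name : 11 Filter Id : {0B3AD03B-5367-4A0E-A714-587BC580A994} Src Addr : 172.16.0.20 Des Addr : 172.16.254.1 Direction : Outbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #2: Name : 11 Filter Id : {7F88316A-1E55-4224-BCF5-727C18E9A584} Src Addr : 172.16.254.1 Des Addr : 172.16.0.20 Direction : Inbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #3: Name : 11 Filter Id : {D93696BE-E4F6-42B8-9E51-FA4E4C5CA697} Src Addr : 172.16.0.20 Des Addr : 172.16.0.254 Direction : Outbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #4: Name : 11 Filter Id : {80EDE640-78D5-4B2E-8C82-0C409C36D8E7} Src Addr : 172.16.0.254 Des Addr : 172.16.0.20 Direction : Inbound, Weight : 69218305 Interface Type : LAN
Specific Tunnel Filter #5: Name : 11 Filter Id : {C415DE3A-C3A7-4C3C-95F7-B49C0C638A6C} Src Addr : Any Des Addr : 172.16.0.20 Direction : Inbound, Weight : 34615297 Interface Type : LAN
Specific Tunnel Filter #6: Name : 12 Filter Id : {FBFDB18B-1949-41DC-A7FA-A95E8DAACB8F} Src Addr : 172.16.0.20 Des Addr : Any Direction : Outbound, Weight : 34615296 Interface Type : LAN
"""

# Non-greedy matches without DOTALL, so one record never spans two lines.
FILTER_RE = re.compile(
    r"Specific Tunnel Filter #(?P<num>\d+):.*?"
    r"Filter Id : (?P<id>\{[0-9A-Fa-f-]+\}).*?"
    r"Src Addr : (?P<src>\S+).*?Des Addr : (?P<dst>\S+).*?"
    r"Direction : (?P<dir>\w+), Weight : (?P<weight>\d+)"
)

def parse_specific_filters(text):
    """One dict per 'Specific Tunnel Filter #N' record found in the listing."""
    records = []
    for m in FILTER_RE.finditer(text):
        rec = m.groupdict()
        rec["num"] = int(rec["num"])
        rec["weight"] = int(rec["weight"])
        records.append(rec)
    return records

def shadowing_filters(records):
    """Host-specific filters that outweigh the Any filter of the same direction."""
    # Healthy state: only ANY->ME / ME->ANY exist, so this list comes back empty.
    any_weight = {}
    for r in records:
        if "Any" in (r["src"], r["dst"]):
            any_weight[r["dir"]] = max(any_weight.get(r["dir"], 0), r["weight"])
    return [
        r for r in records
        if "Any" not in (r["src"], r["dst"])
        and r["weight"] > any_weight.get(r["dir"], 0)
    ]

if __name__ == "__main__":
    for r in shadowing_filters(parse_specific_filters(SAMPLE_AFTER_SUSPEND)):
        print(f"filter #{r['num']} {r['id']} {r['src']}->{r['dst']} "
              f"{r['dir']} weight {r['weight']} shadows the Any filter")
```

Feed it the real output of ipseccmd show sas after a suspend; an empty result means the filter list is back to the healthy ANY->ME / ME->ANY pair.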