
about DHCP over IPsec



Hi J

I have a problem with DHCP over IPsec. I designed a VPN gateway, and SSH Sentinel is the peer. Now I want to add the DHCP over IPsec function to this gateway. After IKE Phase 1 and Phase 2 succeed, SSH Sentinel sends a DHCP discover packet. The DHCP server replies with a DHCP offer packet. The gateway relays these packets between Sentinel and the DHCP server. When Sentinel gets the DHCP offer packet, it sends an ISAKMP information to delete the IPsec SA. The problem is: the RFC wrote that if the client deletes the SA, the client should initiate the second Quick Mode negotiation. But it does not happen. Would you please help me to find what and where it'd go wrong?

Wish you a good day

Sincerely,
W.Z Hsu

Sentinel log as below:

Phase-2 [initiator] done bundle 1 with 2 SA's by rule 23:`ipsec ipv4(udp:68,[0..3]=140.92.60.131)<->ipv4_subnet(udp:67,[0..7]=0.0.0.0/0)(gw:ipv4(any:0,[0..3]=140.92.60.100))'
SA ESP[10000001] alg [3des-cbc/24]+hmac[hmac-sha1-96] bundle [1,0] pri 0 opts src="" dst=ipv4_subnet(udp:67,[0..7]=0.0.0.0/0)
SA ESP[842832d6] alg [3des-cbc/24]+hmac[hmac-sha1-96] bundle [1,0] pri 0 opts src="" dst=ipv4(udp:68,[0..3]=140.92.60.131)
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Encode packet, version = 1.0, flags = 0x00000001
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500QM; Sending packet[52] = 0x32bdec80 c1000000 7048e07a d9db0f53 08102001 0d215563 00000034 36623125 13416536 b9f1b028 c1d44a68 c6fc8dff f26a23f2
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Connected
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Start delete negotiation
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Encode packet, version = 1.0, flags = 0x00000001
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500Info; Encode HASH: hash[20] = 0x00000000 00000000 00000000 00000000 00000000
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; enc->dec IV[8] = 0x8002c370 944bb2e6
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Sending packet[68] = 0x32bdec80 c1000000 7048e07a d9db0f53 08100501 96d206b9 00000044 f8bdfdbc 40ffbee7 bafec9d8 63a4f0c0 7f1e0204 f76cd92d bee5e22a 4c34aa01 8002c370 944bb2e6
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Deleting negotiation
DHCP Over IPSEC status: BOUND
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ mean?
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Restart packet
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Version = 1.0, Input packet fields = 0037 SA KE ID HASH NONCE
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Connected
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Deleting negotiation
DHCP Over IPSEC status: ABORTED
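As an added diagnostic aid (not part of the original post or of SSH Sentinel), the following Python parses Sentinel-style log lines of the form shown above into (exchange, message) events and reports which of the RFC 3456 steps the log records: the first Quick Mode reaching "Connected", the delete of the DHCP SA, the DHCP status values, and whether any Quick Mode activity follows the delete. The sample log, the regular expressions and the function names are constructed for this example.

```python
import re

# Constructed sample modelled on the SSH Sentinel log quoted in the post (not
# that log verbatim); Sentinel sometimes glues the peer port to the exchange name.
SAMPLE_LOG = """\
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500QM; Sending packet[52] = 0x32bdec80 c1000000
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Connected
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Start delete negotiation
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 Info; Deleting negotiation
DHCP Over IPSEC status: BOUND
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Restart packet
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Connected
0.0.0.0:500 (Initiator) <-> 140.92.60.100:500 QM; Deleting negotiation
DHCP Over IPSEC status: ABORTED
"""

# "<local> (<role>) <-> <peer> <exchange>; <message>"; \s* tolerates the glued "500QM;" form.
EVENT_RE = re.compile(r"^(\S+) \((\w+)\) <-> (\d+(?:\.\d+){3}:\d+)\s*(\w+);\s*(.*)$")
STATUS_RE = re.compile(r"^DHCP Over IPSEC status:\s*(\w+)")

def parse_events(log):
    """Return (exchange, message) pairs; DHCP status lines get exchange 'DHCP'."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(4), m.group(5).strip()))
            continue
        s = STATUS_RE.match(line)
        if s:
            events.append(("DHCP", s.group(1)))
    return events

def summarize_dhcp_over_ipsec(events):
    """RFC 3456 order: QM for the DHCP SA, DHCP exchange, delete of that SA,
    then a second QM for the assigned address.  Report what the log shows."""
    delete_seen, first_qm_connected, qm_after_delete, statuses = False, False, [], []
    for exchange, msg in events:
        if exchange == "Info" and msg.startswith("Start delete"):
            delete_seen = True
        elif exchange == "DHCP":
            statuses.append(msg)
        elif exchange == "QM" and delete_seen:
            qm_after_delete.append(msg)
        elif exchange == "QM" and msg == "Connected":
            first_qm_connected = True
    return {"first_qm_connected": first_qm_connected, "delete_sent": delete_seen,
            "dhcp_statuses": statuses, "second_qm_started": bool(qm_after_delete),
            "second_qm_connected": "Connected" in qm_after_delete,
            "final_dhcp_status": statuses[-1] if statuses else None}
```

Run it over a full Sentinel trace (`summarize_dhcp_over_ipsec(parse_events(open(path).read()))`) to see at which RFC 3456 step the client's sequence stops.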