[Click] A question about Click router supported IPsec/ESP

Li Yi halb44 at gmail.com
Mon Jan 18 22:24:37 EST 2010


Hi,
I want to configure a Click router with IPsec/ESP support. The topology is just
as in the example:
(18.26.7)<-->(Router1)<--IPsec/ESP-->(Router2)<-->(18.26.8)
I configure it as follows:
PC1(18.26.7.3)<-->(Router1)<--IPsec/ESP-->(Router2)<-->PC2(18.26.8.24)
Router1 addr: eth1 18.26.7.1; eth0 18.26.4.24
Router2 addr: eth0 18.26.4.1; eth1 18.26.8.1
The IPsec/ESP router configurations are running on Router1 and Router2 in
linuxmodule, and there is no syntax error. But when I run, as root on PC1:
ping 18.26.8.24
or, as root on PC2:
ping 18.26.7.3
the Click program just hangs and I have to do a hard reboot if I want to run
Click again. It is shown as follows:

Message from syslogd@ at (date)
localhost kernel: Oops: 0000 [#1] SMP

And /click/messages shows this:

No Ipsec tunnel for 18.26.8.24. Wrong tunnel setup

The script for ESP encapsulation in Router1 is like this:
        -> espen :: IPsecESPEncap()   // Do I have to set the SPI value? What's the format?
        -> cauth :: IPsecAuthHMACSHA1(0)
        -> encr :: IPsecAES(1)
        -> ipencap :: IPsecEncap(50)
Thank you very much!
Best regards,

Hal

The configuration script of Router1:
// simple-ipsec.click An IP Router Configuration with IPsec/ESP support

AddressInfo(eth0_addr 00:1A:64:B0:B4:20,
  eth1_addr 00:1A:64:B0:B4:22);

c0 :: Classifier(12/0806 20/0001,
                  12/0806 20/0002,
                  12/0800,
                  -);

c1 :: Classifier(12/0806 20/0001,
                  12/0806 20/0002,
                  12/0800,
                  -);

FromDevice(eth0) -> [0]c0;
FromDevice(eth1) -> [0]c1;

out0 :: Queue(200) -> ToDevice(eth0);
out1 :: Queue(200) -> ToDevice(eth1);
//This packet goes to linux stack

// An "ARP querier" for each interface.
arpq0 :: ARPQuerier(18.26.4.24, eth0_addr);
arpq1 :: ARPQuerier(18.26.7.1, eth1_addr);
// Deliver ARP responses to ARP queriers as well as Linux.
t :: Tee();
c0[1] -> t;
c1[1] -> t;
t[2] -> tol::ToHost();
t[0] -> [1]arpq0;
t[1] -> [1]arpq1;

// Connect ARP outputs to the interface queues.
arpq0 -> out0;
arpq1 -> out1;

// Proxy ARP on eth0 for 18.26.8, as well as cone's IP address.
ar0 :: ARPResponder(18.26.4.24 eth0_addr,
                    18.26.7.0/24 eth0_addr);
c0[0] ->ar0 -> out0;

// Ordinary ARP on eth1.
ar1 :: ARPResponder(18.26.7.1 eth1_addr);
c1[0] -> ar1 -> out1;

rt :: RadixIPsecLookup(18.26.4.24/32 0,
          18.26.4.1/32 2,
          18.26.7.1/32 4,
          18.26.7.0/24 18.26.7.3 3,
          18.26.8.0/24 18.26.4.1 1 );
//234 ABCDEFFF001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64   Is it the SPI? What's the meaning?
// IPsec incoming packet IP table visit order
// rt[0]->rt[3]
// IPsec outgoing packet IP table visit order
// rt[1]->rt[2]

// Hand incoming IP packets to the routing table.
// CheckIPHeader checks all the lengths and length fields
// for sanity.
ip ::   Strip(14)
     -> CheckIPHeader(INTERFACES 18.26.4.24/24 18.26.7.1/24)
     -> [0]rt;
c0[2] -> Paint(1) -> ip;
c1[2] -> Paint(2) -> ip;

// IP packets for this machine.
// ToHost expects ethernet packets, so cook up a fake header.
rt[4] -> EtherEncap(0x0800, 1:1:1:1:1:1, 2:2:2:2:2:2) -> tol;

//1 entering the ipsec tunnel...
//ESP Encapsulate -> Authenticate -> Encrypt -> IP Encapsulate -> send back to IP routing table
rt[1]   -> espen :: IPsecESPEncap()
        -> cauth :: IPsecAuthHMACSHA1(0)
        -> encr :: IPsecAES(1)
        -> ipencap :: IPsecEncap(50)
        -> [0]rt;

//0 packets arriving from a tunnel...
//Strip IP header -> Decrypt -> Authenticate -> Decapsulate ESP -> send back to IP routing table
rt[0] -> StripIPHeader()
      -> decr :: IPsecAES(0)
      -> vauth :: IPsecAuthHMACSHA1(1)
      -> espuncap :: IPsecESPUnencap()
      -> CheckIPHeader()
      -> [0]rt;
elementclass Processing {
  $colour, $IPAddress |
  input -> DropBroadcasts
        -> cp :: PaintTee($colour)
        -> gio :: IPGWOptions($IPAddress)
        -> FixIPSrc($IPAddress)
        -> dt :: DecIPTTL
        -> fr :: IPFragmenter(1500)
        -> output;
  dt[1] -> ICMPError($IPAddress, timeexceeded) -> [1]output;
  fr[1] -> ICMPError($IPAddress, unreachable, needfrag) -> [1]output;
  gio[1] -> ICMPError($IPAddress, parameterproblem) -> [1]output;
  cp[1] -> ICMPError($IPAddress, redirect, host) -> [1]output;
}
rt[2] -> p1 :: Processing(1, 18.26.4.24) -> [0]arpq0;
rt[3] -> p2 :: Processing(2, 18.26.7.1) -> [0]arpq1;
p1[1] -> [0]rt;
p2[1] -> [0]rt;


// Unknown ethernet type numbers.
c0[3] -> Discard;
c1[3] -> Discard;
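To see which rt output, and so which of the two pipelines in the script above, a packet to the pinged address is handed to, here is an added longest-prefix lookup over the RadixIPsecLookup entries copied from the posted Router1 config. This is example code written for this page, not part of Click; the PORT_ROLE labels come from the rt[0]..rt[4] connections in the script, and the entry format "prefix [gateway] port" is assumed from the five listed entries.

```python
import ipaddress
import re

# RadixIPsecLookup element copied from the Router1 configuration posted above
# (its trailing // comment is kept to show that comments are ignored).
ROUTER1_RT = """
rt :: RadixIPsecLookup(18.26.4.24/32 0,
          18.26.4.1/32 2,
          18.26.7.1/32 4,
          18.26.7.0/24 18.26.7.3 3,
          18.26.8.0/24 18.26.4.1 1 );
//234 ABCDEFFF001DEFD2354550FE40CD708E 112233EE556677888877665544332211 300 64
"""
# What each rt output port is wired to in the posted config (rt[0]..rt[4]).
PORT_ROLE = {
    0: "from tunnel: StripIPHeader -> IPsecAES(0) -> IPsecAuthHMACSHA1(1) -> IPsecESPUnencap",
    1: "into tunnel: IPsecESPEncap -> IPsecAuthHMACSHA1(0) -> IPsecAES(1) -> IPsecEncap(50)",
    2: "deliver on eth0 via p1/arpq0",
    3: "deliver on eth1 via p2/arpq1",
    4: "this host (EtherEncap -> ToHost)",
}
def parse_routes(config):
    """Return [(network, gateway_or_None, port)] parsed from the RadixIPsecLookup args."""
    stripped = re.sub(r"//[^\n]*", "", config)  # // comments are never entries
    m = re.search(r"RadixIPsecLookup\((.*?)\)", stripped, re.S)
    if not m:
        raise ValueError("no RadixIPsecLookup element found")
    routes = []
    for entry in filter(str.strip, m.group(1).split(",")):
        tokens = entry.split()  # assumed layout: "prefix [gateway] port"
        net = ipaddress.ip_network(tokens[0], strict=False)
        gw = ipaddress.ip_address(tokens[1]) if len(tokens) == 3 else None
        routes.append((net, gw, int(tokens[-1])))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (port, gateway) or None if no entry matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, port in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, port)
    return None if best is None else (best[2], best[1])

def trace(config, dst):
    """Name the rt output port, and so the pipeline, that a packet to dst is sent down."""
    hit = lookup(parse_routes(config), dst)
    if hit is None:
        return f"{dst}: no matching route"
    port, gw = hit
    return f"{dst}: rt[{port}]" + (f" via {gw}" if gw else "") + f" -> {PORT_ROLE[port]}"
```

Running trace(ROUTER1_RT, "18.26.8.24") shows the ping destination from the /click/messages line is routed to rt[1], the tunnel-entry pipeline, while the only SPI/key-looking values in the config sit in a comment after the table.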

