Subject: decrypt CRC error
From: Bram Dumolin <bram-cipe,AT,grmbl,DOT,net>
Date: Fri, 21 Sep 2001 07:51:14 +0200

I have sent this to the list before but there was something wrong with my 
subscription to the list.
Here goes again :)

--
hi,

Well, I've been hiding on this list for a while and didn't think I would need 
it since I've set up some cipe connections in the past.

But now that I need it to prove a point to the company I'm working for, it's 
failing on me.
(They wanted to go with an expensive Cisco "hardware" VPN solution but they 
only have a 128k line to the internet, go figure ;))

(And I don't want them to go with one of the Cisco or M$ "solutions")

Anyway, here's my setup:

Linux 2.2.19 on alpha, cipe 1.5.2, let's refer to it as "toybox" 
Linux 2.2.14 on i686, cipe 1.5.2, let's refer to it as "frigo"

Machines are in different physical locations in the world (well, one in 
Belgium, one in Sri Lanka).

In the configs I use the IP addresses, of course.

Both compiled, standard, blowfish.

Here goes:
On frigo:

--
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3248f234234234232342sdkfsdsdl3e4

## Network configuration
# Real stuff
me              frigo:7800
peer            toybox:7800

# virtual encrypted stuff
ipaddr 10.2.0.1
ptpaddr 10.2.0.2
--

On toybox:

--
# The static key. Keep this file secret!
# The key is 128 bits in hexadecimal notation.
key 3248f234234234232342sdkfsdsdl3e4

## Network configuration
# Real stuff
me      toybox:7800
peer    frigo:7800

# virtual encrypted stuff
ipaddr  10.2.0.2
ptpaddr 10.2.0.1

--

Fairly straightforward I would say.

Both interfaces came up with no problem; they each added a hostroute to the 
other side.

When I enabled debugging (modprobe cipcb cipe_debug=8), I got the following 
error on toybox:
Sep 18 13:40:54 toybox kernel: cipcb: CIPE driver vers 1.5.2 (c) Olaf Titz 1996-2000, 100 channels, debug=8
Sep 18 13:41:27 toybox kernel: cipcb0: decrypt CRC error
Sep 18 13:41:34 toybox last message repeated 8 times
Sep 18 13:50:54 toybox kernel: cipcb0: decrypt CRC error
Sep 18 13:51:57 toybox kernel: cipcb0: decrypt CRC error

And on frigo:
Sep 18 17:46:47 frigo kernel: cipcb: CIPE driver vers 1.5.2 (c) Olaf Titz 1996-2000, 100 channels, debug=8 
Sep 18 17:46:51 frigo ciped-cb[941]: CIPE daemon vers 1.5.2 (c) Olaf Titz 1996-2000
Sep 18 17:46:51 frigo ciped-cb[941]: peer configuration info: proto=3, crypto=b, version=1.5, correct key parser
Sep 18 17:47:37 frigo kernel: cipcb: re-keying cryptpad 
Sep 18 17:47:37 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:47:37 frigo kernel: cipcb0: encrypt typ 2 pad 2 len 104 
Sep 18 17:47:38 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:47:48 frigo last message repeated 10 times
Sep 18 17:47:48 frigo kernel: cipcb0: encrypt typ 2 pad 5 len 120 
Sep 18 17:47:49 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:47:59 frigo last message repeated 10 times
Sep 18 17:47:59 frigo kernel: cipcb0: encrypt typ 2 pad 3 len 168 
Sep 18 17:48:00 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:48:09 frigo last message repeated 9 times
Sep 18 17:48:09 frigo kernel: cipcb0: encrypt typ 2 pad 4 len 304 
Sep 18 17:48:10 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:48:20 frigo last message repeated 10 times
Sep 18 17:48:20 frigo kernel: cipcb0: encrypt typ 2 pad 5 len 272 
Sep 18 17:48:21 frigo kernel: cipcb0: encrypt typ 0 pad 7 len 104 
Sep 18 17:48:31 frigo last message repeated 10 times

Anyone have a clue?

Maybe it's because the machine architecture is different?
Something to do with big endian and things? I don't have any clue about those 
things but I know alpha is different.
With the "nokey" options it works without a problem, so it isn't a firewall 
problem.

Aha, another thing, when I test it internally (between i386 archs) it works 
without a glitch.

-- second part

It looks like one side is not ACKing the key...

I've put :
--
debug on
--
in the options file and now I get this when I ping across
(with keys)

On frigo:
KX: [NK_REQ] sending NK_IND 8DEC7F1C
KX: [NK_IND] sending NK_ACK C4C7A172
KX: [NK_REQ] sending NK_IND E851BB81
KX: [NK_IND] sending NK_ACK 40197F6B
KX: [NK_REQ] sending NK_IND 25E62589
KX: [NK_IND] sending NK_ACK B7C20A0D
KX: [NK_REQ] sending NK_IND 91F4CF54
KX: [NK_IND] sending NK_ACK 5A0978C1
KX: [NK_REQ] sending NK_IND 143779E1
KX: [NK_IND] sending NK_ACK 5C01CB14
KX: [NK_REQ] sending NK_IND A173AD33
KX: [NK_IND] sending NK_ACK 0AB0D557
KX: [NK_REQ] sending NK_IND 5B0D88B0
KX: [NK_IND] sending NK_ACK 87FBC651
KX: [NK_REQ] sending NK_IND 3D115E10
KX: [NK_IND] sending NK_ACK 7F83E49E
KX: [NK_REQ] sending NK_IND 9F96FBCA
KX: [NK_IND] sending NK_ACK E69CDEC4

On toybox:
KX: [NK_REQ] sending NK_IND 40821D7F
KX: [NK_REQ] sending NK_IND 273EB770
KX: [NK_REQ] sending NK_IND BA97B123
KX: [NK_REQ] sending NK_IND A90558C8
KX: [NK_REQ] sending NK_IND F4D76AAF
KX: [NK_REQ] sending NK_IND 4A216133
KX: [NK_REQ] sending NK_IND 94816710
KX: [NK_REQ] sending NK_IND 32B32592
KX: [NK_REQ] sending NK_IND 3088B63B
KX: [NK_REQ] sending NK_IND C4C7A172
KX: [NK_REQ] sending NK_IND 40197F6B
KX: [NK_REQ] sending NK_IND B7C20A0D
KX: [NK_REQ] sending NK_IND 5A0978C1
KX: [NK_REQ] sending NK_IND 5C01CB14
KX: [NK_REQ] sending NK_IND 0AB0D557
KX: [NK_REQ] sending NK_IND 87FBC651
KX: [NK_REQ] sending NK_IND 7F83E49E
KX: [NK_REQ] sending NK_IND E69CDEC4

Does anyone have a clue what might be wrong?
Every time I put a key in the options file (the same key on both sides :P) I 
get this shit.
Without keys, no problem.
Both same version of cipe: 1.5.2

-- 
         People using html in email should be shot.

Large cats can be dangerous, but a little pussy never hurt anyone.

By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the 
definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful to 
send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C), a 
violation of the aforementioned Section is punishable by action to recover 
actual monetary loss, or $500, whichever is greater, for each violation.
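The two KX traces above are easier to compare side by side than by eye. The script below is an added example written for this page; it is not part of the original mail or of the CIPE distribution. It parses ciped's "KX: [received] sending <reply> <id>" debug lines from both hosts and reports, per side, which message types it sent and which of its key ids the peer acknowledged. It assumes (an interpretation of the log format, not something the mail states) that the bracketed token is the message the daemon had just received, the second token the reply it sent, and that an NK_ACK carries the id of the NK_IND it answers; the sample lines are a constructed subset of the post's output.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the two hosts' ciped "debug on" output,
# in the same format as the post. Each line: KX: [<received>] sending <reply> <id>
FRIGO_KX = """\
KX: [NK_REQ] sending NK_IND 8DEC7F1C
KX: [NK_IND] sending NK_ACK C4C7A172
KX: [NK_REQ] sending NK_IND E851BB81
KX: [NK_IND] sending NK_ACK 40197F6B
"""

TOYBOX_KX = """\
KX: [NK_REQ] sending NK_IND 40821D7F
KX: [NK_REQ] sending NK_IND 273EB770
KX: [NK_REQ] sending NK_IND C4C7A172
KX: [NK_REQ] sending NK_IND 40197F6B
"""

# Assumption: bracketed token = message just received, next token = reply sent,
# trailing 8 hex digits = key id the reply refers to.
KX_RE = re.compile(
    r"KX: \[(?P<recv>NK_[A-Z]+)\] sending (?P<send>NK_[A-Z]+) (?P<kid>[0-9A-F]{8})"
)


def parse_kx(text):
    """Return a list of (received, sent, key_id) tuples, one per matching KX line."""
    events = []
    for line in text.splitlines():
        m = KX_RE.search(line)
        if m:
            events.append((m.group("recv"), m.group("send"), m.group("kid")))
    return events


def diagnose(logs):
    """logs: {host_name: raw ciped debug text} for exactly two hosts.

    For each host, returns the message types it sent and, under the assumption that
    an NK_ACK names the NK_IND id it answers, which of its proposed key ids the
    peer acknowledged and which it never did."""
    names = list(logs)
    if len(names) != 2:
        raise ValueError("diagnose() expects exactly two hosts")
    events = {n: parse_kx(t) for n, t in logs.items()}
    proposed = {n: {k for _r, s, k in ev if s == "NK_IND"} for n, ev in events.items()}
    acked = {n: {k for _r, s, k in ev if s == "NK_ACK"} for n, ev in events.items()}
    report = {}
    for me, peer in ((names[0], names[1]), (names[1], names[0])):
        report[me] = {
            "sent": Counter(s for _r, s, _k in events[me]),
            "acked_by_peer": proposed[me] & acked[peer],
            "never_acked": proposed[me] - acked[peer],
        }
    return report


def findings(report):
    """Turn a diagnose() report into human-readable observations about the handshake."""
    out = []
    for me, r in report.items():
        peer = next(n for n in report if n != me)
        if r["sent"]["NK_IND"] and not r["sent"]["NK_ACK"]:
            out.append(f"{me} never sends NK_ACK: it is not accepting {peer}'s key proposals")
        if r["acked_by_peer"]:
            out.append(f"{peer} acknowledged {len(r['acked_by_peer'])} of {me}'s key ids, "
                       f"so {me}->{peer} proposals do arrive")
        elif r["never_acked"]:
            out.append(f"none of {me}'s {len(r['never_acked'])} key ids were acknowledged by {peer}")
    return out


if __name__ == "__main__":
    for line in findings(diagnose({"frigo": FRIGO_KX, "toybox": TOYBOX_KX})):
        print(line)
```

On the sample above the report shows the asymmetry the post describes: frigo acknowledges ids that toybox proposed, so the toybox-to-frigo direction completes, while toybox never sends an NK_ACK for any of frigo's ids. Read together with the kernel's "decrypt CRC error" appearing only on toybox, that narrows the problem to toybox's handling of what frigo sends, which is where to look next rather than at the network path (the "nokey" test already rules that out).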