Date: Wed, 29 Jan 2003 05:26:54 -0800
From: Peter Haight <peterh@sapros.com>
To: Steve Bertrand <iaccounts@northnetworks.ca>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD IPSEC tunnel stoped working.
Message-ID: <200301291326.h0TDQsLG007646@wartch.sapros.com>
> Looks like the 'spi' are out of sync on the 2 machines. This is after a
> quick glance, but I know on my IPSec setup, (with manual keys), the
> spi's have to be such:
>
> Stable in spi == Release out spi
> Release in spi == Stable out spi
>
> Are you using racoon? If not, post your ipsec script.

Here you go:

local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"

remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

setkey -c << EOF
flush;
spdflush;

add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";

spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF
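The quoted reply's rule (each peer's inbound SPI must equal the other peer's outbound SPI for the same src/dst pair) can be checked mechanically by comparing `setkey -D` dumps from both hosts. The script below is an added example, not part of the original thread or the poster's script; the two dumps are constructed and abbreviated, using the placeholder addresses and SPIs from the posted script, and the second dump deliberately carries a mismatched SPI on the YY->XX SA.

```python
import re

# Constructed, abbreviated `setkey -D` output from each end of the tunnel.
# Key hex is "foobar"; only the src/dst, proto, spi and E: lines are kept.
DUMP_STABLE = """\
XX.XX.XX.XX YY.YY.YY.YY
\tesp mode=tunnel spi=9991(0x00002707) reqid=0(0x00000000)
\tE: blowfish-cbc  666f6f62 6172
YY.YY.YY.YY XX.XX.XX.XX
\tesp mode=tunnel spi=9992(0x00002708) reqid=0(0x00000000)
\tE: blowfish-cbc  666f6f62 6172
"""
DUMP_RELEASE = """\
XX.XX.XX.XX YY.YY.YY.YY
\tesp mode=tunnel spi=9991(0x00002707) reqid=0(0x00000000)
\tE: blowfish-cbc  666f6f62 6172
YY.YY.YY.YY XX.XX.XX.XX
\tesp mode=tunnel spi=9993(0x00002709) reqid=0(0x00000000)
\tE: blowfish-cbc  666f6f62 6172
"""

SA_RE = re.compile(
    r"^(\S+) (\S+)\n"                                   # src dst
    r"\t(esp|ah) mode=\w+ spi=(\d+)\(\S+\) [^\n]*\n"    # proto, decimal SPI
    r"\t[EA]: (\S+)\s+([0-9a-f ]+)$",                   # algorithm, key hex
    re.M,
)

def parse_sad(dump):
    """Map (src, dst, proto) -> (spi, algorithm, key_hex) for each SA."""
    sad = {}
    for src, dst, proto, spi, alg, key in SA_RE.findall(dump):
        sad[(src, dst, proto)] = (int(spi), alg, key.replace(" ", ""))
    return sad

def sa_mismatches(dump_a, dump_b):
    """SAs that differ between peers. A given src->dst SA is outbound on one
    host and inbound on the other, so SPI, cipher and key must be identical;
    any difference means ESP packets are silently dropped at the receiver."""
    sad_a, sad_b = parse_sad(dump_a), parse_sad(dump_b)
    return [(k, sad_a.get(k), sad_b.get(k))
            for k in sorted(set(sad_a) | set(sad_b))
            if sad_a.get(k) != sad_b.get(k)]

if __name__ == "__main__":
    for key, a, b in sa_mismatches(DUMP_STABLE, DUMP_RELEASE):
        print("%s -> %s %s: stable=%s release=%s" % (key[0], key[1], key[2], a, b))
```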