Date: Sun, 14 Nov 2004 01:53:32 -0800
From: "Loren M. Lang" <lorenl@alzatex.com>
To: FreeBSD Mailing list <freebsd-questions@freebsd.org>
Subject: Bugs in IPSEC Section of Handbook
Message-ID: <20041114095332.GA20277@alzatex.com>
I recently was reading the handbook on setting up a VPN using IPSec and I believe I've found a couple of bugs in the handbook. The following line is used to enable IPSec over the IP in IP tunnel:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require

When I changed esp to ah, I was able to monitor the actual communication and I noticed that this caused an IP in IP in AH in IP tunnel instead of just IP in AH in IP. I think the line should read:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
        esp/transport//require

This seemed to generate the correct result when I was sniffing it with the AH protocol, so I'm assuming it's the same situation with ESP. I think using the tunnel keyword is a shortcut to setting up a gif tunnel, which was already done, and the IP addresses inside // should be the outer addresses, where the first set of IP addresses is what is getting tunneled.

Also, I needed to add the line

    gif_interfaces="gif0"

to rc.conf, but this seems to be omitted from the manual.

The last problem was with the line for the vpn static route:

    route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"

The netmask keyword should not be there, so the line reads:

    route_vpn="192.168.2.0 192.168.2.1 0xffffff00"

The handbook mentions AH which could be used with ESP, but does not say how. I think it would be convenient for a quick example to be added like the following:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec \
        esp/transport//require ah/transport//require;

I had to do a little research to figure out how to wrap them appropriately.

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
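An added illustration, not part of the mail above or of the handbook, of why a tunnel-mode policy on top of a gif interface yields the double encapsulation the poster saw on the wire: a small Python model that stacks headers the way gif (IP-in-IP) and a setkey policy do. Header layering is modelled from the poster's observations; the handling of several protocols in one policy (first listed applied first, so the last one ends up outermost) is an assumption about setkey, not something the mail states.

```python
"""Model of header layering for IPsec policies applied over a gif tunnel.

Constructed illustration. Header stacks are lists, outermost header first,
so they can be rendered the way the mail describes them ("IP in AH in IP").
"""
from typing import List, Optional


def gif_encapsulate(inner_src: str, inner_dst: str,
                    gif_src: str, gif_dst: str) -> List[str]:
    """gif0 wraps the private packet in an outer IP header (ipencap)."""
    return [f"IP({gif_src}->{gif_dst})", f"IP({inner_src}->{inner_dst})"]


def apply_policy(packet: List[str], protos: List[str], mode: str,
                 tun_src: Optional[str] = None,
                 tun_dst: Optional[str] = None) -> List[str]:
    """Apply an 'spdadd ... ipsec <proto>/<mode>/...' policy to a packet.

    protos: e.g. ["esp"] or ["esp", "ah"]; assumed applied in listed order,
            so the last one is outermost (assumption about setkey ordering).
    mode:   'transport' inserts the IPsec header behind the existing outer
            IP header; 'tunnel' adds a brand-new outer IP header first,
            which is the extra "IP in" layer the poster observed.
    """
    pkt = list(packet)
    for proto in protos:
        label = proto.upper()
        if mode == "transport":
            pkt = [pkt[0], label] + pkt[1:]
        elif mode == "tunnel":
            pkt = [f"IP({tun_src}->{tun_dst})", label] + pkt
        else:
            raise ValueError(f"unknown mode: {mode}")
    return pkt


def describe(stack: List[str]) -> str:
    """Render a stack innermost-first, as in 'IP in AH in IP'."""
    return " in ".join(h.split("(")[0] for h in reversed(stack))


if __name__ == "__main__":
    # Constructed sample: private 192.168.1.5 -> 192.168.2.7 over gif A->W
    gif = gif_encapsulate("192.168.1.5", "192.168.2.7", "A.B.C.D", "W.X.Y.Z")
    print(describe(apply_policy(gif, ["ah"], "tunnel", "A.B.C.D", "W.X.Y.Z")))
    print(describe(apply_policy(gif, ["ah"], "transport")))
    print(describe(apply_policy(gif, ["esp", "ah"], "transport")))
```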