From: "Loren M. Lang" <lorenl@alzatex.com>
To: FreeBSD Mailing list <freebsd-questions@freebsd.org>
Date: Sun, 14 Nov 2004 01:53:32 -0800
Message-ID: <20041114095332.GA20277@alzatex.com>
Subject: Bugs in IPSEC Section of Handbook

I recently was reading the handbook on setting up a VPN using IPSec and I believe I've found a couple of bugs in the handbook.

The following line is used to enable IPSec over the IP in IP tunnel:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require

When I changed esp to ah, I was able to monitor the actual communication and I noticed that this caused an IP in IP in AH in IP tunnel instead of just IP in AH in IP. I think the line should read:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \
        esp/transport//require

This seemed to generate the correct result when I was sniffing it with the AH protocol, so I'm assuming it's the same situation with ESP. I think using the tunnel keyword is a shortcut for setting up a gif tunnel, which was already done, and the IP addresses inside // should be the outer addresses, where the first set of IP addresses is what is getting tunneled.

Also, I needed to add the line

    gif_interfaces="gif0"

to rc.conf, but this seems to be omitted from the manual.

The last problem was with the line for the VPN static route:

    route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"

The netmask keyword should not be there, so the line reads:

    route_vpn="192.168.2.0 192.168.2.1 0xffffff00"

The handbook mentions AH, which could be used with ESP, but does not say how. I think it would be convenient for a quick example to be added like the following:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec \
        esp/transport//require ah/transport//require;

I had to do a little research to figure out how to wrap them appropriately.

-- 
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
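To make the encapsulation argument in the post concrete, here is a small Python checker (an added example, not part of the original message or of the FreeBSD handbook) that parses setkey spdadd statements and reports the header stack each one produces on the wire, flagging the tunnel-mode-on-ipencap case. It assumes that listed rules are applied in order, the last one ending up outermost; the post does not state this.

```python
# Added example (not from the post): model what a setkey(8) spdadd policy puts on
# the wire, to show why tunnel mode on an existing gif (ipencap) flow double-encapsulates.
from collections import namedtuple

Rule = namedtuple("Rule", "proto mode endpoints level")  # e.g. esp/transport//require
SpdPolicy = namedtuple("SpdPolicy", "src dst upperspec direction rules")

def parse_spdadd(text):
    """Parse 'spdadd src dst upperspec -P dir ipsec rule ... ;', tolerating
    backslash line continuations and the trailing ';'."""
    toks = text.replace("\\\n", " ").strip().rstrip(";").split()
    if len(toks) < 8 or toks[0] != "spdadd" or toks[4] != "-P" or toks[6] != "ipsec":
        raise ValueError("not a recognised spdadd statement: %r" % text)
    rules = []
    for rule in toks[7:]:
        parts = rule.split("/")
        if len(parts) != 4 or parts[1] not in ("tunnel", "transport"):
            raise ValueError("bad ipsec rule: %r" % rule)
        if parts[1] == "tunnel" and "-" not in parts[2]:
            raise ValueError("tunnel mode needs outer endpoints: %r" % rule)
        rules.append(Rule(*parts))
    return SpdPolicy(toks[1], toks[2], toks[3], toks[5], rules)

def wire_layers(pol):
    """Header stack the policy produces, outermost first. Assumption (not in
    the post): rules apply in the order listed, so the last one is outermost."""
    layers = ["IP", "IP"] if pol.upperspec == "ipencap" else ["IP"]  # gif = IP in IP
    for rule in pol.rules:
        proto = rule.proto.upper()
        if rule.mode == "tunnel":    # adds a new outer IP header
            layers = ["IP", proto] + layers
        else:                        # inserted behind the existing IP header
            layers = [layers[0], proto] + layers[1:]
    return layers

def double_encapsulated(pol):
    """True for the handbook line: a tunnel-mode rule on top of an ipencap flow."""
    return pol.upperspec == "ipencap" and any(r.mode == "tunnel" for r in pol.rules)

# Constructed inputs: the handbook line as quoted in the post and the two corrections proposed.
HANDBOOK = "spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \\\n    esp/tunnel/A.B.C.D-W.X.Y.Z/require;"
PROPOSED = "spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec \\\n    esp/transport//require;"
WITH_AH = "spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec \\\n    esp/transport//require ah/transport//require;"

if __name__ == "__main__":
    for text in (HANDBOOK, PROPOSED, WITH_AH):
        pol = parse_spdadd(text)
        note = "   <- double encapsulation" if double_encapsulated(pol) else ""
        print(" | ".join(wire_layers(pol)) + note)
```

Run against the three statements it prints IP | ESP | IP | IP for the handbook line and IP | ESP | IP for the transport-mode version, matching what the post observed with AH.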