From owner-freebsd-security  Mon Sep 25 18:24:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1])
	by hub.freebsd.org (Postfix) with SMTP id EBBDB37B42C
	for <freebsd-security@FreeBSD.ORG>; Mon, 25 Sep 2000 18:24:38 -0700 (PDT)
Received: (qmail 31172 invoked from network); 26 Sep 2000 01:24:36 -0000
Received: from swun.esec.com.au (HELO eSec.com.au) (203.21.85.207)
  by lynx.esec.com.au with SMTP; 26 Sep 2000 01:24:35 -0000
Message-ID: <39CFFCFD.25452959@eSec.com.au>
Date: Tue, 26 Sep 2000 12:33:49 +1100
From: Sam Wun <swun@eSec.com.au>
Organization: eSec
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway <kris@FreeBSD.org>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: IPsec block my ssh remote login.
References: <Pine.BSF.4.21.0009251735300.48068-100000@freefall.freebsd.org>
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Here is the setkey policy I used:

setkey -c <<EOF
add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
EOF

172.16.1.2 is my client machine, system is FreeBSD 4.1 -stable, with the
following kernel options:

###############################################
options         COMPAT_LINUX
device          pcm

options         IPFILTER                #ipfilter support
options         IPFILTER_LOG            #ipfilter logging
options         IPSTEALTH               #support for stealth forwarding
# Statically Link in accept filters
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_HTTP
options         ICMP_BANDLIM

# enabling for IPSEC
options         IPSEC
options         IPSEC_ESP
###############################################

172.16.1.1 is my server machine, system is also FreeBSD 4.1 - stable, with the
same kernel configuration options compiled.

Thanks for your help
Sam.

Kris Kennaway wrote:

> On Tue, 26 Sep 2000, Sam Wun wrote:
>
> > I have just configured my 4.1 kernel with IPSEC enabled.
> > After executed setkey, it blocks all my network traffic accessing between my
> > client and server machines.
> > I can't even use ssh remote login. Then I used Tcpdump to listen on one of
> > the NIC which is dedicated for the network connection between my client and
> > server machine. I can see ESP packet going thru when I am runniing ssh
> > logging in to my client machine, but ssh seems waiting forever for the reply
> > from my client machine.
> >
> > How can I get some sort of packet go thru with IPSEC protected?
>
> Just configuring it in your kernel shouldn't block incoming packets (or
> change the behaviour of the system at all, in fact) - you need to
> configure the appropriate IPSEC security policies using setkey(8), and the
> security associations using the same tool (manually keyed SAs) or using
> the racoon port (IKE).
>
> It sounds like you're already sending out ESP packets from your other
> machine, but haven't configured the 4.1 machine with the corresponding
> setup.
>
> Kris



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message