From owner-freebsd-security Mon Sep 25 19:03:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lynx.aba.net.au (lynx.esec.com.au [203.21.84.1]) by hub.freebsd.org (Postfix) with SMTP id 8491837B424 for ; Mon, 25 Sep 2000 19:03:21 -0700 (PDT)
Received: (qmail 23106 invoked from network); 26 Sep 2000 02:03:16 -0000
Received: from swun.esec.com.au (HELO eSec.com.au) (203.21.85.207) by lynx.esec.com.au with SMTP; 26 Sep 2000 02:03:16 -0000
Message-ID: <39D0060C.230D7658@eSec.com.au>
Date: Tue, 26 Sep 2000 13:12:28 +1100
From: Sam Wun
Organization: eSec
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: IPsec block my ssh remote login.
References:
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This makes much more sense now. Thanks.

Another question is, do I need to set up IPsec in the rc.conf file, like ipfilter, just for conveniently setting IPsec up when the machine is in the booting stage? If so, will I need to modify rc.network to reflect the change?

Thanks,
Sam.

Kris Kennaway wrote:

> On Tue, 26 Sep 2000, Sam Wun wrote:
>
> > Here is the setkey policy I used:
> >
> > setkey -c <
> > add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
> > add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
> > spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
>
> I believe you also need a spd entry which matches the incoming packets
> i.e. coming in from 172.16.1.2 to 172.16.1.1
>
> spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//use;
>
> This says to apply the esp/transport//use transform to packets coming IN
> from 172.16.1.2 to 172.16.1.1, to go with your other policy which matches
> packets going OUT from 172.16.1.1 to 172.16.1.2.
>
> You may also find it beneficial to use racoon (/usr/ports/security/racoon)
> to manage the security associations instead of manually keying them with
> 'add' entries (plus you'll get more random keys, periodic rekeying, etc).
>
> Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
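Kris's point, that the SAD and SPD entries have to exist in both directions, and Sam's question about loading the policy at boot, as an added example (my code, not anything posted in the thread or shipped with FreeBSD). The script below emits a setkey(8) configuration for the two hosts and SPIs quoted above and checks that every SA and every policy has its mirror before the file is used. The key generation with dd/od, the hmac-sha1 authenticator, the "require" level and the `check_symmetric` function are my additions; the addresses and SPIs are the thread's. Nothing here calls setkey, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a setkey(8) configuration
# in which every SA and every SPD entry has its mirror in the other
# direction, and verify that property before the file is loaded.
# Addresses and SPIs are the ones quoted in the thread; keys are drawn
# from /dev/urandom instead of being typed in as ASCII strings.

A=172.16.1.1      # local host (assumed, as in the thread)
B=172.16.1.2      # peer
SPI_AB=9876       # SPI for traffic A -> B
SPI_BA=10000      # SPI for traffic B -> A

# Print N random bytes as a hex string usable in setkey's 0x... key form.
gen_key() {
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Manually keyed transport-mode ESP between A and B, one SA per direction.
# 3des-cbc takes a 24-byte key and hmac-sha1 a 20-byte key.  The
# authenticator is added because ESP without integrity protection is
# malleable; "require" (instead of the thread's "use") makes the kernel
# refuse cleartext that matches the policy rather than accept it.
ipsec_conf() {
    ea=$(gen_key 24); aa=$(gen_key 20)
    eb=$(gen_key 24); ab=$(gen_key 20)
    cat <<EOF
flush;
spdflush;
add $A $B esp $SPI_AB -E 3des-cbc 0x$ea -A hmac-sha1 0x$aa;
add $B $A esp $SPI_BA -E 3des-cbc 0x$eb -A hmac-sha1 0x$ab;
spdadd $A $B any -P out ipsec esp/transport//require;
spdadd $B $A any -P in  ipsec esp/transport//require;
EOF
}

# Read a setkey config on stdin; exit 0 only if every "add X Y" has an
# "add Y X" and every "-P out" policy X->Y has a "-P in" policy Y->X
# (and vice versa).  A one-sided policy is exactly the thread's mistake.
check_symmetric() {
    awk '
        $1 == "add"    { sa[$2 " " $3] = 1 }
        $1 == "spdadd" { pol[$2 " " $3 " " $6] = 1 }
        END {
            rc = 0
            for (s in sa) {
                split(s, f, " ")
                if (!((f[2] " " f[1]) in sa)) { print "no reverse SA for " s; rc = 1 }
            }
            for (p in pol) {
                split(p, f, " ")
                m = f[2] " " f[1] " " (f[3] == "out" ? "in" : "out")
                if (!(m in pol)) { print "no mirror policy for " p; rc = 1 }
            }
            exit rc
        }'
}

# Usage:  sh ipsec-gen.sh --emit > /etc/ipsec.conf && setkey -f /etc/ipsec.conf
if [ "${1:-}" = "--emit" ]; then
    conf=$(ipsec_conf)
    printf '%s\n' "$conf" | check_symmetric >&2 && printf '%s\n' "$conf"
fi
```

For loading at boot, the knobs I would expect are `ipsec_enable="YES"` and `ipsec_file="/etc/ipsec.conf"` in rc.conf, which rc.network feeds to `setkey -f`; confirm they appear in /etc/defaults/rc.conf on your release before touching rc.network (an assumption on my part, not something the thread confirms). Note also that a 24-character ASCII string like the one in the quoted config carries far less than 192 bits of entropy, which is part of why Kris points to racoon.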