Date: Tue, 26 Sep 2000 13:12:28 +1100
From: Sam Wun <swun@eSec.com.au>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: IPsec block my ssh remote login.
Message-ID: <39D0060C.230D7658@eSec.com.au>
References: <Pine.BSF.4.21.0009251841540.76875-100000@freefall.freebsd.org>
This makes much more sense now. Thanks.

Another question is, do I need to set up ipsec in the rc.conf file like ipfilter, just for conveniently setting the IPSEC up when the machine is in the booting stage? If so, will I need to modify rc.network to reflect the change?

Thanks
Sam.

Kris Kennaway wrote:
> On Tue, 26 Sep 2000, Sam Wun wrote:
>
> > Here is the setkey policy I used:
> >
> > setkey -c <<EOF
> > add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
> > add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
> > spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
>
> I believe you also need a spd entry which matches the incoming packets
> i.e. coming in from 172.16.1.2 to 172.16.1.1
>
> spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//use;
>
> This says to apply the esp/transport//use transform to packets coming IN
> from 172.16.1.2 to 172.16.1.1, to go with your other policy which matches
> packets going OUT from 172.16.1.1 to 172.16.1.2.
>
> You may also find it beneficial to use racoon (/usr/ports/security/racoon)
> to manage the security associations instead of manually keying them with
> 'add' entries (plus you'll get more random keys, periodic rekeying, etc).
>
> Kris
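As an added example (not part of this thread or of FreeBSD's own tools), a small Python checker that parses a setkey(8) script and reports every spdadd whose mirror-direction policy is absent, which is exactly the gap Kris points out above. It goes one step beyond the transport-mode case in the thread by also swapping tunnel-mode endpoints when it builds the mirror rule; the sample policy embedded below is the one quoted in the thread.

```python
"""Lint a setkey(8) script for one-directional SPD entries (added example)."""
import shlex
from typing import List, Tuple

# Constructed sample input: the policy as posted in the thread, which has an
# outbound spdadd only, so the checker should report the missing inbound one.
SAMPLE_POLICY = """
add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
"""

# (src, dst, upperspec, direction, policy rule)
Policy = Tuple[str, str, str, str, str]


def parse_spd(text: str) -> List[Policy]:
    """Extract 'spdadd src dst upperspec -P dir rule' statements; SAs are ignored."""
    entries: List[Policy] = []
    for stmt in text.split(";"):
        toks = shlex.split(stmt, comments=True)  # quoted keys stay one token
        if len(toks) >= 7 and toks[0] == "spdadd" and toks[4] == "-P":
            entries.append((toks[1], toks[2], toks[3], toks[5], " ".join(toks[6:])))
    return entries


def reverse_rule(rule: str) -> str:
    """Mirror a policy rule: transport mode is unchanged, tunnel endpoints A-B become B-A."""
    out = []
    for spec in rule.split():
        f = spec.split("/")  # protocol/mode/src-dst/level
        if len(f) == 4 and f[1] == "tunnel" and "-" in f[2]:
            a, b = f[2].split("-", 1)
            f[2] = f"{b}-{a}"
        out.append("/".join(f))
    return " ".join(out)


def missing_reverse_policies(text: str) -> List[str]:
    """Return the spdadd lines needed so every in/out policy has its mirror."""
    entries = parse_spd(text)
    have = set(entries)
    missing: List[str] = []
    for src, dst, upper, direction, rule in entries:
        if direction not in ("in", "out"):
            continue  # only in/out pairs are mirrored
        mdir = "in" if direction == "out" else "out"
        mirror = (dst, src, upper, mdir, reverse_rule(rule))
        line = f"spdadd {dst} {src} {upper} -P {mdir} {reverse_rule(rule)};"
        if mirror not in have and line not in missing:
            missing.append(line)
    return missing


if __name__ == "__main__":
    for line in missing_reverse_policies(SAMPLE_POLICY):
        print("missing:", line)
```

Point it at the same file you would load with `setkey -f` so the policy is checked before it is installed.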