Date: Sun, 16 Jun 2002 23:55:39 +0200
From: Bernhard Schmidt <berni@birkenwald.de>
To: freebsd-security@freebsd.org
Subject: Too stupid for IPsec
Message-ID: <20020616215539.GA3675@thor.birkenwald.de>
Warning, this is quite long. I don't know whether there is a better
group for IPsec related things, if so please drop me a note.
I just tried to establish a secure connection with IPsec between my
router at home and my machine at work.
The machine at home (heimdall) is running FBSD 4.6-RELEASE, the other
one (lupus) is running FBSD 4.5-RELEASE-p4. Both have IPSEC, IPSEC_ESP
and IPSEC_DEBUG integrated in the kernel.
The structure of the network is as follows:
At home:

Windows ---+
           |                 +----------+
Linux   ---+---------------+ heimdall +------- (some routers) ------->
           |                 +----------+
FreeBSD ---+   195.143.230.217/29      195.143.230.215/32 (alias)

                                                   +-------+
                                  <--------------+ lupus |
                                                   +-------+
                                                 195.143.155.4/32
At the moment I'm trying to encrypt/authenticate the data when there is
a connection between frigg (a non-IPsec-aware Linux box in my /29 above)
and lupus. As far as I have understood the documentation, I need the
tunnel mode in this case.
My current approach looks like the following. I generated my SPI
definitions into a file and copy-and-pasted them into "setkey -c" on both
sides.
add 195.143.230.215 195.143.155.4 esp 1000 -m tunnel -E rijndael-cbc
"1234567890123456" -A hmac-sha1 "12345678901234567890" ;
add 195.143.155.4 195.143.230.215 esp 2000 -m tunnel -E rijndael-cbc
"2345678901234567" -A hmac-sha1 "23456789012345678901" ;
then I created my SPDs by adding
spdadd 195.143.230.220/32 195.143.155.4/32 any -P out ipsec
esp/tunnel/195.143.230.215-195.143.155.4/require ;
on heimdall and
spdadd 195.143.155.4/32 195.143.230.220/32 any -P out ipsec
esp/tunnel/195.143.155.4-195.143.230.215/require ;
on lupus. When I ping/telnet lupus from frigg and vice versa I can see
ESP packets in tcpdump with the correct SPI. But nothing more happens.
lupus does not react to anything it receives with ESP, and heimdall does
not forward the (now unencrypted) packet to its second ethernet device.
net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but
nothing shows up in the logfile (yes, syslog is set up correctly).
Any ideas what could be missing/wrong? Any help appreciated, I'm
probably just too blind to see the obvious solution.
--
bye bye
Bernhard
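An added example, not part of Bernhard's mail: a small sh generator for the setkey(8) input of the tunnel above. It checks that each key has the length rijndael-cbc and hmac-sha1 accept, uses random keys instead of the fixed strings in the mail, and emits SPD entries for both directions on each gateway, as the tunnel-mode example in setkey(8) does (the mail shows only -P out). It assumes frigg is 195.143.230.220, the address the mail's SPD uses.

```shell
#!/bin/sh
# Added example (not from the mail): build setkey(8) input for one end of
# the frigg <-> lupus tunnel, checking key lengths and loading SPD entries
# for both directions, as the setkey(8) tunnel-mode example does.

# key_ok ALGO HEXKEY: 0 when HEXKEY (hex digits, no 0x) has a length the
# algorithm accepts: rijndael-cbc 16/24/32 bytes, hmac-sha1 20 bytes.
key_ok() {
    bytes=$(( ${#2} / 2 ))
    case "$1" in
        rijndael-cbc) [ "$bytes" -eq 16 ] || [ "$bytes" -eq 24 ] || [ "$bytes" -eq 32 ] ;;
        hmac-sha1)    [ "$bytes" -eq 20 ] ;;
        *)            return 2 ;;
    esac
}

# rand_hex BYTES: BYTES random bytes from /dev/urandom as hex (no 0x)
rand_hex() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# setkey_conf LGW RGW LNET RNET SPI_OUT SPI_IN EKEY_OUT AKEY_OUT EKEY_IN AKEY_IN
# Prints both SAs and both SPD policies as seen from gateway LGW; the peer
# runs the same call with gateways, networks, SPIs and key pairs swapped.
setkey_conf() {
    lgw=$1 rgw=$2 lnet=$3 rnet=$4 spi_out=$5 spi_in=$6
    for k in "rijndael-cbc $7" "hmac-sha1 $8" "rijndael-cbc $9" "hmac-sha1 ${10}"; do
        key_ok $k || { echo "key length wrong for ${k%% *}" >&2; return 1; }
    done
    echo 'flush;'
    echo 'spdflush;'
    printf 'add %s %s esp %s -m tunnel -E rijndael-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$lgw" "$rgw" "$spi_out" "$7" "$8"
    printf 'add %s %s esp %s -m tunnel -E rijndael-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$rgw" "$lgw" "$spi_in" "$9" "${10}"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# One key pair per SA, generated once and shared with the peer out of band.
E1=$(rand_hex 16) A1=$(rand_hex 20) E2=$(rand_hex 16) A2=$(rand_hex 20)
# heimdall (frigg assumed to be 195.143.230.220, the address in the mail's SPD):
setkey_conf 195.143.230.215 195.143.155.4 195.143.230.220/32 195.143.155.4/32 \
    1000 2000 "$E1" "$A1" "$E2" "$A2"
# lupus: same keys, roles swapped.
setkey_conf 195.143.155.4 195.143.230.215 195.143.155.4/32 195.143.230.220/32 \
    2000 1000 "$E2" "$A2" "$E1" "$A1"
```

Pipe each host's block into `setkey -c` on that host and compare `setkey -D` / `setkey -DP` on both ends afterwards.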
