From owner-freebsd-questions Sun Jan 19 13:24: 4 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1AD437B401 for ; Sun, 19 Jan 2003 13:24:01 -0800 (PST)
Received: from web41004.mail.yahoo.com (web41004.mail.yahoo.com [66.218.93.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 6CB1643E4A for ; Sun, 19 Jan 2003 13:24:01 -0800 (PST) (envelope-from josepha48@yahoo.com)
Message-ID: <20030119212401.14272.qmail@web41004.mail.yahoo.com>
Received: from [68.164.18.86] by web41004.mail.yahoo.com via HTTP; Sun, 19 Jan 2003 13:24:01 PST
Date: Sun, 19 Jan 2003 13:24:01 -0800 (PST)
From: Joe
Subject: ipsec bridging, natd, HELP!
To: freebsd-questions@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I have set up a nice little gateway / router using FreeBSD. It works very nice so far. I desperately need help with ipsec. I have searched the internet and read the FAQs. My problem is that I have not found an easy way to tell if it is working. I am guessing it is not.

Here is the setup. 3 interfaces: xl0, xl1, wi0

xl0 is the external interface. All traffic is natted through this interface.
xl1 is the internal wired interface.
wi0 is the wireless interface.

xl1 -> xl0 works fine.
wi0 -> xl1 are bridged (sysctl net.link.ether.bridge_cfg="wi0 xl1"); this also works fine.

I have enabled 128 bit WEP, as a quick and dirty way of getting the network 'somewhat' secure. At least the data is not in clear text. There is little threat from a wireless hacker here too, as there is not sufficient range (tested, much concrete here).

I now want to set up ipsec. So I read the handbook, and searched the net.

Before ipsec, ping wireless laptop to xl1 gives normal reply.
After ipsec, ping wireless laptop to xl1 gives NO response. I can access the internet though.

I run netstat -sn -p ipsec on both machines and it seems that both are sending outbound packets correctly, eg:

    55 outbound packets processed successfully

however I also see, eg:

    35 inbound packets with no SA available

I want to secure traffic between xl1 and my laptop. esp would be fine, as I have read that you cannot use ah with natd. I also want to use ipcomp. The basic setup is:

ipsec.conf:

    add esp 7000 -E
    esp 17000 -E
    ipcomp 7002 -C deflate;
    add ipcomp 17002 -C deflate;
    spdadd -P out esp/transport//use ipcomp/transport//use;
    spdadd -P in esp/transport//use ipcomp/transport//use;

The difference is the spdadd's on the machines: on the client, the in and out statements are switched. This is what I have read.

So how do I tell if this is actually working, and why can't I ping the machine after starting ipsec? Also, shouldn't I be able to do this setup (bridging / nat) with ipsec?

Thanks,
Joe
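As an added example (not from the post or from FreeBSD), the script below generates the two setkey(8) files for the gateway and the laptop from a single description and checks that they mirror each other: identical SA entries on both hosts, with only the SPD in/out direction swapped, which is the relationship the post describes. The addresses and the key are constructed placeholders; the SPIs are the ones the post uses; the policy ordering is an assumption noted in the code.

```python
"""Mirrored setkey(8) input for a manually keyed transport-mode ESP + IPComp
link between a gateway (xl1) and a wireless laptop. Added example, not code
from the post or from FreeBSD: addresses and key are constructed placeholders;
the SPIs are the ones the post uses."""
GATEWAY = "192.0.2.1"   # assumed: address of the gateway's xl1 interface
LAPTOP = "192.0.2.50"   # assumed: address of the wireless laptop
KEY_HEX = "00112233445566778899aabbccddeeff"  # constructed 128-bit placeholder

# One SA per direction: (src, dst, esp_spi, ipcomp_spi).
SAS = [(GATEWAY, LAPTOP, 7000, 7002), (LAPTOP, GATEWAY, 17000, 17002)]
# Assumed: KAME applies the listed policies in order to outbound packets,
# so ipcomp is listed first to compress before encrypting.
POLICY = "ipcomp/transport//use esp/transport//use"

def sad_lines() -> list[str]:
    """SAD entries are identical on both hosts: an SA is identified by its
    own src, dst and SPI, independent of which host installs it."""
    lines = []
    for src, dst, spi_esp, spi_comp in SAS:
        lines.append(f"add {src} {dst} esp {spi_esp} -E rijndael-cbc 0x{KEY_HEX};")
        lines.append(f"add {src} {dst} ipcomp {spi_comp} -C deflate;")
    return lines

def spd_lines(local: str, peer: str) -> list[str]:
    """SPD entries are relative to the installing host, so 'in' and 'out'
    swap between the two files (the point the post makes)."""
    return [f"spdadd {local} {peer} any -P out ipsec {POLICY};",
            f"spdadd {peer} {local} any -P in ipsec {POLICY};"]

def build(local: str, peer: str) -> str:
    """Complete `setkey -f` input for one host."""
    return "\n".join(["flush;", "spdflush;", *sad_lines(), *spd_lines(local, peer)]) + "\n"

def _spd(conf: str) -> set[tuple[str, str, str]]:
    """(src, dst, direction) of every spdadd line."""
    rows = [l.split() for l in conf.splitlines() if l.startswith("spdadd ")]
    return {(f[1], f[2], f[5]) for f in rows}

def mirrored(conf_a: str, conf_b: str) -> bool:
    """True when both files install the same SAs and every policy of one
    appears in the other with its direction flipped."""
    sad = lambda c: [l for l in c.splitlines() if l.startswith("add ")]
    flip = {"in": "out", "out": "in"}
    return (sad(conf_a) == sad(conf_b)
            and _spd(conf_a) == {(s, d, flip[dr]) for s, d, dr in _spd(conf_b)})

if __name__ == "__main__":
    gw, lt = build(GATEWAY, LAPTOP), build(LAPTOP, GATEWAY)
    print("# gateway\n" + gw + "# laptop\n" + lt + "mirrored:", mirrored(gw, lt))
```

If the inbound "no SA available" counter keeps climbing after loading a mirrored pair, the SAs the receiver holds do not match the src/dst/SPI of the arriving packets, so compare `setkey -D` on both hosts against these generated lines.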