Date: Thu, 24 Apr 2003 10:57:44 +0200 (CEST)
From: Ludo Koren <lk@tempest.sk>
To: larse@ISI.EDU
Cc: freebsd-current@freebsd.org
Subject: Re: IPsec on FreeBSD 5.0-RELEASE-p7
Message-ID: <200304240857.h3O8vixJ042188@lk.tempest.sk>
In-Reply-To: <3EA6781F.3030600@isi.edu> (message from Lars Eggert on Wed, 23 Apr 2003 07:25:19 -0400)
First of all, thank you very much for your answer.

>>>>> Lars Eggert <larse@ISI.EDU> writes:

> On 4/23/2003 6:16 AM, Ludo Koren wrote:
>> After upgrading to FreeBSD 5.0-RELEASE-p7 (COMPAQ) #0: Sun Apr
>> 20 21:50:49 CEST 2003, IPsec stopped working.
>>
>> I have the following options in the kernel configuration:
>>
>> options IPSEC          #IP security
>> options IPSEC_ESP      #IP security (crypto; define w/ IPSEC)
>> options IPSEC_DEBUG    #debug for IP security
>>
>> and the IPsec configuration was working with FreeBSD 4.6:
>>
>> #! /bin/sh
>>
>> /sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
>> /usr/sbin/gifconfig gif0 inet 195.28.126.7 195.91.63.194
>> /sbin/ifconfig gif0 inet x.x.x.x netmask 255.255.255.255 y.y.y.0 netmask 255.255.255.0 up
>>
>> /usr/sbin/setkey -FP
>> /usr/sbin/setkey -F
>> /usr/sbin/setkey -c << EOF
>>
>> spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
>> spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
>>
>> EOF
>>
>> /sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface
>> /usr/local/sbin/racoon
>>
>>
>> I can see via tcpdump on fxp0 that ESP packets are going to the
>> destination and back. But unfortunately, ping doesn't get the
>> response. It seems packets do not come back through the gif0
>> interface, though tcpdump on the fxp0 interface gets them.

> You're using IPsec tunnel mode together with a parallel IPIP
> gif tunnel. This has been suggested in a bunch of online
> "tutorials" on IPsec, but is a bad idea, with both -stable and
> -current. The attached email message explains why.

> In short, try this:

> 1. remove IPSEC_DEBUG (not sure if this even still does something)
> 2. don't configure the gif interface at all
> 3. don't use the route command

It is working now, but with the IP address of my ethernet interface only.

What I would like to do (maybe based on the Cisco VPN client configuration) is to use a private IP address when communicating with the other end of the IPsec tunnel. Even if I added esp/transport/x.x.x.x-y.y.y.0/use to the above configuration, it is not working. Is it possible at all, or am I doing something wrong?

> i.e. just do the setkey commands you have above.

> Alternatively, take a look at draft-touch-ipsec-vpn-05.txt,
> which proposes an alternative that works with routing (but not
> current IKE).

I have read the document, thanks for the pointer.

> Lars
> --
> Lars Eggert <larse@isi.edu> USC Information Sciences Institute

ludo
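A small lint for the kind of setup script quoted above, added here as an example (it is not code from the thread or from FreeBSD): it parses the `ifconfig gifN create tunnel` and `setkey spdadd ... esp/tunnel/...` lines and flags the parallel gif/ESP-tunnel arrangement Lars warns against, plus any policy whose mirrored in/out counterpart is missing. The sample script, the regexes and the function names are constructed; the x.x.x.x and y.y.y.0 placeholders are kept as in the mail.

```python
import re

# Constructed sample: the script quoted in the thread, reduced to the
# lines this check cares about (placeholder addresses kept as in the mail).
THREAD_SCRIPT = """\
/sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
/usr/sbin/setkey -c << EOF
spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
EOF
"""

GIF_RE = re.compile(r"ifconfig\s+(gif\d+)\s+create\s+tunnel\s+(\S+)\s+(\S+)")
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^\s-]+)-([^\s/]+)/\w+\s*;")

def parse(script):
    """Return (gif tunnels, tunnel-mode SPD entries) found in a setup script."""
    gifs = [m.groups() for m in GIF_RE.finditer(script)]          # (name, ep_a, ep_b)
    policies = [dict(zip(("src", "dst", "dir", "ep1", "ep2"), m.groups()))
                for m in SPD_RE.finditer(script)]
    return gifs, policies

def lint(script):
    """Flag a gif IPIP tunnel parallel to an esp/tunnel policy, and unmirrored policies."""
    gifs, policies = parse(script)
    findings = []
    # A gif tunnel between the same two gateways as an esp/tunnel policy
    # double-encapsulates traffic; Lars' advice is to drop the gif interface.
    endpoints = {(p["ep1"], p["ep2"]) for p in policies}
    for name, a, b in gifs:
        if (a, b) in endpoints or (b, a) in endpoints:
            findings.append(f"{name}: IPIP tunnel {a}<->{b} runs parallel to an "
                            f"esp/tunnel policy between the same gateways")
    # Every out policy needs an in policy with selectors and endpoints swapped.
    keys = {(p["dir"], p["src"], p["dst"], p["ep1"], p["ep2"]) for p in policies}
    for p in policies:
        mirror = ("in" if p["dir"] == "out" else "out",
                  p["dst"], p["src"], p["ep2"], p["ep1"])
        if mirror not in keys:
            findings.append(f"{p['dir']} policy {p['src']} -> {p['dst']} has no "
                            f"mirrored {mirror[0]} policy")
    return findings

if __name__ == "__main__":
    for finding in lint(THREAD_SCRIPT):
        print(finding)
```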