From owner-freebsd-current@FreeBSD.ORG Thu Apr 24 01:57:48 2003
Date: Thu, 24 Apr 2003 10:57:44 +0200 (CEST)
Message-Id: <200304240857.h3O8vixJ042188@lk.tempest.sk>
From: Ludo Koren
To: larse@ISI.EDU
In-reply-to: <3EA6781F.3030600@isi.edu> (message from Lars Eggert on Wed, 23 Apr 2003 07:25:19 -0400)
cc: freebsd-current@freebsd.org
Subject: Re: IPsec on FreeBSD 5.0-RELEASE-p7

First of all, thank you very much for your answer.

>>>>> Lars Eggert writes:

> On 4/23/2003 6:16 AM, Ludo Koren wrote:
>> After upgrading to FreeBSD 5.0-RELEASE-p7 (COMPAQ) #0: Sun Apr
>> 20 21:50:49 CEST 2003 IPsec stopped working.
>>
>> I have the following options in the kernel configuration:
>>
>> options IPSEC          #IP security
>> options IPSEC_ESP      #IP security (crypto; define w/ IPSEC)
>> options IPSEC_DEBUG    #debug for IP security
>>
>> and the IPsec configuration was working with FreeBSD 4.6:
>>
>> #! /bin/sh
>>
>> /sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
>> /usr/sbin/gifconfig gif0 inet 195.28.126.7 195.91.63.194
>> /sbin/ifconfig gif0 inet x.x.x.x netmask 255.255.255.255 y.y.y.0 netmask 255.255.255.0 up
>>
>> /usr/sbin/setkey -FP
>> /usr/sbin/setkey -F
>> /usr/sbin/setkey -c << EOF
>>
>> spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec
>>        esp/tunnel/195.28.126.7-195.91.63.194/require;
>> spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec
>>        esp/tunnel/195.91.63.194-195.28.126.7/require;
>>
>> EOF
>>
>> /sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface
>> /usr/local/sbin/racoon
>>
>> I can see via tcpdump on fxp0 that ESP packets are going to the
>> destination and back. But unfortunately, ping doesn't get the
>> response. It seems packets do not come back through the gif0
>> interface, though tcpdump on the fxp0 interface gets them.

> You're using IPsec tunnel mode together with a parallel IPIP
> gif tunnel. This has been suggested in a bunch of online
> "tutorials" on IPsec, but is a bad idea, with both -stable and
> -current. The attached email message explains why.
>
> In short, try this:
>
> 1. remove IPSEC_DEBUG (not sure if this even still does something)
> 2. don't configure the gif interface at all
> 3. don't use the route command

It is working now, but with my IP address of the ethernet interface only. What I would like to do (maybe based on the Cisco VPN client configuration) is to use a private IP address when communicating with the other end of the IPsec tunnel. Even if I added esp/transport/x.x.x.x-y.y.y.0/use to the above configuration, it is not working. Is it possible at all, or am I doing something wrong?

> i.e. just do the setkey commands you have above.

> Alternatively, take a look at draft-touch-ipsec-vpn-05.txt,
> which proposes an alternative that works with routing (but not
> current IKE).

I have read the document, thanks for the pointer.

> Lars
> --
> Lars Eggert                        USC Information Sciences Institute

ludo
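The script below is an added example written for this page; it is not code from the thread, from Lars Eggert or from the FreeBSD project. It writes the setkey(8) policy that Lars's three-step advice leaves behind (the two tunnel-mode spdadd entries, with no gif(4) interface and no static route), and it includes a small checker, `has_parallel_tunnel`, that flags a start-up script which still mixes tunnel-mode policies with a gif interface or a `route add`. The function names are hypothetical; the gateway addresses are the ones quoted in the thread, and `x.x.x.x` / `y.y.y.0/24` are the thread's own placeholders for the inner selectors. It does not settle Ludo's follow-up question about using a private inner address, which the thread leaves open.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates the tunnel-mode
# SPD that remains after dropping the gif interface and the route command,
# and lints a script for the parallel-tunnel pattern the reply warns about.

LOCAL_GW=195.28.126.7       # local IPsec tunnel endpoint (outer address, from the thread)
REMOTE_GW=195.91.63.194     # remote IPsec tunnel endpoint (outer address, from the thread)
LOCAL_NET=x.x.x.x/32        # inner selector placeholder; the thread reports success only
                            # with the ethernet interface's own address here
REMOTE_NET=y.y.y.0/24       # inner selector placeholder for the far side

# ipsec_policy prints the SPD in setkey(8) configuration syntax. Traffic
# matching the selectors is required to be ESP-encapsulated between the two
# gateways; there is no separate IPIP tunnel for it to be routed into.
ipsec_policy() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec
    esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec
    esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# has_parallel_tunnel reads a VPN start-up script on stdin and returns 0
# when it shows the pattern the reply warns against: tunnel-mode IPsec
# policies next to a gif interface or a static route. Returns 1 otherwise.
has_parallel_tunnel() {
    awk '
        /gif[0-9]/      { gif = 1 }
        /route +add/    { route = 1 }
        /esp\/tunnel\// { tunnel = 1 }
        END { if (tunnel && (gif || route)) exit 0; exit 1 }
    '
}

# apply_policy flushes the SPD and SAD, then loads the policy, as the
# thread's script does minus the gif and route steps. Needs root and a
# kernel built with options IPSEC/IPSEC_ESP, so it only runs on request.
apply_policy() {
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    ipsec_policy | /usr/sbin/setkey -c
}

# Constructed sample: a cut-down version of the old-style script from the
# thread, which the checker is expected to flag.
OLD_SCRIPT='/sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
/sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface
spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;'

if [ "$1" = "apply" ]; then
    apply_policy
else
    ipsec_policy
fi
```

Run it with no arguments to print the policy for review, or pipe any existing VPN script into `has_parallel_tunnel` to see whether it still carries the gif-plus-tunnel-mode combination; `apply` loads the policy with setkey(8) and is the only part that touches the kernel.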