From owner-freebsd-net Wed Sep 5 16:35:10 2001
To: matt@gsicomp.on.ca
Cc: freebsd-net@freebsd.org
Subject: Re: Help with IPSec VPN
In-Reply-To: Your message of "Fri, 31 Aug 2001 09:18:37 -0400" <003201c1321f$71de65e0$1200a8c0@gsicomp.on.ca>
Date: Thu, 06 Sep 2001 08:34:41 +0900
From: Shoichi Sakane
Message-Id: <20010906083441E.sakane@kame.net>

> 8 outbound packets with no SA available
>
> Both boxes are running RELENG_4_3 (security release), and have 'options
> IPSEC' and 'options IPSEC_ESP' in the kernel.
>
> Box A is 192.168.0.2/24, Box B is 192.168.0.3/24.
>
> Here's what I'm doing on box A:
>
> gabby# setkey -c << EOF
> add 10.0.2.1 10.0.3.1 esp 1000 -E 3des-cbc "goofgoofgoofgoofgoofgoof";
> add 10.0.3.1 10.0.2.1 esp 1001 -E 3des-cbc "foolfoolfoolfoolfoolfool";
> spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec
> esp/tunnel/192.168.0.2-192.168.0.3/require;
> spdadd 10.0.3.0/24 10.0.2.0/24 any -P in ipsec
> esp/tunnel/192.168.0.3-192.168.0.2/require;
> EOF

You want to establish the SA between 192.168.0.2 and 192.168.0.3 in order to protect the communication between 10.0.2.0/24 and 10.0.3.0/24, don't you?
You have to configure the SAD like the following:

add 192.168.0.2 192.168.0.3 esp 1000 -E 3des-cbc "goofgoofgoofgoofgoofgoof";
add 192.168.0.3 192.168.0.2 esp 1001 -E 3des-cbc "foolfoolfoolfoolfoolfool";
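The mistake in this thread (SAs keyed on the inner hosts 10.0.x.1 while the tunnel policies name the gateways 192.168.0.2/3) can be caught before the script is loaded. The following checker is an added example, not code from the thread or from KAME/FreeBSD: it parses the `add` and `spdadd` statements and reports every `require` tunnel policy whose outer endpoints have no matching SA; the function names and the two embedded scripts (constructed from the configurations above) are the example's own.

```python
"""Lint a setkey(8) script: every 'require' tunnel policy needs an SA whose
endpoints are the tunnel's outer (gateway) addresses, not the inner hosts
the policy protects. Added example; not KAME/FreeBSD code."""
import re

SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+\d+")
SP_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                   r"(esp|ah)/tunnel/(\S+)-(\S+)/(\w+)")


def statements(script):
    """Split on ';' and collapse whitespace: setkey statements may span lines."""
    return [" ".join(s.split()) for s in script.replace("\n", " ").split(";")
            if s.strip()]


def check_setkey(script):
    """Return one diagnostic per 'require' tunnel policy with no SA in the SAD."""
    sad = set()
    for st in statements(script):
        m = SA_RE.match(st)
        if m:
            sad.add((m.group(1), m.group(2), m.group(3)))  # (src, dst, proto)
    problems = []
    for st in statements(script):
        m = SP_RE.match(st)
        if not m:
            continue
        src, dst, direction, proto, tsrc, tdst, level = m.groups()
        if level == "require" and (tsrc, tdst, proto) not in sad:
            problems.append(f"-P {direction} {src}->{dst}: no {proto} SA "
                            f"{tsrc}->{tdst} in SAD (traffic has no SA available)")
    return problems


# Constructed from the thread: SAs keyed on inner hosts (broken) vs. gateways.
BROKEN = """\
add 10.0.2.1 10.0.3.1 esp 1000 -E 3des-cbc "goofgoofgoofgoofgoofgoof";
add 10.0.3.1 10.0.2.1 esp 1001 -E 3des-cbc "foolfoolfoolfoolfoolfool";
spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec
    esp/tunnel/192.168.0.2-192.168.0.3/require;
spdadd 10.0.3.0/24 10.0.2.0/24 any -P in ipsec
    esp/tunnel/192.168.0.3-192.168.0.2/require;
"""
FIXED = BROKEN.replace("add 10.0.2.1 10.0.3.1", "add 192.168.0.2 192.168.0.3") \
              .replace("add 10.0.3.1 10.0.2.1", "add 192.168.0.3 192.168.0.2")

if __name__ == "__main__":
    for name, script in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_setkey(script) or "ok")
```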