Date: Tue, 26 Sep 2000 15:35:22 +0900 From: Jun-ichiro itojun Hagino <itojun@iijlab.net> To: Kris Kennaway <kris@FreeBSD.org> Cc: Sam Wun <swun@eSec.com.au>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.org> Subject: Re: IPsec block my ssh remote login. Message-ID: <200009260635.e8Q6ZMK18900@ starfruit.itojun.org> In-Reply-To: kris's message of Mon, 25 Sep 2000 18:45:49 MST. <Pine.BSF.4.21.0009251841540.76875-100000@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>> Here is the setkey policy I used:
>> setkey -c <<EOF
>> add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
>> add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
>> spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
>I believe you also need a spd entry which matches the incoming packets
>i.e. coming in from 172.16.1.2 to 172.16.1.1
>spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//use;
>This says to apply the esp/transport//use transform to packets coming IN
>from 172.16.1.2 to 172.16.1.1, to go with your other policy which matches
>packets going OUT from 172.16.1.1 to 172.16.1.2.
actually, inbound policy is not required. If you get an encrypted
traffic and you have a matching IPsec SA (key) for them, that will
be used to decrypt the traffic. what inbound policy does is to
reject, or accept, based on how the traffic was encrypted.
For example, if you have the following:
>spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//require;
172.16.1.1 will accept traffic from 172.16.1.2, only if the traffic
was encrypted.
with the following,
>spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//use;
172.16.1.1 will accept traffic from 172.16.1.2, if the traffic was
encrypted, or if the traffic was not encrypted (= doesn't care).
>You may also find it beneficial to use racoon (/usr/ports/security/racoon)
>to manage the security associations instead of manually keying them with
>'add' entries (plus you'll get more random keys, periodic rekeying, etc).
if you would like to use racoon (or isakmpd) to negotiate IPsec
SAs (keys) and would like to really secure the traffic, I would
suggest the use of the following policy ("require" instead "use"):
>spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//require;
>spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//require;
outbound "use" policy means that we can emit unencrypted traffic
out to the wire, until key neogiation is finished, and it may not
be desirable behavior. outbound "require" will instruct the node
to emit encrypted traffic only.
"use" may make sense when encryption is optional, so it depends on
your goal which is one more suitable.
inbound "require" will reject unencrypted incoming traffic, and
requires the peer (172.16.1.2) to emit encrypted traffic to the node
(172.16.1.1).
itojun
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009260635.e8Q6ZMK18900>