From owner-freebsd-current@FreeBSD.ORG Thu Jan 22 03:09:31 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C18F316A4CE for ; Thu, 22 Jan 2004 03:09:31 -0800 (PST) Received: from gvr.gvr.org (gvr-gw.gvr.org [80.126.103.228]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6DD5A43D75 for ; Thu, 22 Jan 2004 03:09:30 -0800 (PST) (envelope-from guido@gvr.org) Received: by gvr.gvr.org (Postfix, from userid 657) id 78BF25C; Thu, 22 Jan 2004 12:09:29 +0100 (CET) Date: Thu, 22 Jan 2004 12:09:29 +0100 From: Guido van Rooij To: Andrew Thomson Message-ID: <20040122110929.GA767@gvr.gvr.org> References: <1074650025.701.82.camel@itouch-1011.prv.au.itouchnet.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1074650025.701.82.camel@itouch-1011.prv.au.itouchnet.net> cc: current@freebsd.org Subject: Re: ipsec changes in 5.2R X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Jan 2004 11:09:31 -0000 On Wed, Jan 21, 2004 at 12:53:46PM +1100, Andrew Thomson wrote: > I'm a little guilty as I upgraded my laptop from 5.0 to 5.2. So I'm > guessing things have changed a bit. > > However I used to encrypt my wireless connection using IPSEC. Since the > upgrade, things no longer work. > > My firewall is a 4.9p1 host which is at the other end of the IPSEC VPN > and wireless link. > > I previously used the following ipsec.conf to get things going (these > are from the firewall, obviously the reverse [out/in] is applied to my > laptop). > > 192.168.14.2[any] 0.0.0.0/0[any] any > in ipsec > esp/tunnel/192.168.14.2-192.168.14.1/require > spid=5 seq=1 pid=1409 > refcnt=1 > 0.0.0.0/0[any] 192.168.14.2[any] any > out ipsec > esp/tunnel/192.168.14.1-192.168.14.2/require > spid=6 seq=0 pid=1409 > refcnt=1 > > Now when I have those setkey entries enabled on my laptop, I can't even > ping my own host (192.168.14.2). > > Both tcpdump and ipfw add 100 log ip from any to any shows nothing on my > wireless link.. > > Not sure why this has now stopped working.. Any clues? I have seen the same. Somehow it looks like ISAKMP traffic, which used to go around the ipsec policy, is now included. The only workaround I know of is to replace "require" with "use". -Guido