Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT) From: Michael Proto <echo.ranger@corp.earthlink.net> To: Paul Root <proot@iaces.com> Cc: <security@FreeBSD.ORG> Subject: Re: IPSEC config Message-ID: <Pine.LNX.4.33L2.0109131546200.982-100000@finch.netops.mindspring.net> In-Reply-To: <3BA10B3F.610E6FB3@iaces.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Paul, Have you used ifconfig to setup the inside points of your gif tunnel? gifconfig only sets the outside IP addresses of your security gateways. You still need to use ifconfig to set the point-to-point link on the inside. for ex: Gateway A: public IP: 199.54.21.1 private net IP: 10.0.0.1 Gateway B: public IP: 199.54.85.4 private net IP: 10.0.10.1 on Gateway A: gifconfig gif0 199.54.21.1 199.54.85.4 ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0 and vice versa on Gateway B. From the looks of it, you seem to be missing the 'inside IP' configuration of your gif tunnels. Good luck, Michael Proto On Thu, 13 Sep 2001, Paul Root wrote: > Hi, > I'm trying to setup a IPSec tunnel and am having trouble. > Both machines are 4.4 RC3 (I think, last week). And when I set it up > for a transport between the two machines it works fine, so racoon > must be fine. > > I'm following the IPsec mini-HOWTO from January 2001 daemonnews. > Here's my config on one end: > > #!/bin/sh > # These commands need to be run on acesfbsd to > # connect to lorax, in a IPSEC test > # > # Setup the tunnel device. > gifconfig gif0 10.20.30.4 172.28.56.82 > # > # The next 2 lines delete all existing entries > # from the SPD and SAD > setkey -FP > setkey -F > # Add the policy > setkey -c <<EOF > spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec > esp/tunnel/10.20.30.4-172.28.56.82/require; > spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec > esp/tunnel/172.28.56.82-10.20.30.4/require; > EOF > > > > The man page on gif and gifconfig are vague to me, but I think I've > got it, those are the actual addresses of the boxes right? Also, the > howto had transport instead of tunnel in the spdadd lines but > the man page suggests tunnel. > > I'm sure I'm doing something horribly wrong. > > Thanks, > Paul. > > -- Michael Proto | echo.ranger@corp.earthlink.net Security Engineer, EarthLink Inc. | (404)815-0770 x22114 ------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.33L2.0109131546200.982-100000>