From: Paul Root <proot@iaces.com>
Date: Thu, 13 Sep 2001 15:32:18 -0500
To: Brooks Davis, security@freebsd.org
Subject: Re: IPSEC config
Message-ID: <3BA117D2.ECF38713@iaces.com>
References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu>

Ok, I'm making progress. This is what I've come up with:

#!/bin/sh
# These commands need to be run on acesfbsd to
# connect to lorax, in an IPSEC test
#
# Setup the tunnel device.
#gifconfig gif0 10.20.30.4 172.28.56.82
ifconfig gif0 destroy
ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
#
# The next 2 lines delete all existing entries
# from the SPD and SAD
setkey -FP
setkey -F
# Add the policy
setkey -c <

acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa]
15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa]
15:23:36.744202 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: (hash: len=20)
15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:37.906233 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 2/others R oakley-quick[E]: [|hash]
15:23:37.970725 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1)
15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1)
15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)
15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2)
15:23:50.727104 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x3)
15:23:51.735860 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x3)
15:23:51.737023 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x4)
15:24:14.698044 sunburn.42072 > acesfbsd.33435: udp 12 (DF) [ttl 1]
15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF)
15:24:19.923220 sunburn > acesfbsd: icmp: echo request (DF)

So that's cool. Could it be I'm down to routing?

My route table looks like this:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            10.20.30.1         UGSc         7       63   fxp0
10.20.30/24        link#1             UC           7        0   fxp0
10.20.30.1         0:c0:95:e0:b3:69   UHLW         7        0   fxp0   1191
10.20.30.3         8:0:20:7e:85:d4    UHLW         1       35   fxp0    796
10.20.30.5         8:0:20:ab:bb:69    UHLW         1       50   fxp0    937
10.20.30.13        0:4:76:2b:4a:92    UHLW         1       12   fxp0   1166
10.20.30.16        0:30:65:b2:87:ae   UHLW         0        0   fxp0    745
10.20.30.50        0:2:b3:30:1f:ad    UHLW         1       36   fxp0    987
10.20.30.255       ff:ff:ff:ff:ff:ff  UHLWb        0       44   fxp0
127.0.0.1          127.0.0.1          UH           2       40    lo0
172.28.56/24       gif0               USc          0        0   gif0

and ifconfig:

fxp0: flags=8943 mtu 1500
        inet 10.20.30.4 netmask 0xffffff00 broadcast 10.20.30.255
        inet6 fe80::2a0:c9ff:fe08:1f21%fxp0 prefixlen 64 scopeid 0x1
        ether 00:a0:c9:08:1f:21
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051 mtu 1280
        tunnel inet 10.20.30.4 --> 172.28.56.82
        inet6 fe80::2a0:c9ff:fe08:1f21%gif0 prefixlen 64 scopeid 0x4

I'm not using ipv6, I guess I should take it out of the kernel. The other end does not have ipv6 in the kernel.

Then I have two machines on these nets that have routing pointing to these machines. Is that right?

Thanks,
Paul.

Brooks Davis wrote:
>
> On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote:
> > Hi,
> > I'm trying to setup an IPSec tunnel and am having trouble.
> > Both machines are 4.4 RC3 (I think, last week). And when I set it up
> > for a transport between the two machines it works fine, so racoon
> > must be fine.
> >
> > I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> > Here's my config on one end:
> >
> > #!/bin/sh
> > # These commands need to be run on acesfbsd to
> > # connect to lorax, in an IPSEC test
> > #
> > # Setup the tunnel device.
> > gifconfig gif0 10.20.30.4 172.28.56.82
>
> This won't work in 4.4. There's no gif0 device at this point because gif
> devices are now created at runtime. Also, while gifconfig still works,
> it's obsolete. Instead use:
>
> ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
>
> These addresses should be the local machine's address and the remote
> machine's address (is the local machine really a 10.x address?)
>
> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

--
Paul T. Root                    E/Mail: proot@iaces.com
600 Stinson Blvd, Fl 1S         PAG: +1 (877) 693-7155
Minneapolis, MN 55413           WRK: +1 (612) 664-3385
NIC: PTR                        FAX: +1 (612) 664-4779
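The policy text that Paul's `setkey -c` heredoc would carry is missing from the archive, and his closing question is whether the remaining problem is routing. The script below is an added example, not Paul's script or anything from the thread: it generates the tunnel-mode SPD entries for the two gateways in the mail (acesfbsd 10.20.30.4 and lorax 172.28.56.82, with /24 networks behind each, which are this example's assumption), applies the same gif/setkey steps as the thread in a dry-run mode that only prints the commands, and reads a `netstat -rn` table to confirm which interface a remote prefix is routed through. The DRY_RUN switch, the function names and the embedded route table are this example's own constructions.

```shell
#!/bin/sh
# Added example for a FreeBSD 4.x gif(4) + setkey(8) tunnel, not code from the
# mailing-list thread. Gateway and network values are assumed from the mail.

LOCAL_GW=10.20.30.4          # outer address of this gateway (acesfbsd)
REMOTE_GW=172.28.56.82       # outer address of the far gateway (lorax)
LOCAL_NET=10.20.30.0/24      # assumed network behind this gateway
REMOTE_NET=172.28.56.0/24    # assumed network behind the far gateway
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands instead of executing them

# Emit the SPD entries that make the kernel require ESP in tunnel mode between
# the two gateways. Both directions are needed: an "out" policy for traffic
# leaving this gateway and an "in" policy for the reverse flow. The SAs
# themselves (SPIs, keys) are negotiated by racoon, so none are listed here.
spd_policy() {
    local_net=$1 remote_net=$2 local_gw=$3 remote_gw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
}

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Same steps as the thread: clone gif0 at runtime (4.4 has no static gif0),
# set the outer endpoints, flush stale SPD/SAD state, then load the policy.
setup_tunnel() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_GW" "$REMOTE_GW"
    run setkey -FP
    run setkey -F
    if [ "$DRY_RUN" = 1 ]; then
        spd_policy "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
    else
        spd_policy "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW" | setkey -c
    fi
}

# Print the Netif column for a destination prefix, reading "netstat -rn" style
# output on stdin (Destination Gateway Flags Refs Use Netif Expire). An empty
# result means the kernel has no route for that prefix at all.
route_netif() {
    awk -v dst="$1" '$1 == dst { print $6; exit }'
}

# Constructed sample: the relevant rows of the route table quoted in the mail.
ROUTE_TABLE='default 10.20.30.1 UGSc 7 63 fxp0
10.20.30/24 link#1 UC 7 0 fxp0
10.20.30.1 0:c0:95:e0:b3:69 UHLW 7 0 fxp0 1191
127.0.0.1 127.0.0.1 UH 2 40 lo0
172.28.56/24 gif0 USc 0 0 gif0'

# Stand-alone run: show the commands and check the remote prefix leaves via gif0.
setup_tunnel
printf '172.28.56/24 is routed via: %s\n' \
    "$(printf '%s\n' "$ROUTE_TABLE" | route_netif 172.28.56/24)"
```

Run with `DRY_RUN=0` on the gateway to actually apply the commands; the SPD entries reference only the gateway addresses, so a route for the remote prefix pointing at gif0, as in Paul's table, is still required for packets to reach the tunnel and match the policy.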