Date: Thu, 13 Sep 2001 15:32:18 -0500
From: Paul Root <proot@iaces.com>
To: Brooks Davis <brooks@one-eyed-alien.net>, security@freebsd.org
Subject: Re: IPSEC config
Message-ID: <3BA117D2.ECF38713@iaces.com>
References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu>
Ok, I'm making progress. This is what I've come up with:

#!/bin/sh
# These commands need to be run on acesfbsd to
# connect to lorax, in an IPSEC test
#
# Setup the tunnel device (gifconfig is obsolete in 4.4,
# so the interface is recreated with ifconfig instead).
#gifconfig gif0 10.20.30.4 172.28.56.82
ifconfig gif0 destroy
ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
#
# The next 2 lines delete all existing entries
# from the SPD and SAD
setkey -FP
setkey -F
# Add the policy: traffic between the two subnets must be
# carried as ESP (transport mode) between the two tunnel endpoints.
setkey -c <<EOF
spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec esp/transport/10.20.30.4-172.28.56.82/require;
spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec esp/transport/172.28.56.82-10.20.30.4/require;
EOF

And it seems to work for the routing machines, here's some tcpdump output:

tcpdump: listening on fxp0
15:23:36.388756 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa]
15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa]
15:23:36.744202 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: (hash: len=20)
15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:37.906233 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 2/others R oakley-quick[E]: [|hash]
15:23:37.970725 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1)
15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1)
15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)
15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2)
15:23:50.727104 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x3)
15:23:51.735860 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x3)
15:23:51.737023 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x4)
15:24:14.698044 sunburn.42072 > acesfbsd.33435: udp 12 (DF) [ttl 1]
15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF)
15:24:19.923220 sunburn > acesfbsd: icmp: echo request (DF)

So that's cool. Could it be I'm down to routing?

My route table looks like this:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            10.20.30.1         UGSc         7      63   fxp0
10.20.30/24        link#1             UC           7       0   fxp0
10.20.30.1         0:c0:95:e0:b3:69   UHLW         7       0   fxp0   1191
10.20.30.3         8:0:20:7e:85:d4    UHLW         1      35   fxp0    796
10.20.30.5         8:0:20:ab:bb:69    UHLW         1      50   fxp0    937
10.20.30.13        0:4:76:2b:4a:92    UHLW         1      12   fxp0   1166
10.20.30.16        0:30:65:b2:87:ae   UHLW         0       0   fxp0    745
10.20.30.50        0:2:b3:30:1f:ad    UHLW         1      36   fxp0    987
10.20.30.255       ff:ff:ff:ff:ff:ff  UHLWb        0      44   fxp0
127.0.0.1          127.0.0.1          UH           2      40    lo0
172.28.56/24       gif0               USc          0       0   gif0

and ifconfig:

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.20.30.4 netmask 0xffffff00 broadcast 10.20.30.255
        inet6 fe80::2a0:c9ff:fe08:1f21%fxp0 prefixlen 64 scopeid 0x1
        ether 00:a0:c9:08:1f:21
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.20.30.4 --> 172.28.56.82
        inet6 fe80::2a0:c9ff:fe08:1f21%gif0 prefixlen 64 scopeid 0x4

I'm not using ipv6, I guess I should take it out of the kernel. The other
end does not have ipv6 in the kernel.

Then I have two machines on these nets that have routing pointing to
these machines. Is that right?

Thanks,
Paul.

Brooks Davis wrote:
> 
> On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote:
> > Hi,
> >     I'm trying to set up an IPSec tunnel and am having trouble.
> > Both machines are 4.4 RC3 (I think, last week). And when I set it up
> > for a transport between the two machines it works fine, so racoon
> > must be fine.
> > 
> > I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> > Here's my config on one end:
> > 
> > #!/bin/sh
> > # These commands need to be run on acesfbsd to
> > # connect to lorax, in an IPSEC test
> > #
> > # Setup the tunnel device.
> > gifconfig gif0 10.20.30.4 172.28.56.82
> 
> This won't work in 4.4. There's no gif0 device at this point because gif
> devices are now created at runtime. Also, while gifconfig still works,
> it's obsolete. Instead use:
> 
> ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
> 
> These addresses should be the local machine's address and the remote
> machine's address (is the local machine really a 10.x address?)
> 
> -- Brooks
> 
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

-- 
Paul T. Root                        E/Mail: proot@iaces.com
600 Stinson Blvd, Fl 1S             PAG: +1 (877) 693-7155
Minneapolis, MN 55413               WRK: +1 (612) 664-3385
NIC: PTR                            FAX: +1 (612) 664-4779
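The tcpdump capture in the message above is the natural place to verify that the SPD actually took effect: after the ISAKMP exchanges, traffic between the two gateways should only appear as ESP, and nothing matching the spdadd selectors should cross fxp0 in the clear. The following is an added example, not code from the thread or from FreeBSD's setkey/racoon, that audits tcpdump lines in the name-resolved format shown above (tcpdump run without -n, single-label hostnames, which is an assumption about the capture). The acesfbsd and lorax addresses and the two selectors are taken from the message; the hosts sunburn and farbox, their addresses, and the last three capture lines (a repeated ESP sequence number and a plaintext packet between the protected networks) are constructed for the example.

```python
"""Audit tcpdump output from an IPsec gateway against its SPD selectors.

Reports whether IKE phase 1 and phase 2 were seen, ESP packets per SPI
and direction, ESP sequence numbers that repeat or go backwards (which an
anti-replay window would reject), and any packet between the two protected
networks that crossed the wire without ESP.
"""
import ipaddress
import re
from collections import defaultdict

# Name-to-address map for the resolved names. acesfbsd and lorax are the
# addresses from the thread; sunburn and farbox are assumed for the example.
HOSTS = {
    "acesfbsd": "10.20.30.4",
    "lorax": "172.28.56.82",
    "sunburn": "10.20.30.3",
    "farbox": "172.28.57.10",
}

# The selectors of the two spdadd lines in the message.
PROTECTED = (ipaddress.ip_network("10.20.30.0/24"),
             ipaddress.ip_network("172.28.56.0/23"))

# The two tunnel endpoints that should be exchanging ESP.
GATEWAYS = ("acesfbsd", "lorax")

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")

# Constructed capture: the first seven lines follow the thread's output, the
# last three are made up (a replayed sequence number and a plaintext leak).
SAMPLE = [
    "15:23:36.388756 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa]",
    "15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa]",
    "15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]",
    "15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1)",
    "15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1)",
    "15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)",
    "15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2)",
    "15:23:50.727104 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)",  # constructed: seq repeats
    "15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF)",     # same subnet, not covered by SPD
    "15:24:20.000000 sunburn > farbox: icmp: echo request (DF)",       # constructed: plaintext between protected nets
]


def split_endpoint(token):
    """'lorax.isakmp' -> ('lorax', 'isakmp'); 'lorax' -> ('lorax', None)."""
    host, sep, port = token.partition(".")
    return host, (port if sep else None)


def between_protected(a, b):
    """True if addresses a and b lie on opposite sides of the SPD selectors."""
    n1, n2 = PROTECTED
    return (a in n1 and b in n2) or (a in n2 and b in n1)


def audit(lines):
    report = {"ike_phase1": False, "ike_phase2": False,
              "esp": {}, "replay": [], "plaintext": []}
    seen_seq = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src_tok, dst_tok, rest = m.groups()
        src, _ = split_endpoint(src_tok)
        dst, _ = split_endpoint(dst_tok)
        if rest.startswith("isakmp:"):
            if "phase 1" in rest:
                report["ike_phase1"] = True
            if "phase 2" in rest:
                report["ike_phase2"] = True
            continue
        esp = ESP_RE.search(rest)
        if esp:
            spi, seq = esp.group(1).lower(), int(esp.group(2), 16)
            entry = report["esp"].setdefault(spi, {"src": src, "dst": dst, "packets": 0})
            entry["packets"] += 1
            prev = seen_seq[spi]
            # ESP sequence numbers must strictly increase within one SA.
            if prev and seq <= prev[-1]:
                report["replay"].append((ts, spi, seq))
            prev.append(seq)
            continue
        # Anything else is plaintext; flag it if the SPD says it must be ESP.
        if src in HOSTS and dst in HOSTS and between_protected(
                ipaddress.ip_address(HOSTS[src]), ipaddress.ip_address(HOSTS[dst])):
            report["plaintext"].append((ts, src, dst, rest))
    return report


def tunnel_ok(report, gateways=GATEWAYS):
    """True only if IKE completed, ESP flows both ways, and nothing is wrong."""
    dirs = {(e["src"], e["dst"]) for e in report["esp"].values()}
    a, b = gateways
    return (report["ike_phase1"] and report["ike_phase2"]
            and (a, b) in dirs and (b, a) in dirs
            and not report["replay"] and not report["plaintext"])


if __name__ == "__main__":
    r = audit(SAMPLE)
    for spi, e in r["esp"].items():
        print(f"SPI {spi}: {e['src']} -> {e['dst']}, {e['packets']} packets")
    print("replay:", r["replay"])
    print("plaintext:", r["plaintext"])
    print("tunnel ok:", tunnel_ok(r))
```

One thing worth keeping in mind when reading the route table in the message: the route sends 172.28.56/24 into gif0, while the policy selectors cover 172.28.56.0/23, so a host in 172.28.57.0/24 would be routed out the default gateway rather than the tunnel. The constructed farbox line is exactly that kind of packet, and it shows up in the plaintext list rather than being silently dropped or encrypted.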