Date: Thu, 13 Sep 2001 15:32:18 -0500 From: Paul Root <proot@iaces.com> To: Brooks Davis <brooks@one-eyed-alien.net>, security@freebsd.org Subject: Re: IPSEC config Message-ID: <3BA117D2.ECF38713@iaces.com> References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu>
Ok, I'm making progress. This is what I've come up with:
#!/bin/sh
# These commands need to be run on acesfbsd to
# connect to lorax, in an IPSEC test
#
# Set up the tunnel device.
#gifconfig gif0 10.20.30.4 172.28.56.82
ifconfig gif0 destroy
ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
#
# The next 2 lines delete all existing entries
# from the SPD and SAD
setkey -FP
setkey -F
# Add the policy
setkey -c <<EOF
spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec
esp/transport/10.20.30.4-172.28.56.82/require;
spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec
esp/transport/172.28.56.82-10.20.30.4/require;
EOF
And it seems to work for the routing machines, here's some
tcpdump output:
tcpdump: listening on fxp0
15:23:36.388756 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa]
15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa]
15:23:36.744202 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: (hash: len=20)
15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:37.906233 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 2/others R oakley-quick[E]: [|hash]
15:23:37.970725 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1)
15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1)
15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)
15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2)
15:23:50.727104 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x3)
15:23:51.735860 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x3)
15:23:51.737023 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x4)
15:24:14.698044 sunburn.42072 > acesfbsd.33435: udp 12 (DF) [ttl 1]
15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF)
15:24:19.923220 sunburn > acesfbsd: icmp: echo request (DF)
So that's cool. Could it be I'm down to routing?
My route table looks like this:
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            10.20.30.1         UGSc         7       63   fxp0
10.20.30/24        link#1             UC           7        0   fxp0
10.20.30.1         0:c0:95:e0:b3:69   UHLW         7        0   fxp0   1191
10.20.30.3         8:0:20:7e:85:d4    UHLW         1       35   fxp0    796
10.20.30.5         8:0:20:ab:bb:69    UHLW         1       50   fxp0    937
10.20.30.13        0:4:76:2b:4a:92    UHLW         1       12   fxp0   1166
10.20.30.16        0:30:65:b2:87:ae   UHLW         0        0   fxp0    745
10.20.30.50        0:2:b3:30:1f:ad    UHLW         1       36   fxp0    987
10.20.30.255       ff:ff:ff:ff:ff:ff  UHLWb        0       44   fxp0
127.0.0.1          127.0.0.1          UH           2       40    lo0
172.28.56/24       gif0               USc          0        0   gif0
and ifconfig:
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.20.30.4 netmask 0xffffff00 broadcast 10.20.30.255
        inet6 fe80::2a0:c9ff:fe08:1f21%fxp0 prefixlen 64 scopeid 0x1
        ether 00:a0:c9:08:1f:21
        media: Ethernet autoselect (100baseTX)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.20.30.4 --> 172.28.56.82
        inet6 fe80::2a0:c9ff:fe08:1f21%gif0 prefixlen 64 scopeid 0x4
I'm not using ipv6, I guess I should take it out of the kernel. The
other end does not have ipv6 in the kernel.
Then I have two machines on these nets that have routing pointing to
these machines. Is that right?
Thanks,
Paul.
Brooks Davis wrote:
>
> On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote:
> > Hi,
> > I'm trying to set up an IPSec tunnel and am having trouble.
> > Both machines are 4.4 RC3 (I think, last week). And when I set it up
> > for a transport between the two machines it works fine, so racoon
> > must be fine.
> >
> > I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> > Here's my config on one end:
> >
> > #!/bin/sh
> > # These commands need to be run on acesfbsd to
> > # connect to lorax, in an IPSEC test
> > #
> > # Setup the tunnel device.
> > gifconfig gif0 10.20.30.4 172.28.56.82
>
> This won't work in 4.4. There's no gif0 device at this point because gif
> devices are now created at runtime. Also, while gifconfig still works,
> it's obsolete. Instead use:
>
> ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
>
> These addresses should be the local machine's address and the remote
> machine's address (is the local machine really a 10.x address?)
>
> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
>
--
Paul T. Root E/Mail: proot@iaces.com
600 Stinson Blvd, Fl 1S PAG: +1 (877) 693-7155
Minneapolis, MN 55413 WRK: +1 (612) 664-3385
NIC: PTR FAX: +1 (612) 664-4779
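An added example, not part of this thread: a small Python checker that reads tcpdump lines like the ones Paul posted and reports whether IKE phase 1 and phase 2 each saw both an initiator and a responder, which SPI carries each direction, whether ESP sequence numbers only ever increase, and which hosts still reach the gateway in the clear. It assumes tcpdump was run without -n (resolved hostnames, as in the post); the hostnames in the constructed test lines are made up.

```python
import re

# Sample copied from the tcpdump output in the post above (wrapped lines joined).
SAMPLE = """\
15:23:36.388756 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 1 I agg: [|sa]
15:23:36.439595 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 1 R agg: [|sa]
15:23:37.884653 lorax.isakmp > acesfbsd.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
15:23:37.906233 acesfbsd.isakmp > lorax.isakmp: isakmp: phase 2/others R oakley-quick[E]: [|hash]
15:23:42.160046 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x1)
15:23:49.717717 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x1)
15:23:49.718980 lorax > acesfbsd: ESP(spi=0x0343e661,seq=0x2)
15:23:50.725920 acesfbsd > lorax: ESP(spi=0x0d914c06,seq=0x2)
15:24:14.698044 sunburn.42072 > acesfbsd.33435: udp 12 (DF) [ttl 1]
15:24:18.927721 sunburn > acesfbsd: icmp: echo request (DF)
"""

ISAKMP = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: isakmp: phase (\d)\S* ([IR]) ")
ESP = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
CLEAR = re.compile(r"^\S+ (\S+) > (\S+): (?:icmp|udp|tcp)")

def host(name):
    """Strip a trailing .port from a resolved hostname (tcpdump run without -n)."""
    base, _, port = name.rpartition(".")
    return base if port.isdigit() and not base.replace(".", "").isdigit() else name

def analyse(text):
    """Summarise the capture: IKE phases seen from both sides, SPI and sequence
    numbers per ESP direction (a sequence number that goes backwards means a
    replayed packet or an SA that was silently reset), and clear-text peers."""
    phases, esp, clear = set(), {}, set()
    for line in text.splitlines():
        if m := ISAKMP.match(line):
            phases.add((m.group(3), m.group(4)))
        elif m := ESP.match(line):
            d = esp.setdefault((m.group(1), m.group(2)), {"spis": set(), "seqs": []})
            d["spis"].add(int(m.group(3), 16))
            d["seqs"].append(int(m.group(4), 16))
        elif m := CLEAR.match(line):
            clear.add((host(m.group(1)), host(m.group(2))))
    for d in esp.values():
        s = d["seqs"]
        d["monotonic"] = all(a < b for a, b in zip(s, s[1:]))
    return {
        "phase1": {("1", "I"), ("1", "R")} <= phases,
        "phase2": {("2", "I"), ("2", "R")} <= phases,
        "esp": esp,
        "bidirectional": any((b, a) in esp for a, b in esp),  # ESP flows both ways
        "clear": clear,
    }
```

Feed it `tcpdump -i fxp0` output from the gateway; if "bidirectional" is false or "clear" lists the LAN hosts you expected to be protected, the problem is selectors or routing rather than IKE.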
