Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 16 Nov 2001 04:54:07 -0700
From:      "Erik Norvelle" <norvelle@Ag.arizona.edu>
To:        "Lars Eggert" <larse@ISI.EDU>
Cc:        <freebsd-net@FreeBSD.ORG>
Subject:   RE: 4.4-CURRENT problems getting IPSec to function
Message-ID:  <JOENJHIIFAGEJMMJCHKFEEEBCDAA.norvelle@ag.arizona.edu>
In-Reply-To: <3BE84F94.1060304@isi.edu>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
Lars (and anyone else who can help):

I have attempted to follow your advice, by configuring my machines to use
IPSEC tunnel mode only.  However, I still can't get ping packets to go
between the two internal networks.  My /etc/ipsec.conf files on both
machines are as follows:

--- Begin included file ---
flush;
spdflush;

# Note that the add rules are the same as on Node B!
spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec
esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
--- End included file ---

For the test situation, I have set up my ipfilter to allow everything to
pass, both in and out, on both the internal and external interfaces.
Also, I have turned off IPNAT completely.

I *have* been able to get transport mode working between the two external
interfaces.  Racoon successfully exchanged keys, and a perusal of
netstat -sn output showed that IPSEC packets were in fact being passed.
However, tunnel mode between the two internal networks does not produce
any IPSEC packets or key exchange traffic at all.

Thanks for your help.

-Erik

--------------------------------------------
Erik Norvelle
Support Systems Analyst, Sr.
Distributed Learning Laboratory
Educational Communications and Technologies
College of Agriculture and Life Sciences
The University of Arizona

Phone: 520-621-7663
Fax: 520-626-8688
email: norvelle@ag.arizona.edu
Address: 224 Forbes Bldg., Tucson, AZ 85721
--------------------------------------------
Credo in Unum Deum
--------------------------------------------

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG
[mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Lars Eggert
Sent: Tuesday, November 06, 2001 2:01 PM
To: Erik Norvelle
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: 4.4-CURRENT problems getting IPSec to function


Erik Norvelle wrote:

> My setup is as follows:
>
> Network #1 (192.168.1.0/24)
>             |
>             |
> Gateway #1 (inner interface [xl0] = 192.168.1.1)
>            (outer interface [fxp0] = xxx.yyy.40.122)
>             |
>             |
>         (internet)
>             |
>             |
> Gateway #2 (outer interface [fxp0] = xxx.yyy.40.135)
>            (inner interface [xl0] = 10.20.0.1)
>             |
>             |
> Network #2 (10.20.0.0/24)
>
> The result of my setup is that I get the gif0 interface created and
> configured properly (in tunnel mode, using ESP), and I setup my policy
> database using setkey.


You want to use *either* IPIP tunnels (i.e. gif interfaces) and IPsec
transport mode *or* IPsec tunnel mode. Don't mix them. I'd recommend
using the former.

If you use IPIP + IPsec transport, you will need to set up routes so
that traffic for the remote network is routed into the tunnel. If you
use IPsec tunnel mode, the SAs will do the encapsulation for you.

Also see http://www.isi.edu/~touch/pubs/draft-touch-ipsec-vpn-01.txt
(expired, -02 is in preparation for the next IETF).


> netstat -sn reveals that there is some UDP key exchange traffic going on
> (at least, once I start racoon).  However, there is *no* ESP traffic --
> all the counters are zero.


If you use racoon, you should read the KAME IMPLEMENTATION file on how
to use IKE with IPIP tunnels and IPsec.


> * Installed and setup IPFILTER and IPNAT.  These are working great on
> their own, however there may be conflicts with IPSec that are caused by
> how I have filtering/NAT setup.  IPFILTER is set up to allow ISAKMP
> traffic,


I'd recommend doing this step by step. The first step would be to get
IPsec working between your gateways. Once that works, I'd go on and set up
NAT. Doing both at the same time means you have many variables in your
setup.


Lars
--
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message


[-- Attachment #2 --]
0	*H
010	+0	*H
00Ȋ0
	*H
010	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.300
011003230832Z
021003230832Z0I10UThawte Freemail Member1&0$	*H
	norvelle@ag.arizona.edu00
	*H
0*3GlJ.DnGBR3M"k?Mjk-Q*w:_tisêGM%:i~CZM8ksBKAUx|
q
;Dǟ4020"U0norvelle@ag.arizona.edu0U00
	*H
"=7*Mu>Wh]ׄ03PdbĦ'F=έՍu<|X[3%
~ܤmQJieþ(M|oP9j	Ѕ)ˈ,fY}ۖ9[080fErtcvE.0
	*H
010	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*H
	personal-freemail@thawte.com0
000830000000Z
040827235959Z010	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.3000
	*H
032c	%E>nx'gڈD)c5*mp<ܮto034qmOe
KaU5u'rװ|CBPQ<9TIf-	kiN0L0)U"0 010UPrivateLabel1-2970U00U0
	*H
1KG]qSl]y=&b""I'{9$
*8PUl
LGlX1B	li+@]jy.%݊
Z<D&iHΥbb100010	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.30Ȋ0	+0	*H
	1	*H
0	*H
	1
011116115406Z0#	*H
	1Q1XZt=
Rʽ0v	*H
	1i0g0
*H
0*H
0+0+0
*H
(0+0+0
*H
0
*H
0	+710010	UZA10UWestern Cape10U	Cape Town10
U
Thawte10UCertificate Services1(0&UPersonal Freemail RSA 2000.8.30Ȋ0
	*H
%:	ROzrz_8LbMגWz0ܚhndϬL#:zj6w]XJ2C*s&]ۙ&CT¾%rYl`^S[i|lh⥦

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?JOENJHIIFAGEJMMJCHKFEEEBCDAA.norvelle>