From owner-freebsd-questions Sun Oct 15 15:11: 9 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from ns1.springwoodsys.com (ns1.springwoodsys.com [12.38.17.16]) by hub.freebsd.org (Postfix) with ESMTP id 7116C37B66D for ; Sun, 15 Oct 2000 15:11:03 -0700 (PDT)
Received: from hq4.hq.springwoodsys.com (springwoodsys.erols.com [208.58.154.69]) by ns1.springwoodsys.com (8.9.3/8.9.3) with ESMTP id SAA20111; Sun, 15 Oct 2000 18:27:02 -0400 (EDT) (envelope-from bill@springwoodsys.com)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <00b301c036d7$c3b288e0$65010180@lojasobino.com.br>
Date: Sun, 15 Oct 2000 18:09:25 -0400 (EDT)
From: "Bill O'Connell"
To: Fabrizzio Batista
Subject: Re: Problems with IPSEC
Cc: freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 15-Oct-00 Fabrizzio Batista wrote:
>
> Thanks for helping me, I'm very lost. Did you get IPSEC to work???
>
> So, see the configuration and setkey output.
>
> * LAN A - Subnet 192.168.1.0/24 -> IP: 200.248.23.134
>
> IPSEC.CONF:
>
> flush;
> spdflush;
> spdadd 192.168.1.0/24 128.1.1.0/24 any -P out ipsec
>     ah/tunnel/200.248.23.134-200.248.23.150/require;
> spdadd 128.1.1.0/24 192.168.1.0/24 any -P in ipsec
>     ah/tunnel/200.248.23.150-200.248.23.134/require;
> add 200.248.23.134 200.248.23.150 ah-old 0xd10003 -m any -A keyed-md5
>     "this is the test";
> add 200.248.23.150 200.248.23.134 ah-old 0xd10004 -m any -A keyed-md5
>     "this is the test";
>
> setkey -D:
>
> 200.248.23.150 200.248.23.134
>         ah mode=any spi=13697028(0x00d10004) reqid=0(0x00000000)
>         A: md5 74686973 20697320 74686520 74657374
>         replay=0 flags=0x00000041 state=mature seq=1 pid=390
>         created: Oct 15 16:26:57 2000   current: Oct 15 16:33:30 2000
>         diff: 393(s)    hard: 0(s)      soft: 0(s)
>         last:           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         refcnt=1
>
> 200.248.23.134 200.248.23.150
>         ah mode=any spi=13697027(0x00d10003) reqid=0(0x00000000)
>         A: md5 74686973 20697320 74686520 74657374
>         replay=0 flags=0x00000041 state=mature seq=0 pid=390
>         created: Oct 15 16:26:57 2000   current: Oct 15 16:33:30 2000
>         diff: 393(s)    hard: 0(s)      soft: 0(s)
>         last:           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         refcnt=1
>
> setkey -DP:
>
> 128.1.1.0/24[any] 192.168.1.0/24[any] any
>         in ipsec
>         ah/tunnel/200.248.23.150-200.248.23.134/require
>         spid=4 seq=1 pid=389
>         refcnt=1
> 192.168.1.0/24[any] 128.1.1.0/24[any] any
>         out ipsec
>         ah/tunnel/200.248.23.134-200.248.23.150/require
>         spid=3 seq=0 pid=389
>         refcnt=1
>
> * LAN B - Subnet 128.1.1.0/24 -> IP: 200.248.23.150
>
> IPSEC.CONF:
>
> flush;
> spdflush;
> spdadd 128.1.1.0/24 192.168.1.0/24 any -P out ipsec
>     ah/tunnel/200.248.23.150-200.248.23.134/require;
> spdadd 192.168.1.0/24 128.1.1.0/24 any -P in ipsec
>     ah/tunnel/200.248.23.134-200.248.23.150/require;
> add 200.248.23.134 200.248.23.150 ah-old 0xd10003 -m any -A keyed-md5
>     "this is the test";
> add 200.248.23.150 200.248.23.134 ah-old 0xd10004 -m any -A keyed-md5
>     "this is the test";
>
> setkey -D:
>
> 200.248.23.150 200.248.23.134
>         ah mode=any spi=13697028(0x00d10004) reqid=0(0x00000000)
>         A: md5 74686973 20697320 74686520 74657374
>         replay=0 flags=0x00000041 state=mature seq=1 pid=1404
>         created: Oct 15 18:21:18 2000   current: Oct 15 18:36:19 2000
>         diff: 901(s)    hard: 0(s)      soft: 0(s)
>         last:           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         refcnt=1
> 200.248.23.134 200.248.23.150
>         ah mode=any spi=13697027(0x00d10003) reqid=0(0x00000000)
>         A: md5 74686973 20697320 74686520 74657374
>         replay=0 flags=0x00000041 state=mature seq=0 pid=1404
>         created: Oct 15 18:21:18 2000   current: Oct 15 18:36:19 2000
>         diff: 901(s)    hard: 0(s)      soft: 0(s)
>         last:           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         refcnt=1
>
> setkey -DP:
>
> 192.168.1.0/24[any] 128.1.1.0/24[any] any
>         in ipsec
>         ah/tunnel/200.248.23.134-200.248.23.150/require
>         spid=5 seq=1 pid=1405
>         refcnt=1
> 128.1.1.0/24[any] 192.168.1.0/24[any] any
>         out ipsec
>         ah/tunnel/200.248.23.150-200.248.23.134/require
>         spid=4 seq=0 pid=1405
>         refcnt=1
>
> Thanks for all !!!
>
>> What do the actual SAD and SPD entries look like, i.e. what does
>> setkey -D and setkey -DP show? Need to see this on the other machine
>> as well.
>>
>> Bill

The SAD and SPD entries look OK. Are you running a firewall and/or NAT on these systems? If so, how are they configured?

Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
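The check Bill did by eye above (do the two gateways' manual SAs and SPD policies actually mirror each other?) can be automated. The script below is an added example, not code from the thread or from the setkey tool; it parses the two setkey.conf files quoted above (sample text constructed from them, with the same test key) and reports any SA or policy that has no matching counterpart on the peer.

```python
import shlex

# Sample configs constructed from the two setkey.conf files quoted above (A and B).
LAN_A = """flush; spdflush;
spdadd 192.168.1.0/24 128.1.1.0/24 any -P out ipsec ah/tunnel/200.248.23.134-200.248.23.150/require;
spdadd 128.1.1.0/24 192.168.1.0/24 any -P in ipsec ah/tunnel/200.248.23.150-200.248.23.134/require;
add 200.248.23.134 200.248.23.150 ah-old 0xd10003 -m any -A keyed-md5 "this is the test";
add 200.248.23.150 200.248.23.134 ah-old 0xd10004 -m any -A keyed-md5 "this is the test";"""
LAN_B = """flush; spdflush;
spdadd 128.1.1.0/24 192.168.1.0/24 any -P out ipsec ah/tunnel/200.248.23.150-200.248.23.134/require;
spdadd 192.168.1.0/24 128.1.1.0/24 any -P in ipsec ah/tunnel/200.248.23.134-200.248.23.150/require;
add 200.248.23.134 200.248.23.150 ah-old 0xd10003 -m any -A keyed-md5 "this is the test";
add 200.248.23.150 200.248.23.134 ah-old 0xd10004 -m any -A keyed-md5 "this is the test";"""

def parse_setkey(conf):
    """Split ';'-terminated setkey statements into SA and SP tuples."""
    sas, sps = set(), set()
    for stmt in conf.split(";"):
        tok = shlex.split(stmt)          # shlex keeps the quoted key as one token
        if not tok:
            continue
        if tok[0] == "add":              # add <src> <dst> <proto> <spi> ... -A <alg> <key>
            src, dst, proto, spi = tok[1:5]
            alg, key = tok[tok.index("-A") + 1:tok.index("-A") + 3]
            sas.add((src, dst, proto, int(spi, 16), alg, key))
        elif tok[0] == "spdadd":         # spdadd <src> <dst> <ul> -P <dir> ipsec <proto>/<mode>/<a>-<b>/<level>
            proto, mode, ends, level = tok[-1].split("/")
            direction = tok[tok.index("-P") + 1]
            sps.add((tok[1], tok[2], direction, proto, mode) + tuple(ends.split("-")))
    return sas, sps

def check_peers(conf_a, conf_b):
    """Return mismatches that would keep manually keyed tunnels from working."""
    sas_a, sps_a = parse_setkey(conf_a)
    sas_b, sps_b = parse_setkey(conf_b)
    problems = []
    for sa in sas_a ^ sas_b:             # manual SAs must be identical on both gateways
        problems.append(f"SA differs between peers: {sa[:4]}")
    for src, dst, d, proto, mode, tsrc, tdst in sps_a:
        mirror = (src, dst, "in" if d == "out" else "out", proto, mode, tsrc, tdst)
        if mirror not in sps_b:          # A's 'out' policy must be B's 'in' policy, and vice versa
            problems.append(f"no mirror policy on peer for {src} -> {dst} ({d})")
        if not any(s[:2] == (tsrc, tdst) and s[2].startswith(proto) for s in sas_a):
            problems.append(f"no {proto} SA for tunnel {tsrc} -> {tdst}")
    return problems

def sad_key_hex(key):
    """Hex form of an ASCII key as 'setkey -D' prints it (without the spaces)."""
    return key.encode().hex()
```

An empty list from `check_peers(LAN_A, LAN_B)` confirms what Bill concluded: both ends agree, so the fault lies elsewhere (for instance a firewall or NAT in the path).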