Date: Fri, 21 Sep 2001 10:16:57 +0100
From: Brian Somers <brian@freebsd-services.com>
To: Sameh Ghane <sw@anthologeek.net>
Cc: net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
Message-ID: <200109210916.f8L9GvR34876@hak.lan.Awfulhak.org>
In-Reply-To: Message from Sameh Ghane <sw@anthologeek.net> of "Fri, 21 Sep 2001 11:05:14 +0200." <20010921110514.G77863@anthologeek.net>
> On Fri, Sep 21, 2001 at 09:47:03AM +0100, Brian Somers wrote:
> >
> > spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> > spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> >
> > This is your setkey input. The ``ip4'' bit tells ipsec to only touch
> > IP-in-IP traffic, so comms going from an internal LAN to an external
> > gateway address (1.2.3.4 or 5.6.7.8) won't be encrypted (but may be
> > NAT'd). Only the gif-encapsulated traffic is encrypted.
>
> Hum, looks great, but the man page for setkey says:
>
> « spdadd src_range dst_range upperspec policy ;
>
> upperspec
> Upper-layer protocol to be used. Currently tcp, udp and any can
> be specified. any stands for ``any protocol''. »
>
> And when I use 'ip4' instead of any/icmp/tcp/udp, it says:
> line #[where ip4]: Syntax error at [i].
>
> (Funny error location, by the way).
>
> Is it a "new feature" of the KAME setkey shipped with 4.4?
Yes, it was added by me specifically to permit NAT & IPSEC to work
together (although the KAME guys have made it better by now allowing
any protocols(5) value).
The patch is very simple, so you may want to patch your system
(kernel support is already there, it's just a one-line userland
change).
> --
> Sameh
Cheers.
--
Brian <brian@freebsd-services.com> <brian@Awfulhak.org>
http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
Index: token.l
===================================================================
RCS file: /home/ncvs/src/usr.sbin/setkey/token.l,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- token.l 4 Jul 2000 16:22:05 -0000 1.3
+++ token.l 17 May 2001 15:30:49 -0000 1.4
@@ -200,6 +200,7 @@
/* upper layer protocols */
icmp { PREPROC; yylval.num = IPPROTO_ICMP; return(UP_PROTO); }
icmp6 { PREPROC; yylval.num = IPPROTO_ICMPV6; return(UP_PROTO); }
+ip4 { PREPROC; yylval.num = IPPROTO_IPV4; return(UP_PROTO); }
tcp { PREPROC; yylval.num = IPPROTO_TCP; return(UP_PROTO); }
udp { PREPROC; yylval.num = IPPROTO_UDP; return(UP_PROTO); }
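Review bot: the new `ip4` keyword is undocumented. setkey(8), as quoted earlier in this thread, still says the upperspec may only be tcp, udp or any, so the manual page needs an `ip4` entry in the same change, stating that it matches protocol 4 (IP-in-IP, i.e. gif-encapsulated traffic) rather than the inner packet's protocol. Since this is a lexer-only change that relies on the kernel already accepting an arbitrary protocol number in the SPD entry, that dependency is worth a sentence in the commit message so a reader does not go looking for a missing kernel half.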
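An added example, mine rather than anything from this thread or from the KAME/FreeBSD sources: a simplified model of the SPD lookup that parses the two spdadd lines from Brian's message and shows why the ip4 upperspec leaves NAT'd LAN-to-gateway traffic alone while catching the gif-encapsulated packets, and how the same policies with any would catch both. The protocol numbers are the IPPROTO_* values the lexer maps to; the packet tuples are constructed for illustration, and real kernel SPD matching has more fields than this.

```python
import ipaddress

# Upper-layer protocol keywords as setkey's token.l maps them (IPPROTO_* values).
UPPERSPEC = {"any": None, "icmp": 1, "ip4": 4, "tcp": 6, "udp": 17}


def parse_spdadd(line):
    """Parse 'spdadd src dst upperspec -P dir ipsec proto/mode/...;' into a policy.
    Only the fields this model needs are kept."""
    tokens = line.strip().rstrip(";").split()
    if tokens[0] != "spdadd" or tokens[4] != "-P" or tokens[6] != "ipsec":
        raise ValueError("not an spdadd line: %r" % line)
    return {
        "src": ipaddress.ip_network(tokens[1]),
        "dst": ipaddress.ip_network(tokens[2]),
        "proto": UPPERSPEC[tokens[3]],   # None means 'any protocol'
        "dir": tokens[5],
        "action": tokens[7],             # e.g. 'esp/transport//require'
    }


def lookup(spd, direction, src, dst, proto):
    """Return the action of the first policy matching the outer header of a
    packet, or 'none' when no policy applies (the packet bypasses IPsec and a
    NAT rule may still rewrite it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p["dir"] != direction or s not in p["src"] or d not in p["dst"]:
            continue
        if p["proto"] is not None and p["proto"] != proto:
            continue
        return p["action"]
    return "none"


# The two policies from the thread, as installed on the 5.6.7.8 gateway.
SETKEY_INPUT = [
    "spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;",
    "spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;",
]
SPD_IP4 = [parse_spdadd(l) for l in SETKEY_INPUT]

# The same policies written with 'any', the only wildcard the old man page allowed.
SPD_ANY = [parse_spdadd(l.replace(" ip4 ", " any ")) for l in SETKEY_INPUT]

# Constructed packets as seen at the gateway: a gif-encapsulated packet (proto 4)
# and a LAN host's TCP session to 1.2.3.4 after NAT rewrote its source to 5.6.7.8.
GIF_OUT = ("out", "5.6.7.8", "1.2.3.4", 4)
NAT_TCP_OUT = ("out", "5.6.7.8", "1.2.3.4", 6)
```

With `SPD_IP4`, `lookup` returns `esp/transport//require` for `GIF_OUT` and `none` for `NAT_TCP_OUT`; with `SPD_ANY` both get `esp/transport//require`, which is the NAT-versus-IPsec clash the `ip4` keyword was added to avoid.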