From: Tim Erlin
Date: Thu, 8 Nov 2001 17:28:51 -0800 (PST)
Subject: Re: IPsec w/ Sonicwall
To: Will Froning, freebsd-questions@freebsd.org
Message-ID: <20011109012851.22363.qmail@web11701.mail.yahoo.com>
In-Reply-To: <20011108152140.F24612-100000@angui.sh>

I've actually just set this up with isakmpd.

How are you validating whether or not the key negotiation works? If you're running tcpdump (or something else), I found that IPSec (or isakmpd?) consistently failed if the interface I was using was set to promiscuous by tcpdump. Running tcpdump -p allowed me to watch the key negotiation without affecting it negatively.

--Tim

--- Will Froning wrote:
> OS: FreeBSD4.3 and SonicWall VPN
>
> I've been trying to set up FreeBSD IPsec to work with SonicWall, but I keep
> running into issues.
>
> I've tried it with manual keys and also with IKE (racoon). Neither works.
> When I set up the account on the SonicWall for manual keys DES HMAC_MD5,
> for DES it's a 16 digit key and HMAC_MD5 it's a 32 digit key.
>
> When I looked in the FBSD handbook for IPsec, it also claimed DES to be
> 16, but Setkey still complains. If there is some obvious thing I'm doing
> wrong, please inform me. If there is not enough info, please ask. I need
> to have this set up for my office guys.
>
> If you need output from my Racoon sessions, just ask.
>
> Please cc me on the reply as I'm not on the list.
>
> Thanks,
> Will
>
> When I try to configure setkey I get this:
>
> ipsec.sh:
> #!/bin/sh
> gifconfig gif0 XXX.XXX.XXX.158 XXX.XXX.XXX.131
> ifconfig gif0 inet XXX.XXX.XXX.158 192.168.1.0 netmask 255.255.0.0
> setkey -FP
> setkey -F
> setkey -vc << EOF
> spdadd XXX.XXX.XXX.158/32 192.168.1.0/16 any -P out ipsec
> esp/tunnel/XXX.XXX.XXX.158-XXX.XXX.XXX.131/require;
> spdadd 192.168.1.0/16 XXX.XXX.XXX.158/32 any -P in ipsec
> esp/tunnel/XXX.XXX.XXX.131-XXX.XXX.XXX.158/require;
> add XXX.XXX.XXX.158 XXX.XXX.XXX.131 esp 822577
> -m tunnel
> -E des-cbc "WWWWWWWWIIILLLLL"
> -A hmac-md5
> "SECRETKEYSECRETKEYSECRETKEYSECRE" ;
> add XXX.XXX.XXX.131 XXX.XXX.XXX.158 esp 577822
> -m tunnel
> -E des-cbc "WWWWWWWWIIILLLLL"
> -A hmac-md5
> "SECRETKEYSECRETKEYSECRETKEYSECRE" ;
>
> wfroning# ./ipsec.sh
> line 5: Invalid key length at [WWWWWWWWIIILLLLL]
> parse failed, line 5.
>
> --
> Will Froning
> Unix Sys. Admin.
> wfroning@angui.sh
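
The "Invalid key length" error quoted above follows from how setkey(8) reads key material: a double-quoted string counts 8 bits per character, a 0x-prefixed value counts 4 bits per hex digit, and des-cbc takes a 64-bit key while hmac-md5 takes 128 bits. The sketch below is an added example, not part of either message; the function names are hypothetical, the hex keys are constructed, and it assumes the 16- and 32-digit keys mentioned for the SonicWall are hexadecimal digits.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check key material before it
# goes into a setkey(8) "add" statement.

# Key size in bits that setkey expects for the two algorithms in the post.
required_bits() {
    case "$1" in
        des-cbc)  echo 64 ;;
        hmac-md5) echo 128 ;;
        *)        return 1 ;;
    esac
}

# Size in bits of a key as setkey reads it: 0x... is hex (4 bits per
# digit); anything else is a quoted string (8 bits per character).
key_bits() {
    case "$1" in
        0x*)
            hex=${1#0x}
            case "$hex" in
                ''|*[!0-9a-fA-F]*) return 1 ;;
            esac
            echo $(( ${#hex} * 4 ))
            ;;
        *)
            echo $(( ${#1} * 8 ))
            ;;
    esac
}

# check_key ALGO KEY: print a verdict; return 0 only if the size matches.
check_key() {
    want=$(required_bits "$1") || { echo "unknown algorithm: $1"; return 2; }
    have=$(key_bits "$2") || { echo "malformed hex key: $2"; return 2; }
    if [ "$have" -eq "$want" ]; then
        echo "ok: $1 key is $have bits"
    else
        echo "invalid: $1 needs $want bits, key is $have bits"
        return 1
    fi
}

# The placeholder string from the post, then a constructed 16-digit hex key.
check_key des-cbc "WWWWWWWWIIILLLLL"  || true
check_key des-cbc 0x0123456789abcdef  || true
```

Read this way, the 16-character quoted DES key is 128 bits and the 32-character quoted HMAC-MD5 key is 256 bits, twice what each algorithm accepts.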