Date:      Mon, 19 Jun 2000 00:48:02 -0400
From:      Spike Gronim <william@brainlink.com>
To:        freebsd-security@freebsd.org
Subject:   Ipsec misconfiguration problem
Message-ID:  <20000619004802.A1461@spike.brainlink.com>



Hey. 

	I'm trying to set up a simple ipsec connection between two
computers on my LAN (192.168.0.1 and 192.168.0.200). I'm going for ipsec
esp in transport mode with authentication.

I tried a lot of things, and then copied the NetBSD documentation setup
(http://www.netbsd.org/Documentation/network/ipsec/#sample_esp):
(long lines wrapped)
[ipsec.conf]
add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out\
ipsec esp/transport//use ah/transport//use;
[ipsec.conf]

	'setkey -D' and 'setkey -D -P' on 192.168.0.1 are attached. The
ipsec.conf file for setkey on 192.168.0.200 is the same as that on
192.168.0.1, with the IPs swapped. 

	The ipsec code sees my keys, my security associations, and my
security policies. Yet, when I 'ping 192.168.0.200', tcpdump shows me
straight ICMP instead of ESP, and neither side's sequences or byte
counters increment. I'm not sure what I'm doing wrong. Thanks. 


	--Spike Gronim
	  gronimw@stuy.edu

	"Oh yes?  An obscene triangle which, has more courage than the word."


[attachment: setkey-d]

192.168.0.200 192.168.0.1 
	ah mode=any spi=10001(0x00002711) replay=4 flags=0x00000000
	A: hmac-md5  6d6f6761 6d6f6761 6d6f6761 6d6f6761
	state=mature seq=3 pid=1491
	created: Jun 19 00:38:23 2000	current: Jun 19 00:47:30 2000
	diff: 547(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1
192.168.0.1 192.168.0.200 
	ah mode=any spi=9877(0x00002695) replay=4 flags=0x00000000
	A: hmac-md5  686f6765 686f6765 686f6765 686f6765
	state=mature seq=2 pid=1491
	created: Jun 19 00:38:23 2000	current: Jun 19 00:47:30 2000
	diff: 547(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1
192.168.0.200 192.168.0.1 
	esp mode=any spi=10000(0x00002710) replay=4 flags=0x00000000
	E: des-cbc  6d6f6761 6d6f6761
	state=mature seq=1 pid=1491
	created: Jun 19 00:38:23 2000	current: Jun 19 00:47:30 2000
	diff: 547(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1
192.168.0.1 192.168.0.200 
	esp mode=any spi=9876(0x00002694) replay=4 flags=0x00000000
	E: des-cbc  686f6765 686f6765
	state=mature seq=0 pid=1491
	created: Jun 19 00:38:23 2000	current: Jun 19 00:47:30 2000
	diff: 547(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1

[attachment: setkey-d-p]

192.168.0.1[any] 192.168.0.200[any] any
	out ipsec
	esp/transport//use
	ah/transport//use
	seq=0 pid=1492
	refcnt=1

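A defender-side consistency check of the state the mail shows, as an added example (not from the original post, nor from KAME or FreeBSD): it parses the two setkey(8) listings attached above and, for each SPD rule, reports whether a matching SA exists, whether that SA has carried any bytes (the counters the poster sees stuck at zero), and whether the policy level is "use", which lets traffic leave in cleartext when no SA matches. The regexes cover only the fields visible in the attachments, and the sample text is trimmed from them.

```python
import re
# Sample input constructed from the attachments above (trimmed to the parsed lines).
SAD_TEXT = """\
192.168.0.1 192.168.0.200
\tah mode=any spi=9877(0x00002695) replay=4 flags=0x00000000
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
192.168.0.1 192.168.0.200
\tesp mode=any spi=9876(0x00002694) replay=4 flags=0x00000000
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""
SPD_TEXT = """\
192.168.0.1[any] 192.168.0.200[any] any
\tout ipsec
\tesp/transport//use
\tah/transport//use
"""

def parse_sad(text):
    """Parse 'setkey -D' output into dicts: src, dst, proto, mode, spi, bytes."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():           # unindented line opens a new SA
            sas.append(cur := dict(zip(("src", "dst"), line.split())))
        elif m := re.match(r"\s+(esp|ah) mode=(\w+) spi=(\d+)", line):
            cur.update(proto=m[1], mode=m[2], spi=int(m[3]))
        elif m := re.match(r"\s+current: (\d+)\(bytes\)", line):  # byte lifetime, not 'created:'
            cur["bytes"] = int(m[1])
    return sas

def parse_spd(text):
    """Parse 'setkey -D -P' output into dicts: src, dst, rules=[(proto, mode, level)]."""
    pols, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"(\S+)\[\S*\] (\S+)\[\S*\] \S+$", line):
            pols.append(cur := {"src": m[1], "dst": m[2], "rules": []})
        elif m := re.match(r"\s+(esp|ah|ipcomp)/(transport|tunnel)/[^/]*/(\w+)", line):
            cur["rules"].append((m[1], m[2], m[3]))
    return pols

def audit(sas, pols):
    """Per SPD rule: is a matching SA present, has it carried bytes, does the level fail open?"""
    out = []
    for p in pols:
        for proto, mode, level in p["rules"]:
            hit = [s for s in sas if s.get("proto") == proto and s["src"] == p["src"]
                   and s["dst"] == p["dst"] and s.get("mode") in ("any", mode)]
            out.append({"policy": f"{p['src']}->{p['dst']} {proto}/{mode}/{level}",
                        "sa_present": bool(hit),
                        "idle": all(s.get("bytes", 0) == 0 for s in hit),  # nothing protected yet
                        "fails_open": level == "use"})  # 'use' sends cleartext when no SA matches
    return out
```

Run against live output (`setkey -D` and `setkey -D -P` captured to files) before and after sending traffic: an SA that stays idle while its policy is present points at the policy not being applied rather than at a key or SPI mismatch.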

