From owner-freebsd-net@FreeBSD.ORG Mon May 19 06:47:08 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 497E737B401 for ; Mon, 19 May 2003 06:47:08 -0700 (PDT)
Received: from scoubidou.webnext.com (mail.webnext.com [213.161.193.129]) by mx1.FreeBSD.org (Postfix) with SMTP id 7048743FAF for ; Mon, 19 May 2003 06:47:05 -0700 (PDT) (envelope-from souris@nerim.net)
Received: from sexy.mouh.org (213.161.192.227 [213.161.192.227]) by SCOUBIDOU (MailMax 4.2.4.9) with ESMTP id 5429991 for ; Mon, 19 May 2003 15:46:52 +0200 PDT
Date: Mon, 19 May 2003 15:46:51 +0200
From: souris
To: freebsd-net@freebsd.org
Message-Id: <20030519154651.52d77bff.souris@nerim.net>
X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i386-portbld-freebsd4.8)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: About IPsec ...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 19 May 2003 13:47:08 -0000

Hi,

I tried to make IPSEC between 2 computers: FreeBSD 4.8 and NetBSD 1.5.2.
While following the handbook:
http://www.fr.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
I noticed something.

setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:
# setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec ah/transport/10.6.7.8-10.2.3.4/require ;
^D

From A: only "OUT" traffic is set.
From B: 2 "OUT" traffics are set. It seems to be two different protocols ... so it doesn't matter, but still no "IN" traffic is set.

I tried to simulate exactly the same as the handbook, and setkey gave me an error:

root@sexy 14:19 /home/souris$ setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec ah/transport/10.6.7.8-10.2.3.4/require ;
The result of line 4: File exists.

(I've just flushed all the setkey's rules before doing that.)

In the other examples, like IPV6 etc ... there is an OUT and IN traffic set.
It seems that without "IN" traffic set, IPSEC doesn't work ... Traffic goes out but not IN:

14:05:07.973207 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x37d813cc): icmp: echo request
14:05:08.979010 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x99378b78): icmp: echo request

I am obviously not the first one to use this book, but there is a mistake somewhere ...
May somebody help me?

thx

-- 
souris
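The two symptoms in the mail, a second spdadd for the same selector being refused with "File exists" and an SPD that has only outbound policies, are both visible from the policy text alone, before anything is loaded into the kernel. The Python below is an added example, not code from the mail, the handbook or the FreeBSD project: it parses spdadd lines, reports selectors that appear more than once in the same direction and out policies that have no in counterpart, and builds the reverse-direction lines that would complete the SPD (bundling ESP and AH as two requests in one spdadd, as the setkey policy syntax allows). The sample policy text is constructed from the two lines posted for host B; the function names and message wording are my own, and nothing here touches a live SPD.

```python
import re
from collections import Counter

# Constructed sample: the two policies the mail loads on host B, copied from
# the message. No "in" lines are present, so the checks below have something
# to report.
SAMPLE_SPD = """\
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec ah/transport/10.6.7.8-10.2.3.4/require ;
"""

# One spdadd line: src dst upper-protocol -P direction policy ;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+(?P<policy>.+?)\s*;\s*$"
)


def parse_spd(text):
    """Parse spdadd lines into dicts; blank lines, comments and other setkey
    commands (add, flush, spdflush, ...) are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse: {line}")
        entries.append({"line": lineno, **m.groupdict()})
    return entries


def selector(e):
    """What the SPD is keyed on: source, destination, upper protocol, direction."""
    return (e["src"], e["dst"], e["upper"], e["dir"])


def check_spd(entries):
    """Return human-readable findings (empty list means the SPD text is consistent)."""
    findings = []
    counts = Counter(selector(e) for e in entries)
    for (src, dst, upper, d), n in counts.items():
        if n > 1:
            findings.append(
                f"duplicate: {n} spdadd lines share selector '{src} {dst} {upper} -P {d}'; "
                "the SPD keeps one policy per selector, so the later lines are rejected "
                "(setkey reports 'File exists')")
    present = set(counts)
    for src, dst, upper, d in sorted(present):
        rev_dir = "in" if d == "out" else "out"
        if (dst, src, upper, rev_dir) not in present:
            findings.append(
                f"no {rev_dir} policy: '{src} {dst} {upper} -P {d}' has no counterpart "
                f"'{dst} {src} {upper} -P {rev_dir}', so that direction is not covered")
    return findings


def suggest_in_policies(entries):
    """For each out selector lacking an in policy, build the mirrored spdadd line.
    All ipsec requests for that selector are bundled into one policy."""
    present = {selector(e) for e in entries}
    grouped = {}
    for e in entries:
        if e["dir"] == "out":
            grouped.setdefault((e["src"], e["dst"], e["upper"]), []).append(e["policy"])
    lines = []
    for (src, dst, upper), policies in grouped.items():
        if (dst, src, upper, "in") in present:
            continue
        rules = []
        for p in policies:
            action, _, rest = p.partition(" ")
            if action != "ipsec":
                continue  # discard / none policies carry no protocol requests
            # swap the A-B endpoint spec inside each protocol/mode/A-B/level request
            rules.append(re.sub(r"/([^/\s]+)-([^/\s]+)/", r"/\2-\1/", rest))
        if rules:
            lines.append(f"spdadd {dst} {src} {upper} -P in ipsec {' '.join(rules)} ;")
    return lines


if __name__ == "__main__":
    entries = parse_spd(SAMPLE_SPD)
    for f in check_spd(entries):
        print("finding:", f)
    for line in suggest_in_policies(entries):
        print("suggested:", line)
```

Run against the sample it reports the duplicate out selector and the missing in policy, and proposes a single `-P in` line with both ESP and AH requests and the endpoints reversed; fed a file that already carries both directions it returns nothing, which is the state to aim for before loading the policies with setkey -c.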