From owner-freebsd-net@FreeBSD.ORG Fri Apr 2 15:19:43 2004
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA8D016A4CE for ; Fri, 2 Apr 2004 15:19:43 -0800 (PST)
Received: from web60810.mail.yahoo.com (web60810.mail.yahoo.com [216.155.196.73]) by mx1.FreeBSD.org (Postfix) with SMTP id 3C3B943D39 for ; Fri, 2 Apr 2004 15:19:43 -0800 (PST) (envelope-from richard_bejtlich@yahoo.com)
Message-ID: <20040402231942.30375.qmail@web60810.mail.yahoo.com>
Received: from [208.235.153.34] by web60810.mail.yahoo.com via HTTP; Fri, 02 Apr 2004 15:19:42 PST
Date: Fri, 2 Apr 2004 15:19:42 -0800 (PST)
From: Richard Bejtlich
To: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: IPSec troubles
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Apr 2004 23:19:43 -0000

Hello,

This thread has been very helpful. I'm using FreeBSD 5.2.1 REL with kernels recompiled to support IPSEC.
I've found the "trick" to exclude port 500 UDP packets allows ISAKMP traffic to be exchanged, e.g.:

  spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
  spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;

Unfortunately, I cannot follow this ipsec.conf entry with something like this for 'any' protocol:

  spdadd 192.168.20.1 192.168.21.1 any -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
  spdadd 192.168.21.1 192.168.20.1 any -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

If I try to ping 192.168.20.1 from 192.168.21.1, I get this error on 192.168.20.1 from racoon:

  2004-04-02 18:10:43: ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 192.168.20.1/32[0] 192.168.21.1/32[0] proto=any dir=out
  2004-04-02 18:10:43: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
  2004-04-02 18:10:43: ERROR: isakmp.c:1061:isakmp_ph2begin_r(): failed to pre-process packet.

No traffic is exchanged.

I've found that replacing the 'any' entry in the ipsec.conf with new entries for 'icmp' and 'tcp' allows those protocols to be protected by IPSec, e.g. for tcp:

  spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
  spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

Unfortunately, I can't add an entry for 'udp' as that appears to conflict with the udp entry for port 500. I tried 'ip' in place of 'any', but that didn't seem to encrypt any traffic at all.

Is my only alternative to upgrade from 5.2.1 to CURRENT if I want everything to be protected by IPSec (besides ISAKMP)?

Thank you,

Richard
http://www.taosecurity.com
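The following is an added example, not code from the mail above or from FreeBSD/KAME/racoon. It parses spdadd lines of the form quoted in the message and reports every pair of same-direction entries whose selectors intersect, saying which one a first-match SPD lookup would hit. Two assumptions are built in and labelled in the code: that the kernel walks the SPD in load order and uses the first matching entry (so a narrow 'udp[500] ... none' bypass must be loaded before a broad rule that also covers it), and that only the protocol keyword 'any' is a wildcard. It says nothing about racoon's proposal matching, which is where the quoted get_proposal_r() errors come from; it only catches the load-order mistake of putting the broad policy before the bypass.

```python
"""Lint a block of setkey(8) 'spdadd' lines for overlapping selectors.

Added example (not code from the original mail, FreeBSD or KAME).  Grammar
handled is the one quoted in the message:

    spdadd SRC[PORT] DST[PORT] PROTO -P DIR POLICY;

Assumptions (labelled):
  * the SPD is searched in load order and the first matching entry wins, so a
    narrow bypass must precede any broad rule that covers it;
  * only the protocol keyword 'any' is a wildcard; a missing port means any port.
"""
import ipaddress
import re

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>[^\s\[]+)(?:\[(?P<sport>\d+)\])?"
    r"\s+(?P<dst>[^\s\[]+)(?:\[(?P<dport>\d+)\])?"
    r"\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+(?P<policy>[^;]+);"
)


def parse_spdadd(text):
    """Return one dict per spdadd statement, in the order they appear."""
    entries = []
    for m in SPDADD_RE.finditer(text):
        entries.append({
            "src": ipaddress.ip_network(m["src"], strict=False),
            "sport": int(m["sport"]) if m["sport"] else None,  # None = any port
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "dport": int(m["dport"]) if m["dport"] else None,
            "proto": m["proto"],                                # "any" = wildcard
            "dir": m["dir"],
            "policy": m["policy"].strip(),
            "text": m.group(0),
        })
    return entries


def _net_covers(a, b):
    """True if network a contains all of network b (equal networks count)."""
    return (a.version == b.version
            and a.network_address <= b.network_address
            and a.broadcast_address >= b.broadcast_address)


def _port_covers(a, b):
    return a is None or a == b


def _proto_covers(a, b):
    return a == "any" or a == b


def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (broad["dir"] == narrow["dir"]
            and _net_covers(broad["src"], narrow["src"])
            and _net_covers(broad["dst"], narrow["dst"])
            and _port_covers(broad["sport"], narrow["sport"])
            and _port_covers(broad["dport"], narrow["dport"])
            and _proto_covers(broad["proto"], narrow["proto"]))


def overlaps(a, b):
    """True if some packet could match both entries."""
    def ports_meet(p, q):
        return p is None or q is None or p == q
    return (a["dir"] == b["dir"]
            and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])
            and ports_meet(a["sport"], b["sport"])
            and ports_meet(a["dport"], b["dport"])
            and (a["proto"] == "any" or b["proto"] == "any"
                 or a["proto"] == b["proto"]))


def check_order(entries):
    """Compare each earlier entry with every later one in the same direction.

    Returns (earlier_index, later_index, verdict) where verdict is
      "ok"       the narrower entry comes first, so first-match reaches it
      "shadowed" the later entry is fully covered by an earlier one; never matches
      "partial"  selectors intersect but neither contains the other
    """
    findings = []
    for i, a in enumerate(entries):
        for j in range(i + 1, len(entries)):
            b = entries[j]
            if not overlaps(a, b):
                continue
            if covers(a, b):
                verdict = "shadowed"
            elif covers(b, a):
                verdict = "ok"
            else:
                verdict = "partial"
            findings.append((i, j, verdict))
    return findings


def lint(text):
    """Parse and check; returns (verdict, earlier line, later line) triples."""
    entries = parse_spdadd(text)
    return [(v, entries[i]["text"], entries[j]["text"])
            for i, j, v in check_order(entries)]


# Constructed sample: the ISAKMP bypass and the 'any' policy quoted in the mail.
SAMPLE = """
spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;
spdadd 192.168.20.1 192.168.21.1 any -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 any -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;
"""

if __name__ == "__main__":
    for verdict, first, second in lint(SAMPLE):
        print(f"{verdict:9s} {first}\n          {second}")
```

Run against the sample, both directions report "ok": the port-500 bypass is loaded ahead of the 'any' policy that covers it. Swap the two lines and the bypass comes back as "shadowed", which under the first-match assumption means IKE packets would be handed to the require policy instead of passing in the clear.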