From owner-freebsd-security Sat Mar 10 22:49:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shorty.ahpcns.com (joemoore-host.dsl.visi.com [209.98.246.61]) by hub.freebsd.org (Postfix) with ESMTP id A0D5737B719 for ; Sat, 10 Mar 2001 22:49:47 -0800 (PST) (envelope-from jomor@ahpcns.com)
Received: from ahpcns.com (localhost [127.0.0.1]) by shorty.ahpcns.com (Postfix) with ESMTP id 752FC3A4C7 for ; Sun, 11 Mar 2001 00:49:45 -0600 (CST)
Message-ID: <3AAB2008.E35A125D@ahpcns.com>
Date: Sun, 11 Mar 2001 00:49:45 -0600
From: jomor
Organization: ahpcns
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 3.5-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: IPSEC tunnel & setkey, How do I tell if setkey worked?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm finally trying to get a VPN set up between home (DSL) and work (T-1). I've been running FreeBSD on my home firewall for a few years and now I want it to be an IPSEC tunnel endpoint. The other end will be another FreeBSD box first, and maybe eventually a Watchguard firebox2 firewall "appliance". I'm testing off-line for now.

I haven't been able to find any info on integrating my ipfw rules with the tunnel so I've got test boxes set up in an "open" firewall config. I figure I'll get the tunnel up first and then break it while I try different ipfw rules. My kernels have the IPSEC and IPSEC_ESP options included.
I have the following "/etc/ipsec.conf" files:

Host 1

    add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
    add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
    spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
    spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;

Host 2

    add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
    add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
    spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
    spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;

Both are running with gateway enabled, firewall "OPEN" and natd running. The 192.168.98.x addresses are what would normally be their public interfaces.

"setkey -f /etc/ipsec.conf" runs without generating any errors, and "setkey -D" and "setkey -D -P" display my entries OK, but I was expecting "netstat -nr" to show routes for the tunnel, or "ifconfig -a" to show some change in at least one of my "gifn" interfaces, and I'm not seeing it.

So I thought I'd run "gifconfig", "ifconfig" and "route add" to set up the tunnel first (modifying the ipsec.conf files to use the gif0 addresses). While that did set up a functioning tunnel, I didn't see any evidence of encryption happening. The tunnel kept working even if I ran setkey on only one of the endpoints.

What am I missing (or doing wrong)?

Things have been a little more complex than they need to be since one of my test "firewalls" is a laptop and getting two PCMCIA Ethernet cards to work at the same time has been a challenge.

All help is much appreciated.

tia
...jgm
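A manual SA/SPD setup like the one in this post has to agree on both endpoints before anything else can be diagnosed: the "add" entries must be identical on both hosts (same src/dst, SPI, cipher and key), every "spdadd ... esp/tunnel/A-B/require" must refer to an SA A->B that exists on that host, and the key length must fit the cipher. The script below is an added example, not code from the post or from FreeBSD; it parses setkey(8)-style "add" and "spdadd" statements from two config texts and reports any of those inconsistencies. The two embedded configs are constructed from the post's entries, and the second one deliberately carries a mistyped octet (192.169.98.17) so the mismatch checks have something to report; the function names and the finding texts are my own.

```python
"""Cross-check two setkey-style ipsec.conf texts for a pair of IPsec tunnel
endpoints.  Added example; the configs below are constructed from the
mailing-list post, with a deliberate typo in HOST2_CONF."""
import shlex
from dataclasses import dataclass

HOST1_CONF = """
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
"""

# constructed: second "add" has 192.169.98.17 instead of 192.168.98.17
HOST2_CONF = """
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.169.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
"""

KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24}   # key size setkey expects for -E
WEAK_CIPHERS = {"des-cbc"}                    # 56-bit DES is not acceptable today


@dataclass(frozen=True)
class SA:                      # one "add" statement (security association)
    src: str
    dst: str
    proto: str
    spi: int
    mode: str
    alg: str
    key: str


@dataclass(frozen=True)
class SP:                      # one "spdadd" statement (security policy)
    src: str
    dst: str
    direction: str
    proto: str
    mode: str
    tsrc: str
    tdst: str
    level: str


def parse(text):
    """Split on ';' statement terminators and decode add/spdadd lines."""
    sas, sps = [], []
    for stmt in text.split(";"):
        tok = shlex.split(stmt)            # strips the quotes around the key
        if not tok:
            continue
        if tok[0] == "add":
            mode = tok[tok.index("-m") + 1] if "-m" in tok else "transport"
            e = tok.index("-E")
            sas.append(SA(tok[1], tok[2], tok[3], int(tok[4]), mode, tok[e + 1], tok[e + 2]))
        elif tok[0] == "spdadd":
            p = tok.index("-P")            # tokens: -P <dir> ipsec <proto/mode/A-B/level>
            proto, mode, ends, level = tok[p + 3].split("/")
            tsrc, tdst = ends.split("-")
            sps.append(SP(tok[1], tok[2], tok[p + 1], proto, mode, tsrc, tdst, level))
    return sas, sps


def audit(conf_a, conf_b, name_a="host1", name_b="host2"):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    sa_a, sp_a = parse(conf_a)
    sa_b, sp_b = parse(conf_b)

    # 1. Manual SAs must be identical on both ends.
    for sa in set(sa_a) ^ set(sa_b):
        side = name_a if sa in sa_a else name_b
        findings.append(f"SA {sa.src}->{sa.dst} spi {sa.spi} exists only on {side}")

    # 2. Key length must match the cipher; weak ciphers are reported once.
    for sa in set(sa_a) | set(sa_b):
        want = KEY_BYTES.get(sa.alg)
        if want is not None and len(sa.key.encode()) != want:
            findings.append(f"spi {sa.spi}: {sa.alg} needs a {want}-byte key, got {len(sa.key)}")
    for alg in sorted({sa.alg for sa in sa_a + sa_b} & WEAK_CIPHERS):
        findings.append(f"{alg} is a weak cipher")

    # 3. Each tunnel policy needs an SA with the same endpoints on its own host.
    for name, sas, sps in ((name_a, sa_a, sp_a), (name_b, sa_b, sp_b)):
        have = {(s.src, s.dst, s.proto) for s in sas if s.mode == "tunnel"}
        for sp in sps:
            if sp.mode == "tunnel" and (sp.tsrc, sp.tdst, sp.proto) not in have:
                findings.append(f"{name}: {sp.direction} policy {sp.src}->{sp.dst} "
                                f"needs SA {sp.tsrc}->{sp.tdst}, which is missing")

    # 4. An "out" policy on one host must mirror an "in" policy on the other.
    def key(sp):
        return (sp.src, sp.dst, sp.tsrc, sp.tdst)
    for out_side, in_side, out_sps, in_sps in ((name_a, name_b, sp_a, sp_b),
                                               (name_b, name_a, sp_b, sp_a)):
        outs = {key(s) for s in out_sps if s.direction == "out"}
        ins = {key(s) for s in in_sps if s.direction == "in"}
        for k in outs ^ ins:
            findings.append(f"policy {k[0]}->{k[1]} via {k[2]}-{k[3]} is not mirrored "
                            f"between {out_side} (out) and {in_side} (in)")
    return findings


def fixed_host2():
    """HOST2_CONF with the constructed typo corrected."""
    return HOST2_CONF.replace("192.169.98.17", "192.168.98.17")


if __name__ == "__main__":
    for f in audit(HOST1_CONF, HOST2_CONF):
        print(f)
```

A configuration that passes these checks is only consistent on paper. Whether traffic is actually protected has to be confirmed on the wire: with the policy in force, packets leaving the outer interface for the peer should be ESP, and cleartext inner addresses should not be visible in a capture there.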