Date: Sun, 20 Apr 2003 10:20:53 -0700
From: Lars Eggert <larse@ISI.EDU>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc: "Crist J. Clark" <cjc@FreeBSD.org>
Subject: Re: Single IP host and IPsec tunnel mode experience
Message-ID: <3EA2D6F5.4060209@isi.edu>
In-Reply-To: <20030420165538.GA31101@madman.celabo.org>
References: <20030410161511.GA25681@madman.celabo.org> <20030416052335.GA2519@blossom.cjclark.org> <20030416123621.GC72501@madman.celabo.org> <20030420165538.GA31101@madman.celabo.org>
On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote:
> On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
>
>>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
>>
>>>'uname -a'?
>>
>>The endpoints were both 4.7.
>>
>>
>>>I can't reproduce this on a 4.8 to 4.7 tunnel. On
>>>192.168.64.70,
>>>
>>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
>>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
>>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>And on 192.168.64.20, the gateway to 10.0.0.0/24,
>>>
>>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P in
>>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
>>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>Works fine.
>>
>>Hmm, yes, that appears to be exactly what I'm trying to do. Well,
>>that's heartening ... it means that there is likely some anomaly in my
>>environment that is hosing me. Now if only I can figure what it is :-)
>
>
> Oddly enough ... ESP works, AH does not.
Are you going through a NAT box? (Sorry, haven't been following this
thread closely.) AH includes more of the IP header when computing the
crypto checksum (compared to ESP); if those fields get diddled by a NAT
box, the receiver will drop the packets because of bad crypto. One of
the netstat counters on the receiver will show this.
If you need to authenticate, maybe try using ESP authentication?
Lars
--
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
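A small added illustration of Lars's point, written for this archive page and not taken from the thread or from FreeBSD: it models the AH and ESP integrity checks over a tunnel-mode packet between the thread's addresses and shows that a NAT rewriting the outer source address breaks AH's ICV (the addresses are inside what AH authenticates) while ESP's ICV, which excludes the outer header, still verifies. The key, SPIs, NAT address and payload are constructed, and HMAC-SHA1-96 stands in for whatever algorithm the real SAs used.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from setkey(8) or IKE

def ipv4_header(src, dst, proto, ttl=64, total_len=0):
    """Minimal 20-byte IPv4 header; checksum left zero (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def zero_mutable_fields(ip_hdr):
    """RFC 2402 3.3.3.1: TOS, flags/frag, TTL, checksum zeroed; addresses covered as-is."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def hmac_sha1_96(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(outer_ip, ah_fields, payload):
    """AH covers the outer IP header (mutable fields zeroed), AH header with ICV zeroed, payload."""
    return hmac_sha1_96(zero_mutable_fields(outer_ip) + ah_fields + b"\x00" * 12 + payload)

def esp_icv(esp_hdr_and_body):
    return hmac_sha1_96(esp_hdr_and_body)  # ESP header + body + trailer only; no outer IP header

def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT on the path does: swap the outer source address, decrement TTL."""
    h = bytearray(ip_hdr)
    h[12:16] = IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)

def simulate(nat_src=""):
    """Return (ah_ok, esp_ok) for a tunnel-mode packet 192.168.64.70 -> 192.168.64.20."""
    inner = ipv4_header("192.168.64.70", "10.0.0.5", 1) + b"constructed-ping"
    outer = ipv4_header("192.168.64.70", "192.168.64.20", 51, total_len=44 + len(inner))
    ah_fields = struct.pack("!BBHII", 4, 4, 0, 0x1000, 1)  # next=IPIP, len, rsv, SPI, seq
    esp_body = struct.pack("!II", 0x1001, 1) + inner        # SPI, seq, (here unencrypted) body
    sent_ah, sent_esp = ah_icv(outer, ah_fields, inner), esp_icv(esp_body)
    if nat_src:
        outer = nat_rewrite_source(outer, nat_src)  # receiver sees the rewritten outer header
    ah_ok = hmac.compare_digest(ah_icv(outer, ah_fields, inner), sent_ah)
    esp_ok = hmac.compare_digest(esp_icv(esp_body), sent_esp)
    return ah_ok, esp_ok
```

Without a NAT both checks pass; with the outer source rewritten, AH fails and ESP still verifies, which is the failure pattern the receiver's netstat counters would reflect.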
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EA2D6F5.4060209>
