Date: Tue, 20 Jun 2000 03:34:33 +0900
From: ARIGA Seiji <say@sfc.wide.ad.jp>
To: gronimw@stuy.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ipsec misconfiguration problem
Message-ID: <20000620033433M.say@decoy.sfc.keio.ac.jp>
In-Reply-To: <20000619004802.A1461@spike.brainlink.com>
References: <20000619004802.A1461@spike.brainlink.com>
Hi,

First of all, I assume that you are using FreeBSD 4.0-RELEASE.

On Mon, 19 Jun 2000 00:48:02 -0400, Spike Gronim <william@brainlink.com> wrote,

: I tried a lot of things, and then copied the NetBSD documentation setup
: (http://www.netbsd.org/Documentation/network/ipsec/#sample_esp)
:

IPsec functions are based on KAME (http://www.kame.net) code. FreeBSD 4.0 is based on old KAME code, though NetBSD merged very recent code. So, the IPsec configuration is a bit different between these OSes.

: [ipsec.conf]
: add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
: add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
: add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
: add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
: spdadd 192.168.0.1 192.168.0.200 any -P out\
:     ipsec esp/transport//use ah/transport//use;
: [ipsec.conf]

Try this, on 192.168.0.1,

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out
    ipsec esp/transport/192.168.0.1-192.168.0.200/use
          ah/transport/192.168.0.1-192.168.0.200/use;

on 192.168.0.200

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.200 192.168.0.1 any -P out
    ipsec esp/transport/192.168.0.200-192.168.0.1/use
          ah/transport/192.168.0.200-192.168.0.1/use;

As you see, you have to swap the IP addresses only for spdadd.
# I think it is because both nodes have to share the same SA configuration.
And also you have to add "src-dst" for spd.
// ARIGA Seiji
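The two rules stated in the message above (every transport-mode policy element in an spdadd needs an explicit src-dst pair on old KAME, and both hosts load the same SAs while only the spdadd is mirrored) can be checked mechanically before handing a file to setkey(8). The following is an added example, not part of the original thread and not code from KAME or FreeBSD: a small Python lint over setkey-style input. The sample configurations are constructed from the thread's addresses, SPIs and keys; the parser is deliberately minimal (plain addresses only, no prefix lengths or [port] suffixes, no tunnel-mode endpoint checking), and the checks are the thread's stated rules, not anything setkey itself enforces. Single DES and HMAC-MD5 with ASCII manual keys are reproduced here only because they are what the thread uses; they are weak by any current standard.

```python
"""Added example: lint a FreeBSD 4.0 / old-KAME style setkey(8) configuration.

Checks, per the rules stated in the thread:
  1. each transport-mode policy element in an spdadd names src-dst endpoints,
  2. those endpoints equal the spdadd's own source and destination,
  3. a manual SA ("add src dst proto ...") exists for each policy element.
peer_config() derives the other host's file: SAs are copied verbatim (both
hosts share the SAD) and only the spdadd addresses and endpoints are mirrored.
"""
import re

# Constructed sample: the corrected host-192.168.0.1 file from the thread.
SAMPLE_GOOD = """\
add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out
    ipsec esp/transport/192.168.0.1-192.168.0.200/use
          ah/transport/192.168.0.1-192.168.0.200/use;
"""

# Constructed sample: the NetBSD-style policy that failed on FreeBSD 4.0
# (empty src-dst), with the AH SA also left out.
SAMPLE_BAD = """\
add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
spdadd 192.168.0.1 192.168.0.200 any -P out
    ipsec esp/transport//use ah/transport//use;
"""


def statements(text):
    """Split setkey input into token lists. Statements end at ';' and may
    span lines; '#' starts a comment, as in setkey's own syntax."""
    uncommented = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [s.split() for s in uncommented.split(";") if s.strip()]


def parse(text):
    """Return (set of (src, dst, proto) SAs, list of spdadd policy dicts)."""
    sas, policies = set(), []
    for tok in statements(text):
        if tok[0] == "add" and len(tok) >= 4:
            sas.add((tok[1], tok[2], tok[3]))
        elif tok[0] == "spdadd" and "-P" in tok:
            p = tok.index("-P")
            elems = tok[tok.index("ipsec") + 1:] if "ipsec" in tok else []
            policies.append({"src": tok[1], "dst": tok[2], "dir": tok[p + 1],
                             "elems": [e.split("/") for e in elems]})
    return sas, policies


def lint(text):
    """Return a list of findings; an empty list means the file passes."""
    sas, policies = parse(text)
    findings = []
    for pol in policies:
        where = f"spdadd {pol['src']} {pol['dst']} -P {pol['dir']}"
        for elem in pol["elems"]:
            if len(elem) != 4:
                findings.append(f"{where}: malformed policy element {'/'.join(elem)}")
                continue
            proto, mode, endpoints, _level = elem
            if mode != "transport":
                continue  # tunnel endpoints are gateways, not the SPD addresses
            if not endpoints:
                findings.append(f"{where}: {proto}/{mode} has no src-dst endpoints")
                src, dst = pol["src"], pol["dst"]  # what the policy implies
            else:
                src, _, dst = endpoints.partition("-")
                if (src, dst) != (pol["src"], pol["dst"]):
                    findings.append(f"{where}: {proto} endpoints {endpoints} "
                                    "do not match the spdadd addresses")
            if (src, dst, proto) not in sas:
                findings.append(f"{where}: no SA 'add {src} {dst} {proto}' for this policy")
    return findings


def peer_config(text):
    """Derive the peer host's file: every 'add' is kept verbatim; in each
    spdadd the addresses and the src-dst of every policy element are swapped."""
    out = []
    for tok in statements(text):
        if tok[0] == "spdadd":
            tok[1], tok[2] = tok[2], tok[1]
            tok = [re.sub(r"^(\w+)/(\w+)/([^-/]+)-([^/]+)/", r"\1/\2/\4-\3/", t)
                   for t in tok]
        out.append(" ".join(tok) + ";")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {lint(cfg) or 'OK'}")
    print(peer_config(SAMPLE_GOOD))
```

Running it reports nothing for the corrected file, flags both empty src-dst elements and the missing AH SA in the NetBSD-style file, and prints the 192.168.0.200 side of the configuration with the SAs unchanged and the spdadd mirrored, which is exactly the pair of files the message lays out.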