From: ARIGA Seiji
To: gronimw@stuy.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ipsec misconfiguration problem
Date: Tue, 20 Jun 2000 03:34:33 +0900
Message-Id: <20000620033433M.say@decoy.sfc.keio.ac.jp>
In-Reply-To: <20000619004802.A1461@spike.brainlink.com>
X-PGP-Publickey: http://decoy.sfc.keio.ac.jp/~say/key.txt

Hi,

First of all, I assume that you are using FreeBSD 4.0-RELEASE.

On Mon, 19 Jun 2000 00:48:02 -0400, Spike Gronim wrote,
: I tried a lot of things, and then copied the NetBSD documentation setup
: (http://www.netbsd.org/Documentation/network/ipsec/#sample_esp)
:

IPsec functions are based on KAME (http://www.kame.net) code. FreeBSD 4.0 is
based on old KAME code, though NetBSD merged very recent code. So, IPsec
configuration is a bit different between these OSes.
: [ipsec.conf]
: add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
: add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
: add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
: add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
: spdadd 192.168.0.1 192.168.0.200 any -P out\
:     ipsec esp/transport//use ah/transport//use;
: [ipsec.conf]

Try this,

on 192.168.0.1,

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out
    ipsec esp/transport/192.168.0.1-192.168.0.200/use
          ah/transport/192.168.0.1-192.168.0.200/use;

on 192.168.0.200

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.200 192.168.0.1 any -P out
    ipsec esp/transport/192.168.0.200-192.168.0.1/use
          ah/transport/192.168.0.200-192.168.0.1/use;

As you see, you have to swap the IP addresses only for spdadd.
# I think it is because both nodes have to share the same SA configuration.

And also you have to add "src-dst" for spd.

// ARIGA Seiji
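The two rules the reply gives (the "add" SA lines are identical on both nodes; "spdadd" swaps src and dst and needs an explicit "src-dst" in every clause on FreeBSD 4.0's KAME code) as an added Python helper. This is example code, not from the mail, KAME or FreeBSD; it assumes only the setkey(8) syntax quoted above, and the sample configuration is constructed from the mail's addresses.

```python
import re
# Added example; not code from the original mail, KAME or FreeBSD. It assumes
# the setkey(8) grammar shown in the thread, in particular
#   spdadd <src> <dst> <upperspec> -P in|out ipsec <proto>/<mode>/<src-dst>/<level> ...;
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.+);$")

def complete_spd(line: str) -> str:
    """Fill an empty 'src-dst' field (e.g. 'esp/transport//use') from the
    selector addresses; the old KAME code in FreeBSD 4.0 needs them spelled out."""
    m = SPD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an spdadd line: {line!r}")
    src, dst, upper, direction, policy = m.groups()
    clauses = []
    for clause in policy.split():
        proto, mode, endpoints, level = clause.split("/")
        clauses.append(f"{proto}/{mode}/{endpoints or f'{src}-{dst}'}/{level}")
    return f"spdadd {src} {dst} {upper} -P {direction} ipsec {' '.join(clauses)};"

def peer_config(conf: str) -> str:
    """Derive the other node's setkey file: 'add' (SA) lines are copied verbatim
    because both nodes share the same SAs; each spdadd swaps src and dst both in
    the selector and in every clause's 'src-dst', staying an outbound policy."""
    out = []
    for raw in conf.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("add "):
            out.append(line)
            continue
        src, dst, upper, direction, policy = SPD_RE.match(complete_spd(line)).groups()
        clauses = []
        for clause in policy.split():
            proto, mode, endpoints, level = clause.split("/")
            a, b = endpoints.split("-")
            clauses.append(f"{proto}/{mode}/{b}-{a}/{level}")
        out.append(f"spdadd {dst} {src} {upper} -P {direction} ipsec {' '.join(clauses)};")
    return "\n".join(out)

# Constructed sample: the 192.168.0.1 side, written NetBSD-style with empty
# 'src-dst' fields (the form the mail says does not work on FreeBSD 4.0).
NODE1 = '''
add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out\\
    ipsec esp/transport//use ah/transport//use;
'''
```

Running peer_config(NODE1) yields exactly the 192.168.0.200 configuration given in the reply; applying it twice returns the completed 192.168.0.1 side.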