Date:      Thu, 24 May 2001 15:57:20 -0700
From:      "Brandt Everett" <everett@bentonrea.com>
To:        "'Matt Dillon'" <dillon@earth.backplane.com>
Cc:        <freebsd-stable@FreeBSD.ORG>
Subject:   RE: FreeBSD and IPSEC
Message-ID:  <004c01c0e4a4$e43fcd90$632807d8@prosser.bentonrea.org>
In-Reply-To: <200105242015.f4OKFxH30464@earth.backplane.com>

OK, I see a switch for it in the setkey(8) man page, but I can't seem to get it
to take.  I keep getting an invalid argument.

Here is the man page section:

extensions
             takes some of the following:
             -m mode     Specify an security protocol mode for use.  By de-
                         fault, any. mode is one of following: transport,
                         tunnel or any.
             -r size     Specify window size of bytes for replay prevention.
                         size must be decimal number in 32-bit word.  If size
                         is zero or not specified, replay check don't take
                         place.
             -f pad_option
                         pad_option is one of following: zero-pad, random-pad
                         or seq-pad
             -f cyclic-seq
                         Allow cyclic sequence number.
             -lh time
             -ls time    Specify hard/soft lifetime.

add x.x.x.x y.y.y.y esp 9983 -m any -f cyclic-seq -E 3des-cbc "mysecret";
add y.y.y.y x.x.x.x esp 9984 -m any -f cyclic-seq -E 3des-cbc "mysecret";


Has something changed on this that I can't find the info on?

Brandt Everett

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
e-mail:   everett@bentonrea.com
webpage:      www.bentonrea.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Matt Dillon
> Sent: Thursday, May 24, 2001 1:16 PM
> To: Brandt Everett
> Cc: freebsd-stable@FreeBSD.ORG
> Subject: Re: FreeBSD and IPSEC
>
>
> :I have two remote offices.  I am running FreeBSD ver 4.0R on all three
> :firewalls.  I would like to create two VPNs between the remote offices and
> :our HQ here.  I can create a VPN connection using the gif and
> :esp/tunnel//require, without the racoon, but from time to time the remote
> :offices lose communication with the HQ.  If I allow routing between the
> :remote sites, without the VPN or encryption they work just fine.  There are
> :some ipfw rules in place, but this happens even if I open the firewall up
> :all the way.
> :
> :Does anyone have any suggestions for troubleshooting this?  Any ideas on
> :where to continue looking for problems?  I'm not looking for answers (unless
> :you got them); I'm looking for the next place to look.
> :
> :Brandt Everett
>
>     I did an IPSEC tunnel once with the same problem.  It turned out that
>     cyclic sequence numbers were not being allowed (I guess for security
>     reasons).  Any sort of packet loss caused the VPN to stop working.
>     Allowing cyclic sequence numbers fixed the problem.
>
>     Unfortunately, this was a year ago so I don't have the config file
>     to show you.  I'm not sure where you specify it in the config.
>
> 						-Matt
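The -r (replay window) and -f cyclic-seq options quoted from setkey(8) above both concern the anti-replay state an ESP receiver keeps per SA. The sliding-window check below is an added illustration of that mechanism, written for this archive page; it is not KAME or FreeBSD kernel code. The window width of 32 sequence numbers and the rule of dropping a packet when the 32-bit counter wraps on an SA without cyclic-seq are assumptions modelled on the man page text.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Window width in sequence numbers, standing in for setkey's "-r 32" (assumed). */
#define REPLAY_WINDOW 32u

struct replay_state {
    bool     started;      /* has any packet been accepted on this SA yet? */
    bool     allow_cyclic; /* "-f cyclic-seq": tolerate the 32-bit counter wrapping */
    uint32_t last;         /* newest sequence number accepted so far */
    uint32_t bitmap;       /* bit i set => sequence number (last - i) already seen */
};

/* Sliding-window anti-replay check on one inbound ESP sequence number.
 * Returns true to accept the packet, false to drop it (duplicate, older than the
 * window, or a counter wrap on an SA that does not allow cyclic sequences). */
bool replay_check(struct replay_state *st, uint32_t seq)
{
    if (!st->started) {
        st->started = true;
        st->last = seq;
        st->bitmap = 1u;
        return true;
    }
    uint32_t ahead = seq - st->last;           /* forward distance, modulo 2^32 */
    if (ahead != 0 && ahead < 0x80000000u) {   /* newer than anything seen: slide */
        if (seq < st->last && !st->allow_cyclic)
            return false;                      /* counter passed 2^32-1: SA must be replaced */
        st->bitmap = ahead >= REPLAY_WINDOW ? 1u : (st->bitmap << ahead) | 1u;
        st->last = seq;
        return true;
    }
    uint32_t behind = st->last - seq;          /* position inside (or behind) the window */
    if (behind >= REPLAY_WINDOW)
        return false;                          /* older than the window: drop */
    if (st->bitmap & (1u << behind))
        return false;                          /* already received: replay */
    st->bitmap |= (1u << behind);              /* late but fresh: accept once */
    return true;
}

int main(void)
{
    struct replay_state sa = { .allow_cyclic = false };   /* SA without cyclic-seq */
    uint32_t seqs[] = { 0xFFFFFFFDu, 0xFFFFFFFEu, 0xFFFFFFFEu, 0xFFFFFFFFu, 1u };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %10u: %s\n", seqs[i], replay_check(&sa, seqs[i]) ? "accept" : "drop");
    return 0;   /* prints accept, accept, drop (replay), accept, drop (wrap forbidden) */
}
```

Setting allow_cyclic to true makes the same sequence accept the post-wrap packet 1 and keeps accepting late packets from just before the wrap that fall inside the window.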

