From owner-freebsd-stable Thu May 24 15:58:38 2001
From: "Brandt Everett" <everett@bentonrea.com>
To: "'Matt Dillon'"
Cc: freebsd-stable@FreeBSD.ORG
Subject: RE: FreeBSD and IPSEC
Date: Thu, 24 May 2001 15:57:20 -0700
Message-ID: <004c01c0e4a4$e43fcd90$632807d8@prosser.bentonrea.org>
In-reply-to: <200105242015.f4OKFxH30464@earth.backplane.com>
Sender: owner-freebsd-stable@FreeBSD.ORG

Ok, I see a switch for it in the setkey(8) man page, but I can't seem to get it to take. I keep getting an "invalid argument". Here is the man page section:

     extensions takes some of the following:

     -m mode     Specify a security protocol mode for use.  By default, any.
                 mode is one of following: transport, tunnel or any.
     -r size     Specify window size of bytes for replay prevention.  size
                 must be decimal number in 32-bit word.  If size is zero or
                 not specified, replay check doesn't take place.
     -f pad_option
                 pad_option is one of following: zero-pad, random-pad or
                 seq-pad
     -f cyclic-seq
                 Allow cyclic sequence number.
     -lh time
     -ls time    Specify hard/soft lifetime.
     add x.x.x.x y.y.y.y esp 9983 -m any -f cyclic-seq -E 3des-cbc "mysecret";
     add y.y.y.y x.x.x.x esp 9984 -m any -f cyclic-seq -E 3des-cbc "mysecret";

Has something changed on this that I can't find the info on?

Brandt Everett
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
e-mail: everett@bentonrea.com
webpage: www.bentonrea.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Matt Dillon
> Sent: Thursday, May 24, 2001 1:16 PM
> To: Brandt Everett
> Cc: freebsd-stable@FreeBSD.ORG
> Subject: Re: FreeBSD and IPSEC
>
>
> :I have two remote offices. I am running FreeBSD ver 4.0R on all three
> :firewalls. I would like to create two VPNs between the remote offices and
> :our HQ here. I can create a VPN connection using the gif and
> :esp/tunnel//require, without racoon, but from time to time the remote
> :offices lose communication with the HQ. If I allow routing between the
> :remote sites, without the VPN or encryption, they work just fine. There are
> :some ipfw rules in place, but this happens even if I open the firewall up
> :all the way.
> :
> :Does anyone have any suggestions for troubleshooting this? Any ideas on
> :where to continue looking for problems? I'm not looking for answers (unless
> :you've got them); I'm looking for the next place to look.
> :
> :Brandt Everett
>
>     I did an IPSEC tunnel once with the same problem.  It turned out that
>     cyclic sequence numbers were not being allowed (I guess for security
>     reasons).  Any sort of packet loss caused the VPN to stop working.
>     Allowing cyclic sequence numbers fixed the problem.
>
>     Unfortunately, this was a year ago so I don't have the config file
>     to show you.  I'm not sure where you specify it in the config.
>
>                                                 -Matt
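The thread above turns on two knobs of the ESP/AH anti-replay machinery: the receiver's replay window (setkey's `-r size`) and whether the 32-bit sequence counter may wrap (`-f cyclic-seq`). The following is an added, simplified model of that machinery written for this page; it is not FreeBSD or KAME code, and the class and function names (`ReplayWindow`, `Sender`, `run_loss_scenario`, `run_wrap_scenario`) and the packet arrival orders are constructed for illustration. It shows what a receiver does with late, duplicated and out-of-window packets after loss, and how a strict (non-cyclic) counter stops the SA dead when it reaches 2^32 while a cyclic one keeps going.

```python
"""Sliding-window anti-replay check in the style of RFC 2401 Appendix C.

Added example, not KAME/FreeBSD code.  Models one SA's receiver state
(window like setkey '-r size', wrap like '-f cyclic-seq') and a sender counter.
"""

SEQ_MOD = 1 << 32  # ESP/AH sequence numbers are 32 bits wide


class ReplayWindow:
    """Receiver-side anti-replay state for one SA (simplified model)."""

    def __init__(self, size=64, cyclic=False):
        self.size = size        # window width in packets; 0 disables the check
        self.cyclic = cyclic    # allow the counter to wrap past 2^32 - 1
        self.last = 0           # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence (last - i) already seen

    def check(self, seq):
        """Return (accepted, reason) and record seq when it is accepted."""
        if self.size == 0:
            return True, "replay check disabled"
        if seq == 0:
            return False, "seq 0 is invalid"       # first packet on an SA is 1
        if self.last == 0:                           # nothing received yet
            self.last, self.bitmap = seq, 1
            return True, "new"

        ahead = (seq - self.last) % SEQ_MOD          # forward distance mod 2^32
        if 0 < ahead < SEQ_MOD // 2:
            # Newer than anything seen: slide the window forward.
            if seq < self.last and not self.cyclic:
                return False, "sequence counter wrapped; SA must be rekeyed"
            if ahead >= self.size:
                self.bitmap = 1                      # whole old window slides out
            else:
                self.bitmap = ((self.bitmap << ahead) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True, "new"

        behind = (self.last - seq) % SEQ_MOD
        if behind >= self.size:
            return False, "too old: outside the %d-packet window" % self.size
        if (self.bitmap >> behind) & 1:
            return False, "replayed"
        self.bitmap |= 1 << behind                   # late arrival, mark it seen
        return True, "late but inside window"


class Sender:
    """Sender-side counter: one increment per packet; wrapping needs cyclic."""

    def __init__(self, cyclic=False, start=0):
        self.seq = start
        self.cyclic = cyclic

    def next_seq(self):
        nxt = (self.seq + 1) % SEQ_MOD
        if nxt == 0:
            if not self.cyclic:
                raise OverflowError("sequence counter exhausted; rekey the SA")
            nxt = 1                                  # 0 is never a valid seq
        self.seq = nxt
        return nxt


def run_loss_scenario(window_size=64):
    """Constructed arrival order: loss, late delivery, a duplicate, a big jump."""
    rx = ReplayWindow(size=window_size)
    arrivals = [1, 2, 3, 5, 6, 4, 4, 70, 5, 7, 6]   # constructed sample input
    return [(s,) + rx.check(s) for s in arrivals]


def run_wrap_scenario(cyclic):
    """Drive a sender two packets short of wrapping into a matching receiver."""
    tx = Sender(cyclic=cyclic, start=SEQ_MOD - 3)
    rx = ReplayWindow(size=64, cyclic=cyclic)
    verdicts = []
    for _ in range(4):
        try:
            seq = tx.next_seq()
        except OverflowError as err:
            verdicts.append(("sender", False, str(err)))
            break
        verdicts.append((seq,) + rx.check(seq))
    return verdicts


if __name__ == "__main__":
    for v in run_loss_scenario():
        print("seq %-10d %-5s %s" % v)
    print("strict:", run_wrap_scenario(cyclic=False)[-1])
    print("cyclic:", run_wrap_scenario(cyclic=True)[2])
```

In the loss scenario packet 4 arrives late but inside the window and is accepted, its duplicate is rejected as replayed, and once packet 70 has pushed the window forward the straggling 5 and 6 are rejected as too old. In the wrap scenario the strict sender raises an error at the 2^32 boundary, which is the "stops working until you rekey" behaviour; with cyclic allowed on both sides the counter rolls over to 1 and the receiver keeps accepting. A receiver that is not cyclic while its peer wraps rejects everything after the wrap, so the two ends must agree.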