Date: Mon, 17 Sep 2001 10:01:42 -0500
From: Paul Root <proot@iaces.com>
To: Brooks Davis <brooks@one-eyed-alien.net>, security@freebsd.org
Subject: Re: IPSEC config
Message-ID: <3BA61056.5F48202@iaces.com>
References: <3BA10B3F.610E6FB3@iaces.com> <20010913124438.A19163@Odin.AC.HMC.Edu>
Brooks Davis wrote:
>
> On Thu, Sep 13, 2001 at 02:38:39PM -0500, Paul Root wrote:
> > Hi,
> > I'm trying to set up an IPSec tunnel and am having trouble.
> > Both machines are 4.4 RC3 (I think, last week). And when I set it up
> > for a transport between the two machines it works fine, so racoon
> > must be fine.
> >
> > I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> > Here's my config on one end:
> >
> > #!/bin/sh
> > # These commands need to be run on acesfbsd to
> > # connect to lorax, in an IPSEC test
> > #
> > # Setup the tunnel device.
> > gifconfig gif0 10.20.30.4 172.28.56.82
>
> This won't work in 4.4. There's no gif0 device at this point because gif
> devices are now created at runtime. Also, while gifconfig still works,
> it's obsolete. Instead use:
>
> ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
>
> These addresses should be the local machine's address and the remote
> machine's address (is the local machine really a 10.x address?)

Yes, those are their real addresses. I had another response about having
tunnel addresses as well as real addresses. Unfortunately, it's written
exactly the same way as the doco that I already don't understand.

So, here's a question. Do I set the addresses of gif0 the same as my primary
interface, or are they a network all to themselves? Logically to me they
need to be addresses that can be routed to, i.e. the real addresses of the
machine.

So here's a picture of what I think happens.

workstation1    tunnel-start-machine  -  network  -  tunnel-end-machine    workstation2
172.28.56.54    172.28.56.82                          10.20.30.4            10.20.30.3
                                  172.28.56.56-10.20.30.1

The network in the middle is actually a Nokia running FW-1 4.1. Its rules
are set up correctly, letting all traffic between the two machines.

So for routing, I do this:

IP address      Route to other net
----------      ------------------
172.28.56.54    172.28.56.82
172.28.56.82    172.28.56.56
10.20.30.4      10.20.30.1
10.20.30.3      10.20.30.4

This is one end of the tunnel.
#!/bin/sh
# These commands need to be run on acesfbsd to
# connect to lorax, in an IPSEC test
#
# Setup the tunnel device.
#gifconfig gif0 10.20.30.4 172.28.56.82
ifconfig gif0 destroy
ifconfig gif0 create tunnel 10.20.30.4 172.28.56.82
#
# The next 2 lines delete all existing entries
# from the SPD and SAD
setkey -FP
setkey -F
# Add the policy
setkey -c <<EOF
spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec esp/tunnel/10.20.30.4-172.28.56.82/require;
spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec esp/tunnel/172.28.56.82-10.20.30.4/require;
EOF

The other end is just a mirror image. Perhaps I'm getting in trouble with loops?

> -- Brooks
>
> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

--
Paul T. Root                    E/Mail: proot@iaces.com
600 Stinson Blvd, Fl 1S         PAG: +1 (877) 693-7155
Minneapolis, MN 55413           WRK: +1 (612) 664-3385
NIC: PTR                        FAX: +1 (612) 664-4779
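An added example, not part of this thread: it builds the `setkey` SPD policies for both ends of the gif/ESP tunnel from the post's own addresses, checks that the far end really is the mirror image of the near end, and reports whether the tunnel's outer addresses fall inside the protected subnets (relevant to the loop question above). The names `ACES`, `LORAX` and the functions are my own; the addresses and subnets are the ones in the post.

```python
import ipaddress

# Tunnel ends as described in the post (constructed dicts; names are mine).
ACES = dict(local_ep="10.20.30.4", remote_ep="172.28.56.82",
            local_net="10.20.30.0/24", remote_net="172.28.56.0/23")
LORAX = dict(local_ep="172.28.56.82", remote_ep="10.20.30.4",
             local_net="172.28.56.0/23", remote_net="10.20.30.0/24")


def spd_policies(local_ep, remote_ep, local_net, remote_net):
    """One end's SPD as direction -> (src net, dst net, src endpoint, dst endpoint)."""
    return {
        "out": (local_net, remote_net, local_ep, remote_ep),
        "in": (remote_net, local_net, remote_ep, local_ep),
    }


def setkey_script(end):
    """Render the policies as the heredoc body fed to `setkey -c` in the post."""
    lines = []
    for direction, (src, dst, sep, dep) in spd_policies(**end).items():
        lines.append(f"spdadd {src} {dst} any -P {direction} ipsec "
                     f"esp/tunnel/{sep}-{dep}/require;")
    return "\n".join(lines)


def mirror_consistent(end_a, end_b):
    """True when A's 'out' policy equals B's 'in' policy and vice versa,
    i.e. selectors and tunnel endpoints line up on both gateways."""
    a, b = spd_policies(**end_a), spd_policies(**end_b)
    return a["out"] == b["in"] and a["in"] == b["out"]


def endpoints_inside_selectors(end):
    """True if the gateways' own outer addresses lie inside the protected
    subnets. With the /24 and /23 selectors from the post they do, which is
    the first thing to check when wondering whether the ESP packets between
    the gateways themselves match the policy."""
    src_net, dst_net, src_ep, dst_ep = spd_policies(**end)["out"]
    return (ipaddress.ip_address(src_ep) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst_ep) in ipaddress.ip_network(dst_net))


if __name__ == "__main__":
    print(setkey_script(ACES))
    print("far end mirrors near end:", mirror_consistent(ACES, LORAX))
    print("endpoints inside selectors:", endpoints_inside_selectors(ACES))
```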