Date: Tue, 18 Jul 2000 14:57:56 +1200
From: "Dan Langille" <dan@freebsddiary.org>
To: freebsd-questions@freebsd.org
Subject: can't get IPSEC/ESP to work
Message-ID: <39747074.15193.3F959BE7@localhost>
I have two boxes, 192.168.0.101 and 192.168.0.78. I'm trying to encrypt the data between these two boxes. I've compiled IPSEC into both 4.0-stable boxes. Clues please.
On the .101 box, here are my setkey inputs:
add 191.168.0.101 192.168.0.78 esp 9876 -m transport -E des-cbc "hogehoge";
add 192.168.0.78 191.168.0.101 esp 10000 -m transport -E des-cbc "mogamoga";
spdadd 191.168.0.101 192.168.0.78 any -P out ipsec esp/transport/191.168.0.101-192.168.0.78/require;
And for the .78 box:
add 191.168.0.101 192.168.0.78 esp 9876 -m transport -E des-cbc "hogehoge";
add 192.168.0.78 191.168.0.101 esp 10000 -m transport -E des-cbc "mogamoga";
spdadd 192.168.0.78 191.168.0.101 any -P out ipsec esp/transport/192.168.0.78-191.168.0.101/require;
On a third box, I'm running tcpdump to monitor the traffic. I then try a telnet from .101 to .78. In the tcpdump output, I can clearly see the unencrypted text:
192.168.0.78.23 > 192.168.0.101.1037: P 196:203(7) ack 157 win 17520 (DF) [tos 0x10]
0x0000 4510 002f 56f0 4000 4006 61c5 c0a8 004e E../V.@.@.a....N
0x0010 c0a8 0065 0017 040d 4c8a f9fb 449b f4ea ...e....L...D...
0x0020 5018 4470 030e 0000 6c6f 6769 6e3a 20 P.Dp....login:.
I'm a bit mystified as to why this is. Here's some more info:
From the .78 box:
[root@set:~/ipsec] # setkey -D
192.168.0.78 191.168.0.101
esp mode=transport spi=10000(0x00002710) replay=4 flags=0x00000000
E: des-cbc 6d6f6761 6d6f6761
state=mature seq=1 pid=22708
created: Jul 18 14:51:49 2000 current: Jul 18 14:55:34 2000
diff: 225(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
refcnt=1
191.168.0.101 192.168.0.78
esp mode=transport spi=9876(0x00002694) replay=4 flags=0x00000000
E: des-cbc 686f6765 686f6765
state=mature seq=0 pid=22708
created: Jul 18 14:51:49 2000 current: Jul 18 14:55:34 2000
diff: 225(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
refcnt=1
[root@set:~/ipsec] # setkey -DP
192.168.0.78[any] 191.168.0.101[any] any
out ipsec
esp/transport/192.168.0.78-191.168.0.101/require
seq=0 pid=22709
refcnt=1
[root@set:~/ipsec] #
From the .101 box:
[root@synergy:~/ipsec] # setkey -D
192.168.0.78 191.168.0.101
esp mode=transport spi=10000(0x00002710) replay=4 flags=0x00000000
E: des-cbc 6d6f6761 6d6f6761
state=mature seq=1 pid=356
created: Jul 18 14:25:24 2000 current: Jul 18 14:29:58 2000
diff: 274(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
refcnt=1
191.168.0.101 192.168.0.78
esp mode=transport spi=9876(0x00002694) replay=4 flags=0x00000000
E: des-cbc 686f6765 686f6765
state=mature seq=0 pid=356
created: Jul 18 14:25:24 2000 current: Jul 18 14:29:58 2000
diff: 274(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
refcnt=1
[root@synergy:~/ipsec] # setkey -DP
191.168.0.101[any] 192.168.0.78[any] any
out ipsec
esp/transport/191.168.0.101-192.168.0.78/require
seq=0 pid=360
refcnt=1
--
Dan Langille - DVL Software Limited
FreshPorts - http://freshports.org/ - the place for ports
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39747074.15193.3F959BE7>
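A static consistency check for a setkey(8) configuration like the one posted above, as an added example that is not part of the original message or of KAME/FreeBSD. It parses `add` and `spdadd` lines, takes the host's own addresses (and optionally its expected peers) as an assumed input, and flags what a reviewer of the posted config would look for: an SA with no local endpoint and an outbound policy whose source selector is not a local address (the posted lines use 191.168.0.101 while the host is 192.168.0.101, so nothing the host sends matches the policy and it leaves in the clear, which is what the tcpdump shows), a `require` policy with no matching SA, an `out` policy with no mirror `in` policy (without it the peer's cleartext is still accepted), single DES, ESP without `-A` authentication, and key lengths that do not fit the algorithm. Both sample configurations are constructed here: the first copies the .101 host's input from the post, the second is a corrected version with assumed 3DES/HMAC-SHA1 keys.

```python
"""Static sanity checks for a KAME/FreeBSD setkey(8) configuration (added example)."""
import shlex

# Key lengths in bytes that setkey(8) requires for these algorithms.
KEY_LEN = {"des-cbc": 8, "3des-cbc": 24, "hmac-md5": 16, "hmac-sha1": 20}
WEAK_ENC = {"des-cbc", "null"}

# Constructed samples: AS_POSTED is the .101 host's input from the message
# (note the 191.168.0.101 addresses); CORRECTED is a fixed version with
# assumed 3DES/HMAC-SHA1 keys of the right length.
AS_POSTED = """
add 191.168.0.101 192.168.0.78 esp 9876 -m transport -E des-cbc "hogehoge";
add 192.168.0.78 191.168.0.101 esp 10000 -m transport -E des-cbc "mogamoga";
spdadd 191.168.0.101 192.168.0.78 any -P out ipsec esp/transport/191.168.0.101-192.168.0.78/require;
"""
CORRECTED = """
add 192.168.0.101 192.168.0.78 esp 9876 -m transport -E 3des-cbc "abcdefghijklmnopqrstuvwx" -A hmac-sha1 "abcdefghijklmnopqrst";
add 192.168.0.78 192.168.0.101 esp 10000 -m transport -E 3des-cbc "ABCDEFGHIJKLMNOPQRSTUVWX" -A hmac-sha1 "ABCDEFGHIJKLMNOPQRST";
spdadd 192.168.0.101 192.168.0.78 any -P out ipsec esp/transport//require;
spdadd 192.168.0.78 192.168.0.101 any -P in ipsec esp/transport//require;
"""


def _key_bytes(key):
    """Byte length of a setkey key written as "string" or as 0x-prefixed hex."""
    return (len(key) - 2) // 2 if key.startswith("0x") else len(key)


def parse_setkey(text):
    """Return (sad, spd): SAs from 'add' lines and policies from 'spdadd' lines."""
    sad, spd = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        tok = shlex.split(line)           # strips the quotes around keys
        if tok[0] == "add":
            sa = {"src": tok[1], "dst": tok[2], "proto": tok[3], "spi": int(tok[4]),
                  "mode": "any", "enc": None, "auth": None}
            i = 5
            while i < len(tok):
                if tok[i] == "-m":
                    sa["mode"], i = tok[i + 1], i + 2
                elif tok[i] in ("-E", "-A"):  # -E enc_alg key / -A auth_alg key
                    alg = tok[i + 1]
                    key = "" if alg == "null" else tok[i + 2]
                    sa["enc" if tok[i] == "-E" else "auth"] = (alg, key)
                    i += 2 if alg == "null" else 3
                else:
                    i += 1
            sad.append(sa)
        elif tok[0] == "spdadd":
            d = tok.index("-P")
            pol = {"src": tok[1], "dst": tok[2], "dir": tok[d + 1],
                   "action": tok[d + 2], "ends": None}
            if pol["action"] == "ipsec":  # proto/mode/[src-dst]/level
                proto, mode, ends, level = tok[d + 3].split("/")
                pol.update(proto=proto, mode=mode, level=level,
                           ends=tuple(ends.split("-")) if ends else None)
            spd.append(pol)
    return sad, spd


def check_setkey(text, local_addrs, peers=()):
    """Findings for the config of a host owning local_addrs; [] means clean.
    peers, if given, is the set of remote addresses the host expects to talk to."""
    sad, spd = parse_setkey(text)
    local, peers, out = set(local_addrs), set(peers), []
    for sa in sad:
        tag = f"SA spi={sa['spi']} {sa['src']}->{sa['dst']}"
        if sa["src"] not in local and sa["dst"] not in local:
            out.append(f"{tag}: neither endpoint is a local address, this host can never use it")
        for alg, key in filter(None, (sa["enc"], sa["auth"])):
            if alg in KEY_LEN and _key_bytes(key) != KEY_LEN[alg]:
                out.append(f"{tag}: {alg} key must be {KEY_LEN[alg]} bytes, got {_key_bytes(key)}")
        if sa["proto"] == "esp" and sa["enc"] and sa["enc"][0] in WEAK_ENC:
            out.append(f"{tag}: weak cipher {sa['enc'][0]}")
        if sa["proto"] == "esp" and sa["auth"] is None:
            out.append(f"{tag}: ESP without -A, packets are not integrity protected")
    for p in spd:
        tag = f"{p['dir']} policy {p['src']}->{p['dst']}"
        own, far = (p["src"], p["dst"]) if p["dir"] == "out" else (p["dst"], p["src"])
        if own not in local:
            out.append(f"{tag}: selector address {own} is not local, no traffic can match it")
        if peers and far not in peers:
            out.append(f"{tag}: {far} is not a known peer")
        if p["action"] != "ipsec":
            continue
        ends = p["ends"] or (p["src"], p["dst"])
        if p["mode"] == "transport" and ends != (p["src"], p["dst"]):
            out.append(f"{tag}: transport-mode endpoints {ends} differ from the selector")
        if p["level"] == "require" and not any(
                sa["src"] == ends[0] and sa["dst"] == ends[1] and sa["proto"] == p["proto"]
                and sa["mode"] in (p["mode"], "any") for sa in sad):
            out.append(f"{tag}: no {p['proto']} SA {ends[0]}->{ends[1]} for a 'require' policy")
    outs = {(p["src"], p["dst"]) for p in spd if p["dir"] == "out"}
    ins = {(p["dst"], p["src"]) for p in spd if p["dir"] == "in"}
    for a, b in sorted(outs - ins):
        out.append(f"out policy {a}->{b} has no mirror 'in' policy, cleartext from {b} is still accepted")
    return out


if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {name} ==")
        for f in check_setkey(conf, {"192.168.0.101"}, {"192.168.0.78"}) or ["clean"]:
            print(" ", f)
```

Run it once per host with that host's own addresses; the .78 side's posted input passes the local-endpoint checks and only trips when 192.168.0.101 is supplied as the expected peer, which is why the mismatch is easy to miss when each box is inspected on its own. The checks are purely syntactic and say nothing about whether the kernel actually has IPSEC compiled in; `setkey -D` showing the SAs in state=mature, as in the post, covers that part.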
