From owner-freebsd-net@FreeBSD.ORG Tue Dec 16 07:01:19 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 301EC16A4CE for ; Tue, 16 Dec 2003 07:01:19 -0800 (PST)
Received: from GWOUT.thalesgroup.com (gwout.thalesgroup.com [195.101.39.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A4F543D2D for ; Tue, 16 Dec 2003 07:01:17 -0800 (PST) (envelope-from Regis.HANNA@fr.thalesgroup.com)
Received: from thalescan.corp.thales (200.3.2.3) by GWOUT.thalesgroup.com (NPlex 6.5.026) id 3FD7086F00116147 for freebsd-net@freebsd.org; Tue, 16 Dec 2003 16:00:43 +0100
Received: from tccplex.tcc.thomson-csf.com ([200.3.1.11]) by thalescan with InterScan Messaging Security Suite; Tue, 16 Dec 2003 16:00:22 +0100
Received: from NODALNET.clb.tcfr.thales (146.11.5.4) by tccplex.tcc.thomson-csf.com (NPlex 6.5.026) id 3EC391A20040D91C for freebsd-net@freebsd.org; Tue, 16 Dec 2003 16:00:48 +0100
Received: by NODALNET.clb.tcfr.thales with Internet Mail Service (5.5.2653.19) id ; Tue, 16 Dec 2003 16:00:22 +0100
From: Regis.HANNA@fr.thalesgroup.com
To: freebsd-net@freebsd.org
Date: Tue, 16 Dec 2003 16:00:18 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Subject: Problems using ipsec transport mode with a gateway
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 16 Dec 2003 15:01:19 -0000

Hello,

My network configuration is 2 subnets separated by a gateway:

    |--------| 1.1.1.0/24 |-----------------| 2.1.1.0/24 |--------------|
    | Host 1 |------------| FreeBSD gateway |------------| FreeBSD host |
    |--------|            |-----------------|            |--------------|
     1.1.1.4           1.1.1.1           2.1.1.1            2.1.1.4
           non ciphered data                   ciphered data

I want to protect data between Host 1 and FreeBSD host, only in the 2.1.1.0/24 subnet, by using ipsec in TRANSPORT mode. I chose transport mode because of low overhead and higher performance.

I observe that data from Host 1 to FreeBSD host are ok, but data from FreeBSD host to Host 1 are STOPPED in the FreeBSD gateway. When I use ipsec in tunnel mode it is always ok.

The FreeBSD gateway setkey configuration is:

    add 2.1.1.1 2.1.1.4 esp 1000 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
    add 2.1.1.4 2.1.1.1 esp 1001 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
    spdadd 1.1.1.4 2.1.1.4 any -P out ipsec esp/transport/2.1.1.1-2.1.1.4/require;
    spdadd 2.1.1.4 1.1.1.4 any -P in ipsec esp/transport/2.1.1.4-2.1.1.1/require;

The FreeBSD host setkey configuration is:

    add 2.1.1.1 2.1.1.4 esp 1000 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
    add 2.1.1.4 2.1.1.1 esp 1001 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
    spdadd 1.1.1.4 2.1.1.4 any -P in ipsec esp/transport/2.1.1.1-2.1.1.4/require;
    spdadd 2.1.1.4 1.1.1.4 any -P out ipsec esp/transport/2.1.1.4-2.1.1.1/require;

I use FreeBSD 5.1.

Thank you in advance,
Regis Hanna.
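An added example, not part of Regis's mail and not FreeBSD or setkey(8) code: a small Python consistency check over setkey-style lines. In transport mode the ESP header sits directly behind the packet's own IP header, so the SA endpoints have to be the packet's own source and destination; a transport-mode policy whose selector addresses (here Host 1 at 1.1.1.4) differ from the SA endpoints (the gateway at 2.1.1.1) therefore describes traffic the SA cannot protect, whereas tunnel mode wraps the packet in a new outer header and allows that difference. The check parses only the `add` / `spdadd` forms used in the thread, reports transport-mode selector/SA mismatches and policies that reference an SA not loaded, and is run on the two configurations quoted above plus a constructed tunnel-mode variant of the gateway configuration.

```python
"""Consistency check for setkey(8)-style SA and SPD entries (added example)."""
import re
from collections import namedtuple

SA = namedtuple("SA", "src dst proto spi mode")
Policy = namedtuple("Policy", "src dst direction proto mode sa_src sa_dst level")

# 'add <src> <dst> <esp|ah> <spi> -m <mode> ...'  (only the fields the check needs)
SA_RE = re.compile(
    r"^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+-m\s+(transport|tunnel)\b"
)
# 'spdadd <src> <dst> <upperspec> -P <in|out> ipsec <proto>/<mode>/<sa_src>-<sa_dst>/<level>'
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/([^-/]+)-([^/]+)/(\w+)"
)


def parse_setkey(text):
    """Return (sas, policies) parsed from setkey lines; unknown lines are ignored."""
    sas, policies = [], []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        m = SA_RE.match(line)
        if m:
            src, dst, proto, spi, mode = m.groups()
            sas.append(SA(src, dst, proto, int(spi), mode))
            continue
        m = SPD_RE.match(line)
        if m:
            policies.append(Policy(*m.groups()))
    return sas, policies


def check_policies(sas, policies):
    """Return human-readable findings; an empty list means no inconsistency found."""
    findings = []
    loaded = {(s.src, s.dst, s.proto, s.mode) for s in sas}
    for p in policies:
        # Transport mode cannot rewrite addresses: the SA endpoints must be the
        # selector's own source and destination, otherwise the policy is never usable.
        if p.mode == "transport" and (p.src, p.dst) != (p.sa_src, p.sa_dst):
            findings.append(
                f"{p.direction} policy {p.src}->{p.dst}: transport-mode SA endpoints "
                f"{p.sa_src}->{p.sa_dst} differ from the selector addresses"
            )
        # A 'require' policy whose SA is not loaded drops the traffic it matches.
        if (p.sa_src, p.sa_dst, p.proto, p.mode) not in loaded:
            findings.append(
                f"{p.direction} policy {p.src}->{p.dst}: no {p.proto} {p.mode} SA "
                f"{p.sa_src}->{p.sa_dst} loaded"
            )
    return findings


def audit(text):
    return check_policies(*parse_setkey(text))


# The two configurations quoted in the mail.
GATEWAY_CONF = """
add 2.1.1.1 2.1.1.4 esp 1000 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
add 2.1.1.4 2.1.1.1 esp 1001 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
spdadd 1.1.1.4 2.1.1.4 any -P out ipsec esp/transport/2.1.1.1-2.1.1.4/require;
spdadd 2.1.1.4 1.1.1.4 any -P in ipsec esp/transport/2.1.1.4-2.1.1.1/require;
"""
HOST_CONF = """
add 2.1.1.1 2.1.1.4 esp 1000 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
add 2.1.1.4 2.1.1.1 esp 1001 -m transport -E rijndael-cbc "PASSWORDPASSWORD";
spdadd 1.1.1.4 2.1.1.4 any -P in ipsec esp/transport/2.1.1.1-2.1.1.4/require;
spdadd 2.1.1.4 1.1.1.4 any -P out ipsec esp/transport/2.1.1.4-2.1.1.1/require;
"""
# Constructed for this example: the gateway configuration with tunnel mode, where
# selector and SA endpoints are allowed to differ (not from the mail).
TUNNEL_GATEWAY_CONF = """
add 2.1.1.1 2.1.1.4 esp 1000 -m tunnel -E rijndael-cbc "PASSWORDPASSWORD";
add 2.1.1.4 2.1.1.1 esp 1001 -m tunnel -E rijndael-cbc "PASSWORDPASSWORD";
spdadd 1.1.1.4 2.1.1.4 any -P out ipsec esp/tunnel/2.1.1.1-2.1.1.4/require;
spdadd 2.1.1.4 1.1.1.4 any -P in ipsec esp/tunnel/2.1.1.4-2.1.1.1/require;
"""

if __name__ == "__main__":
    for name, conf in (("gateway", GATEWAY_CONF), ("host", HOST_CONF),
                       ("gateway (tunnel)", TUNNEL_GATEWAY_CONF)):
        print(f"== {name}")
        for f in audit(conf) or ["no findings"]:
            print("  " + f)
```

Both transport-mode configurations from the mail produce two findings each (every policy pairs Host 1's address with a gateway SA endpoint), while the constructed tunnel-mode variant produces none; running the script on a setkey file before loading it is a cheap way to catch this class of mismatch.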