Date: Sun, 20 Apr 2003 18:26:14 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Lars Eggert <larse@ISI.EDU> Cc: "Crist J. Clark" <cjc@FreeBSD.org> Subject: Re: Single IP host and IPsec tunnel mode experience Message-ID: <20030420232614.GA41554@madman.celabo.org> In-Reply-To: <3EA2D6F5.4060209@isi.edu> References: <20030410161511.GA25681@madman.celabo.org> <20030416052335.GA2519@blossom.cjclark.org> <20030416123621.GC72501@madman.celabo.org> <20030420165538.GA31101@madman.celabo.org> <3EA2D6F5.4060209@isi.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Apr 20, 2003 at 10:20:53AM -0700, Lars Eggert wrote: > On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote: > >On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote: > > > >>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote: > >> > >>>'uname -a'? > >> > >>The endpoints were both 4.7. > >> > >> > >>>I can't reproduce this on a 4.8 to 4.7 tunnel. On > >>>192.168.64.70, > >>> > >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out > >>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require; > >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P in > >>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require; > >>> > >>>And on 192.168.64.20, the gateway to 10.0.0.0/24, > >>> > >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P in > >>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require; > >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P out > >>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require; > >>> > >>>Works fine. > >> > >>Hmm, yes, that appears to be exactly what I'm trying to do. Well, > >>that's heartening ... it means that there is likely some anomoly in my > >>environment that is hosing me. Now if only I can figure what it is :-) > > > > > >Oddly enough ... ESP works, AH does not. > > Are you going through a NAT box? (Sorry, haven't been following this > thread closely.) AH includes more of the IP header when computing the > crypto checksum (compared to ESP), if those fields get diddled by a NAT > box, the receiver will drop the packets because of bad crypto. One of > the netstat counters on the receiver will show this. No NAT. > If you need to authenticate, maybe try using ESP authentication? Yes, I believe that's what I tested. e.g. 223.223.223.223 117.117.117.117 esp mode=tunnel spi=40396514(0x26866e25) reqid=0(0x00000000) E: 3des-cbc 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14 1e11dd81 A: hmac-sha1 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14 seq=0x00000000 replay=4 flags=0x00000000 state=mature created: Mar 2 07:52:31 2003 current: Mar 2 07:59:28 2003 diff: 20(s) hard: 30(s) soft: 24(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=2 pid=90010 refcnt=1 I actually don't need AH ... I was using AH because it is easier to see what is going on. Cheers, -- Jacques A. Vidrine <nectar@celabo.org> http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030420232614.GA41554>