Date: Sun, 20 Apr 2003 18:26:14 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Lars Eggert <larse@ISI.EDU> Cc: "Crist J. Clark" <cjc@FreeBSD.org> Subject: Re: Single IP host and IPsec tunnel mode experience Message-ID: <20030420232614.GA41554@madman.celabo.org> In-Reply-To: <3EA2D6F5.4060209@isi.edu> References: <20030410161511.GA25681@madman.celabo.org> <20030416052335.GA2519@blossom.cjclark.org> <20030416123621.GC72501@madman.celabo.org> <20030420165538.GA31101@madman.celabo.org> <3EA2D6F5.4060209@isi.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Apr 20, 2003 at 10:20:53AM -0700, Lars Eggert wrote:
> On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote:
> >On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
> >
> >>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
> >>
> >>>'uname -a'?
> >>
> >>The endpoints were both 4.7.
> >>
> >>
> >>>I can't reproduce this on a 4.8 to 4.7 tunnel. On
> >>>192.168.64.70,
> >>>
> >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
> >>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
> >>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> >>>
> >>>And on 192.168.64.20, the gateway to 10.0.0.0/24,
> >>>
> >>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P in
> >>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
> >>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
> >>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
> >>>
> >>>Works fine.
> >>
> >>Hmm, yes, that appears to be exactly what I'm trying to do. Well,
> >>that's heartening ... it means that there is likely some anomoly in my
> >>environment that is hosing me. Now if only I can figure what it is :-)
> >
> >
> >Oddly enough ... ESP works, AH does not.
>
> Are you going through a NAT box? (Sorry, haven't been following this
> thread closely.) AH includes more of the IP header when computing the
> crypto checksum (compared to ESP), if those fields get diddled by a NAT
> box, the receiver will drop the packets because of bad crypto. One of
> the netstat counters on the receiver will show this.
No NAT.
> If you need to authenticate, maybe try using ESP authentication?
Yes, I believe that's what I tested. e.g.
223.223.223.223 117.117.117.117
esp mode=tunnel spi=40396514(0x26866e25) reqid=0(0x00000000)
E: 3des-cbc 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14 1e11dd81
A: hmac-sha1 4dafcf14 1e11dd81 4dafcf14 1e11dd81 4dafcf14
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 2 07:52:31 2003 current: Mar 2 07:59:28 2003
diff: 20(s) hard: 30(s) soft: 24(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=90010 refcnt=1
I actually don't need AH ... I was using AH because it is easier to see
what is going on.
Cheers,
--
Jacques A. Vidrine <nectar@celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030420232614.GA41554>