Date:      Thu, 24 Apr 2003 10:57:44 +0200 (CEST)
From:      Ludo Koren <lk@tempest.sk>
To:        larse@ISI.EDU
Cc:        freebsd-current@freebsd.org
Subject:   Re: IPsec on FreeBSD 5.0-RELEASE-p7
Message-ID:  <200304240857.h3O8vixJ042188@lk.tempest.sk>
In-Reply-To: <3EA6781F.3030600@isi.edu> (message from Lars Eggert on Wed, 23 Apr 2003 07:25:19 -0400)


First of all, thank you very much for your answer. 

>>>>> Lars Eggert <larse@ISI.EDU> writes:


     > On 4/23/2003 6:16 AM, Ludo Koren wrote:

    >> After upgrading to FreeBSD 5.0-RELEASE-p7 (COMPAQ) #0: Sun Apr
    >> 20 21:50:49 CEST 2003 IPsec stopped working.
    >> 
    >> I have the following options in the kernel configuration:
    >> 
    >> options IPSEC           #IP security
    >> options IPSEC_ESP       #IP security (crypto; define w/ IPSEC)
    >> options IPSEC_DEBUG     #debug for IP security
    >> 
    >> and the IPsec configuration was working with FreeBSD 4.6:
    >> 
    >> #! /bin/sh
    >> 
    >> /sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
    >> /usr/sbin/gifconfig gif0 inet 195.28.126.7 195.91.63.194
    >> /sbin/ifconfig gif0 inet x.x.x.x netmask 255.255.255.255 y.y.y.0 netmask 255.255.255.0 up
    >> 
    >> /usr/sbin/setkey -FP
    >> /usr/sbin/setkey -F
    >> /usr/sbin/setkey -c << EOF
    >> 
    >> spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
    >> spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
    >> 
    >> EOF
    >> 
    >> /sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface
    >> /usr/local/sbin/racoon
    >> 
    >> 
    >> I can see via tcpdump on fxp0 that ESP packets are going to the
    >> destination and back. But unfortunately, ping doesn't get the
    >> response. It seems packets do not come back through the gif0
    >> interface, though tcpdump on the fxp0 interface gets them.

     > you're using IPsec tunnel mode together with a parallel IPIP
     > gif tunnel.  This has been suggested in a bunch of online
     > "tutorials" on IPsec, but is a bad idea, with both -stable and
     > -current. The attached email message explains why.

     > In short, try this:

     > 1. remove IPSEC_DEBUG (not sure if this even still does
     >    something)
     > 2. don't configure the gif interface at all
     > 3. don't use the route command

It is working now, but only with the IP address of my Ethernet
interface. What I would like to do (maybe based on the Cisco VPN client
configuration) is to use a private IP address when communicating with
the other end of the IPsec tunnel. Even if I add
esp/transport/x.x.x.x-y.y.y.0/use to the above configuration, it is
not working. Is it possible at all, or am I doing something wrong?

     > i.e. just do the setkey commands you have above.

     > Alternatively, take a look at draft-touch-ipsec-vpn-05.txt,
     > which proposes an alternative that works with routing (but not
     > current IKE).

I have read the document, thanks for the pointer.

     > Lars
     > -- 
     > Lars Eggert <larse@isi.edu>           USC Information Sciences Institute

ludo
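Added example, not part of this thread and not FreeBSD's or setkey's own code: a small Python checker for setkey(8) spdadd policies of the shape quoted above, following Lars's advice to rely on the setkey policies alone. It parses the policy lines, checks that every policy has a mirror image in the opposite direction, that a tunnel-mode policy's endpoints are the two gateways' outer addresses in the right order for its direction, and that the level is "require" rather than "use" (with "use" the kernel falls back to cleartext when no SA exists). The gateway addresses are the ones posted in the thread; the inner addresses 192.0.2.10/32 and 198.51.100.0/24 stand in for the x.x.x.x / y.y.y.0 placeholders and are an assumption, as is the deliberately broken second sample.

```python
"""Consistency checker for setkey(8) spdadd policies (added example, not from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the two spdadd lines from the thread, with the x.x.x.x /
# y.y.y.0 placeholders replaced by RFC 5737 documentation prefixes (assumption).
SAMPLE_SPD = """
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
"""

# Constructed broken variant: the inbound policy copies the outbound endpoint
# order instead of swapping it, and downgrades "require" to "use".
BROKEN_SPD = """
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec esp/tunnel/195.28.126.7-195.91.63.194/use;
"""

# spdadd src dst upper -P dir ipsec proto/mode/[tsrc-tdst]/level;
# (the tsrc-tdst part is empty for transport mode, e.g. esp/transport//require)
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tsrc>[^-/\s]+)-(?P<tdst>[^-/\s]+))?/(?P<level>default|use|require|unique)\s*;$"
)


def parse_spd(text):
    """Parse spdadd lines into dicts; raise on anything the grammar above does not cover."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed setkey line: {line}")
        d = m.groupdict()
        policies.append({
            "src": ip_network(d["src"], strict=False),
            "dst": ip_network(d["dst"], strict=False),
            "upper": d["upper"], "dir": d["dir"], "proto": d["proto"],
            "mode": d["mode"], "level": d["level"],
            "tsrc": ip_address(d["tsrc"]) if d["tsrc"] else None,
            "tdst": ip_address(d["tdst"]) if d["tdst"] else None,
        })
    return policies


def check_policies(policies, local, remote):
    """Return a list of problems; an empty list means the SPD is self-consistent.

    local/remote are the outer (Ethernet) addresses of this gateway and the peer.
    """
    local, remote = ip_address(local), ip_address(remote)
    problems = []
    for p in policies:
        tag = f"{p['dir']} {p['src']}->{p['dst']}"
        if p["level"] != "require":
            # "use" only applies IPsec when an SA happens to exist; traffic
            # otherwise leaves in the clear.
            problems.append(f"{tag}: level is '{p['level']}', not 'require'")
        if p["mode"] == "tunnel":
            if p["tsrc"] is None:
                problems.append(f"{tag}: tunnel mode without src-dst endpoints")
                continue
            # Outbound: local-remote; inbound: remote-local.
            want = (local, remote) if p["dir"] == "out" else (remote, local)
            if (p["tsrc"], p["tdst"]) != want:
                problems.append(f"{tag}: tunnel endpoints {p['tsrc']}-{p['tdst']}, "
                                f"expected {want[0]}-{want[1]}")
    # Every policy needs a mirror image (src/dst swapped) in the other direction.
    for p in policies:
        mirrored = any(
            q["dir"] != p["dir"] and q["src"] == p["dst"] and q["dst"] == p["src"]
            and q["upper"] == p["upper"] and q["proto"] == p["proto"] and q["mode"] == p["mode"]
            for q in policies
        )
        if not mirrored:
            other = "in" if p["dir"] == "out" else "out"
            problems.append(f"{p['dir']} {p['src']}->{p['dst']}: no mirrored {other} policy")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SPD), ("broken", BROKEN_SPD)):
        probs = check_policies(parse_spd(text), "195.28.126.7", "195.91.63.194")
        print(name + ":", "OK" if not probs else "\n  " + "\n  ".join(probs))
```

Run it against the contents of a `setkey -c` here-document (or the output of `setkey -DP` pasted into a file) before loading a policy set; the endpoint-order check catches the most common hand-editing mistake in a mirrored pair, and the level check flags the "use" policies that quietly let traffic through unprotected.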



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200304240857.h3O8vixJ042188>