Re: IPsec on FreeBSD 5.0-RELEASE-p7

From: Ludo Koren <lk_at_tempest.sk>
Date: Thu, 24 Apr 2003 10:57:44 +0200 (CEST)
First of all, thank you very much for your answer. 

>>>>> Lars Eggert <larse_at_ISI.EDU> writes:


     > On 4/23/2003 6:16 AM, Ludo Koren wrote:

    >> After upgrading to FreeBSD 5.0-RELEASE-p7 (COMPAQ) #0: Sun Apr
    >> 20 21:50:49 CEST 2003 IPsec stopped working.
    >> 
    >> I have the following options in the kernel configuration:
    >> 
    >> options IPSEC         #IP security
    >> options IPSEC_ESP     #IP security (crypto; define w/ IPSEC)
    >> options IPSEC_DEBUG   #debug for IP security
    >> 
    >> and the IPsec configuration was working with FreeBSD 4.6:
    >> 
    >> #! /bin/sh
    >> 
    >> /sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
    >> /usr/sbin/gifconfig gif0 inet 195.28.126.7 195.91.63.194
    >> /sbin/ifconfig gif0 inet x.x.x.x netmask 255.255.255.255 y.y.y.0 netmask 255.255.255.0 up
    >> 
    >> /usr/sbin/setkey -FP
    >> /usr/sbin/setkey -F
    >> /usr/sbin/setkey -c << EOF
    >> 
    >> spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
    >> spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
    >> 
    >> EOF
    >> 
    >> /sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface
    >> /usr/local/sbin/racoon
    >> 
    >> 
    >> I can see via tcpdump on fxp0 that ESP packets are going to the
    >> destination and back. But unfortunately, ping doesn't get the
    >> response. It seems packets do not come back through the gif0
    >> interface, though tcpdump on the fxp0 interface gets them.

     > you're using IPsec tunnel mode together with a parallel IPIP
     > gif tunnel.  This has been suggested in a bunch of online
     > "tutorials" on IPsec, but is a bad idea, with both -stable and
     > -current. The attached email message explains why.

     > In short, try this:

     > 1. remove IPSEC_DEBUG (not sure if this even still does something)
     > 2. don't configure the gif interface at all
     > 3. don't use the route command

It is working now, but only with the IP address of my ethernet
interface. What I would like to do (maybe based on the Cisco VPN client
configuration) is to use a private IP address when communicating with
the other end of the IPsec tunnel. Even if I add
esp/transport/x.x.x.x-y.y.y.0/use to the above configuration, it is
not working. Is it possible at all, or am I doing something wrong?

     > i.e. just do the setkey commands you have above.

     > Alternatively, take a look at draft-touch-ipsec-vpn-05.txt,
     > which proposes an alternative that works with routing (but not
     > current IKE).

I have read the document, thanks for the pointer.

     > Lars
     > --
     > Lars Eggert <larse_at_isi.edu>    USC Information Sciences Institute

ludo
Received on Wed Apr 23 2003 - 23:57:48 UTC
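As an added sanity check for the kind of setkey policy pair quoted in this thread (my own script, not from the thread or from FreeBSD), the following parses the spdadd statements that would be fed to `setkey -c` and verifies that the in and out policies are mirror images of each other: selector src/dst swapped, tunnel endpoints swapped, same policy level. The addresses in the sample policies are constructed.

```python
"""Check that a setkey(8) 'spdadd' in/out pair is consistent.
Added example, not part of the mailing-list thread; sample policies below are constructed."""
import re

# One spdadd statement: selector, direction, protocol/mode/endpoints/level.
# Transport mode is written with empty endpoints (esp/transport//require).
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<ipsec_proto>esp|ah)/(?P<mode>tunnel|transport)"
    r"/(?:(?P<local>[^-/]+)-(?P<remote>[^/]+))?/(?P<level>require|use|default)\s*;"
)

def parse_policies(text):
    """Return one dict per spdadd statement found in the policy text."""
    return [m.groupdict() for m in SPDADD_RE.finditer(text)]

def check_mirror(policies):
    """Return a list of problems; an empty list means the pair is consistent."""
    outs = [p for p in policies if p["dir"] == "out"]
    ins = [p for p in policies if p["dir"] == "in"]
    if len(outs) != 1 or len(ins) != 1:
        return [f"expected one in and one out policy, got {len(ins)} in / {len(outs)} out"]
    o, i = outs[0], ins[0]
    problems = []
    if (o["src"], o["dst"]) != (i["dst"], i["src"]):
        problems.append("selector src/dst not mirrored between out and in")
    if o["mode"] != i["mode"]:
        problems.append("modes differ between out and in")
    elif o["mode"] == "tunnel" and (o["local"], o["remote"]) != (i["remote"], i["local"]):
        problems.append("tunnel endpoints not mirrored between out and in")
    if o["level"] != i["level"]:
        problems.append("policy levels differ between out and in")
    return problems

# Constructed sample: a correct pair, and one where the 'in' endpoints were not swapped.
GOOD = """
spdadd 10.0.0.1/32 192.0.2.0/24 any -P out ipsec esp/tunnel/198.51.100.7-203.0.113.194/require;
spdadd 192.0.2.0/24 10.0.0.1/32 any -P in ipsec esp/tunnel/203.0.113.194-198.51.100.7/require;
"""
BAD = """
spdadd 10.0.0.1/32 192.0.2.0/24 any -P out ipsec esp/tunnel/198.51.100.7-203.0.113.194/require;
spdadd 192.0.2.0/24 10.0.0.1/32 any -P in ipsec esp/tunnel/198.51.100.7-203.0.113.194/require;
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_mirror(parse_policies(text)) or "ok")
```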