IPSEC tunnel & setkey, How do I tell if setkey worked?

From: jomor (jomor@ahpcns.com)
Date: 03/11/01


Date: Sun, 11 Mar 2001 00:49:45 -0600
From: jomor <jomor@ahpcns.com>
To: freebsd-security@freebsd.org

I'm finally trying to get a VPN set up between home (DSL) and work
(T-1). I've been running FreeBSD on my home firewall for a few years and
now I want it to be an IPSEC tunnel endpoint. The other end will be
another FreeBSD box first, and maybe eventually a WatchGuard Firebox II
firewall "appliance". I'm testing off-line for now. I haven't been able
to find any info on integrating my ipfw rules with the tunnel so I've
got test boxes set up in an "open" firewall config. I figure I'll get
the tunnel up first and then break it while I try different ipfw rules.

My kernels have the IPSEC and IPSEC_ESP options included. I have the
following "/etc/ipsec.conf" files:

Host 1

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec
        esp/tunnel/192.168.98.19-192.168.98.17/require;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec
        esp/tunnel/192.168.98.17-192.168.98.19/require;

Host 2

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec
        esp/tunnel/192.168.98.17-192.168.98.19/require;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec
        esp/tunnel/192.168.98.19-192.168.98.17/require;

Both are running with gateway enabled, firewall "OPEN" and natd running.
The 192.168.98.x addresses are what would normally be their public
interfaces.

"setkey -f /etc/ipsec.conf" runs without generating any errors, "setkey
-D" and "setkey -D -P" display my entries OK, but I was expecting
"netstat -nr" to show routes for the tunnel, or "ifconfig -a" to show
some change in at least one of my "gifn" interfaces, but I'm not seeing
it. So I thought I'd run "gifconfig", "ifconfig" and "route add" to set
up the tunnel first (modifying the ipsec.conf files to use the gif0
addresses). While that did set up a functioning tunnel, I didn't see any
evidence of encryption happening. The tunnel kept working even if I ran
setkey on only one of the endpoints.

What am I missing (or doing wrong)? Things have been a little more
complex than they need to be since one of my test "firewalls" is a laptop
and getting two PCMCIA Ethernet cards to work at the same time has been
a challenge.

All help is much appreciated.

                        tia ...jgm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
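One way to answer the question in the subject from the box itself, added here as an example and not part of the original post or of FreeBSD: a small sh script that cross-checks "setkey -D" (the SAD) against "setkey -D -P" (the SPD) and reports, for each tunnel policy, whether an SA with exactly that endpoint pair exists and how many bytes it has carried. The sample outputs are constructed in KAME setkey format (not captured from the poster's machines), with the second SA's destination deliberately mistyped (192.169 instead of 192.168) to show how a one-digit address slip surfaces as MISSING.

```shell
#!/bin/sh
# Added example (not from the original post or FreeBSD): cross-check the SAD
# ("setkey -D") against the SPD ("setkey -D -P") and report, per tunnel policy,
# whether a matching SA exists and how many bytes it has carried.  Input is
# KAME setkey output as printed on FreeBSD 4.x.  SAD_SAMPLE and SPD_SAMPLE are
# constructed; the dst 192.169.98.17 in the second SA is a deliberate typo.
SAD_SAMPLE='192.168.98.17 192.168.98.19
    esp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
    E: des-cbc  74657374 74657374
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
192.168.98.19 192.169.98.17
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    E: des-cbc  74657374 74657374
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)'
SPD_SAMPLE='172.18.10.0/24[any] 172.18.0.0/24[any] any
    out ipsec
    esp/tunnel/192.168.98.17-192.168.98.19/require
    spid=1 seq=1 pid=100
    refcnt=1
172.18.0.0/24[any] 172.18.10.0/24[any] any
    in ipsec
    esp/tunnel/192.168.98.19-192.168.98.17/require
    spid=2 seq=0 pid=100
    refcnt=1'

# spd_check SAD SPD: prints one line per tunnel policy,
# "<dir> <src> <dst> OK|MISSING <bytes>".  MISSING means no SA in the SAD has
# exactly that src/dst pair; bytes stuck at 0 after traffic means the policy
# never matched (for instance because packets went through a gif tunnel).
spd_check() {
  { printf '%s\n' "$1"; echo '=== SPD ==='; printf '%s\n' "$2"; } | awk '
    /^=== SPD ===$/ { mode = "spd"; next }
    mode != "spd" && /^[0-9]/          { src = $1; dst = $2 }
    mode != "spd" && /^[ \t]*current:/ { sub(/\(bytes\)/, "", $2); bytes[src " " dst] = $2 }
    mode == "spd" && /^[ \t]*(in|out) ipsec/ { dir = $1 }
    mode == "spd" && /\/tunnel\// {
      split($0, p, "/"); split(p[3], ep, "-"); key = ep[1] " " ep[2]
      if (key in bytes) print dir, key, "OK", bytes[key]
      else              print dir, key, "MISSING", 0
    }'
}

# tunnel_up SAD SPD: exit 0 only when every policy has an SA that has carried
# traffic; anything else means setkey "worked" but nothing is being encrypted.
tunnel_up() {
  spd_check "$1" "$2" | awk 'BEGIN { bad = 0 }
    $4 != "OK" || $5 == 0 { bad = 1 } END { exit bad }'
}

spd_check "$SAD_SAMPLE" "$SPD_SAMPLE"
```

On the real endpoints, run spd_check "$(setkey -D)" "$(setkey -D -P)" before and after pinging across the tunnel: counters that stay at 0 mean the SPD never matched the traffic. The final confirmation that ESP rather than cleartext is leaving the box is tcpdump on the outer interface with the filter "ip proto 50".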
