Re: IPSEC config
From: Michael Proto (email@example.com)
- In reply to: Paul Root: "IPSEC config"
Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT)
From: Michael Proto <firstname.lastname@example.org>
To: Paul Root <email@example.com>
Have you used ifconfig to set up the inside points of your gif tunnel?
gifconfig only sets the outside IP addresses of your security gateways.
You still need to use ifconfig to set the point-to-point link on the
public IP: 22.214.171.124
private net IP: 10.0.0.1
public IP: 126.96.36.199
private net IP: 10.0.10.1
on Gateway A:
gifconfig gif0 188.8.131.52 184.108.40.206
ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0
and vice versa on Gateway B.
From the looks of it, you seem to be missing the 'inside IP' configuration
of your gif tunnels.
On Thu, 13 Sep 2001, Paul Root wrote:
> I'm trying to set up an IPSec tunnel and am having trouble.
> Both machines are 4.4 RC3 (I think, last week). And when I set it up
> for a transport between the two machines it works fine, so racoon
> must be fine.
> I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> Here's my config on one end:
> # These commands need to be run on acesfbsd to
> # connect to lorax, in a IPSEC test
> # Setup the tunnel device.
> gifconfig gif0 10.20.30.4 172.28.56.82
> # The next 2 lines delete all existing entries
> # from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c <<EOF
> spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec
> spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec
> The man pages on gif and gifconfig are vague to me, but I think I've
> got it, those are the actual addresses of the boxes, right? Also, the
> howto had transport instead of tunnel in the spdadd lines but
> the man page suggests tunnel.
> I'm sure I'm doing something horribly wrong.
--
Michael Proto | firstname.lastname@example.org
Security Engineer, EarthLink Inc. | (404)815-0770 x22114
-------------------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
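
The check described in the reply above, as an added example that is not part of the original message: an sh/awk lint that reads a tunnel setup script and reports any gif interface that has outer addresses from gifconfig but no inner point-to-point addresses from ifconfig. The function name check_gif and the sample variables are hypothetical; the sample commands are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). check_gif is a hypothetical helper.
# It reads a tunnel setup script on stdin and reports, per gif interface,
# whether both the outer (gifconfig) and inner (ifconfig) addresses are set.
check_gif() {
    awk '
        { sub(/[#].*/, "") }        # drop shell comments
        NF == 0 { next }            # skip blank lines
        # gifconfig gifN OUTER_LOCAL OUTER_REMOTE: gateway (outside) addresses
        $1 == "gifconfig" && $2 ~ /^gif[0-9]+$/ && NF >= 4 {
            if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 }
            outer[$2] = $3 " " $4
        }
        # ifconfig gifN inet LOCAL REMOTE ...: inside point-to-point link
        $1 == "ifconfig" && $2 ~ /^gif[0-9]+$/ && $3 == "inet" && NF >= 5 {
            if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 }
            inner[$2] = $4 " " $5
        }
        END {
            for (i = 1; i <= n; i++) {
                ifc = order[i]
                if (!(ifc in outer))
                    print ifc ": inner addresses set, no gifconfig outer addresses"
                else if (!(ifc in inner))
                    print ifc ": outer " outer[ifc] " set, no ifconfig inner addresses"
                else
                    print ifc ": ok, outer " outer[ifc] ", inner " inner[ifc]
            }
        }
    '
}

# Constructed samples built from the commands quoted in the thread.
PAUL_CFG='# Setup the tunnel device.
gifconfig gif0 10.20.30.4 172.28.56.82
setkey -FP
setkey -F'
GATEWAY_A_CFG='gifconfig gif0 188.8.131.52 184.108.40.206
ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0'

printf '%s\n' "$PAUL_CFG" | check_gif
printf '%s\n' "$GATEWAY_A_CFG" | check_gif
```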