Re: IPSEC config

From: Michael Proto (echo.ranger@corp.earthlink.net)
Date: 09/13/01


Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT)
From: Michael Proto <echo.ranger@corp.earthlink.net>
To: Paul Root <proot@iaces.com>

Paul,

Have you used ifconfig to setup the inside points of your gif tunnel?
gifconfig only sets the outside IP addresses of your security gateways.
You still need to use ifconfig to set the point-to-point link on the
inside.

for ex:

Gateway A:
public IP: 199.54.21.1
private net IP: 10.0.0.1

Gateway B:
public IP: 199.54.85.4
private net IP: 10.0.10.1

on Gateway A:
gifconfig gif0 199.54.21.1 199.54.85.4
ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0

and vice versa on Gateway B.

From the looks of it, you seem to be missing the 'inside IP' configuration
of your gif tunnels.

Good luck,
Michael Proto

On Thu, 13 Sep 2001, Paul Root wrote:

> Hi,
> I'm trying to setup a IPSec tunnel and am having trouble.
> Both machines are 4.4 RC3 (I think, last week). And when I set it up
> for a transport between the two machines it works fine, so racoon
> must be fine.
>
> I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> Here's my config on one end:
>
> #!/bin/sh
> # These commands need to be run on acesfbsd to
> # connect to lorax, in a IPSEC test
> #
> # Setup the tunnel device.
> gifconfig gif0 10.20.30.4 172.28.56.82
> #
> # The next 2 lines delete all existing entries
> # from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c <<EOF
> spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec
> esp/tunnel/10.20.30.4-172.28.56.82/require;
> spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec
> esp/tunnel/172.28.56.82-10.20.30.4/require;
> EOF
>
>
>
> The man page on gif and gifconfig are vague to me, but I think I've
> got it, those are the actual addresses of the boxes right? Also, the
> howto had transport instead of tunnel in the spdadd lines but
> the man page suggests tunnel.
>
> I'm sure I'm doing something horribly wrong.
>
> Thanks,
> Paul.
>
>

-- 
Michael Proto                      | echo.ranger@corp.earthlink.net
Security Engineer, EarthLink Inc.  | (404)815-0770 x22114
-------------------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message