Too stupid for IPsec
From: Bernhard Schmidt (email@example.com)
- Next message: Doug Barton: "Re: Too stupid for IPsec"
- Previous message: Crist J. Clark: "Re: ipfw-ntad-jail"
- Next in thread: Doug Barton: "Re: Too stupid for IPsec"
- Reply: Doug Barton: "Re: Too stupid for IPsec"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 16 Jun 2002 23:55:39 +0200 From: Bernhard Schmidt <firstname.lastname@example.org> To: email@example.com
Warning, this is quite long. I don't know whether there is a better
group for IPsec related things, if so please drop me a note.
I just tried to establish a secure connection with IPsec between my
router at home and my machine at work.
The machine at home (heimdall) is running FBSD 4.6-RELEASE, the other
one (lupus) is running FBSD 4.5-RELEASE-p4. Both have IPSEC, IPSEC_ESP
and IPSEC_DEBUG integrated in the kernel.
The structure of the network is as follows:
Linux ---+----------------+ heimdall +------- (some routers) ------->
FreeBSD ---+ 220.127.116.11/29 18.104.22.168/32 (alias)
<----------------+ lupus |
At the moment I'm trying to encrypt/authenticate the data, when there is
a connection between frigg (a not-ipsec aware linux box in my /29 above)
and lupus. As far as I have understood the documentation, I need the
tunnel mode in this case.
My current approach looks like the following. I generated my spi
definitions into a file and copy&pasted them into "setkey -c" on both
add 22.214.171.124 126.96.36.199 esp 1000 -m tunnel -E rijndael-cbc
"1234567890123456" -A hmac-sha1 "12345678901234567890" ;
add 188.8.131.52 184.108.40.206 esp 2000 -m tunnel -E rijndael-cbc
"2345678901234567" -A hmac-sha1 "23456789012345678901" ;
then I created my SPDs by adding
spdadd 220.127.116.11/32 18.104.22.168/32 any -P out ipsec
on heimdall and
spdadd 22.214.171.124/32 126.96.36.199/32 any -P out ipsec
on lupus. When I ping/telnet lupus from frigg and vice versa I can see
ESP packets in tcpdump with the correct spi. But nothing more happens.
lupus does not react on anything it receives with ESP and heimdall does
not forward the (now unencrypted) packet to its second ethernet device.
net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but
nothing shows up in the logfile (yes, syslog is set up correctly).
Any ideas what could be missing/wrong? Any help appreciated, I'm
probably just too blind to see the obvious solution.
-- bye bye Bernhard To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message