Too stupid for IPsec

From: Bernhard Schmidt (berni@birkenwald.de)
Date: 06/16/02


Date: Sun, 16 Jun 2002 23:55:39 +0200
From: Bernhard Schmidt <berni@birkenwald.de>
To: freebsd-security@freebsd.org

Warning, this is quite long. I don't know whether there is a better
group for IPsec-related things; if so, please drop me a note.

I just tried to establish a secure connection with IPsec between my
router at home and my machine at work.

The machine at home (heimdall) is running FBSD 4.6-RELEASE, the other
one (lupus) is running FBSD 4.5-RELEASE-p4. Both have IPSEC, IPSEC_ESP
and IPSEC_DEBUG integrated in the kernel.

The structure of the network is as follows:

At home:

Windows ---+
           |         +----------+
Linux -----+---------+ heimdall +------- (some routers) ------->
           |         +----------+
FreeBSD ---+     195.143.230.217/29    195.143.230.215/32 (alias)

                     +-------+
<--------------------+ lupus |
                     +-------+
                  195.143.155.4/32

At the moment I'm trying to encrypt/authenticate the data when there is
a connection between frigg (a non-IPsec-aware Linux box in my /29 above)
and lupus. As far as I have understood the documentation, I need
tunnel mode in this case.

My current approach looks like the following. I generated my SPI
definitions into a file and copy-and-pasted them into "setkey -c" on both
sides.

add 195.143.230.215 195.143.155.4 esp 1000 -m tunnel -E rijndael-cbc
   "1234567890123456" -A hmac-sha1 "12345678901234567890" ;
add 195.143.155.4 195.143.230.215 esp 2000 -m tunnel -E rijndael-cbc
   "2345678901234567" -A hmac-sha1 "23456789012345678901" ;

then I created my SPDs by adding

spdadd 195.143.230.220/32 195.143.155.4/32 any -P out ipsec
   esp/tunnel/195.143.230.215-195.143.155.4/require ;

on heimdall and

spdadd 195.143.155.4/32 195.143.230.220/32 any -P out ipsec
   esp/tunnel/195.143.155.4-195.143.230.215/require ;

on lupus. When I ping/telnet lupus from frigg and vice versa, I can see
ESP packets in tcpdump with the correct SPI. But nothing more happens.
lupus does not react to anything it receives with ESP, and heimdall does
not forward the (now unencrypted) packet to its second Ethernet device.
net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but
nothing shows up in the logfile (yes, syslog is set up correctly).

Any ideas what could be missing/wrong? Any help appreciated; I'm
probably just too blind to see the obvious solution.

-- 
   bye bye
     Bernhard
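The post's setkey statements use literal strings such as "1234567890123456" as the ESP and HMAC keys and define an `-P out` policy on each side only. The script below is an added example (not from the original post or from any of the FreeBSD project's code) that generates matching setkey(8) configurations for the two gateways in the post, using random key material from /dev/urandom and writing policies for both traffic directions. Addresses, SPIs and algorithms are the ones from the post; the output assumes the KAME setkey syntax of FreeBSD 4.x (keys given as 0x-prefixed hex, statements terminated by ';'), and the file names heimdall.conf and lupus.conf are this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post: generate matching KAME setkey
# configurations for heimdall and lupus with random keys and with SPD
# entries for both directions of traffic. Assumes FreeBSD 4.x setkey(8)
# syntax (0x-prefixed hex keys, ';'-terminated statements).

# Hex-encode N bytes from /dev/urandom using only POSIX od and tr.
rand_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Keys for one SA: 16-byte AES-128 (rijndael-cbc) key and 20-byte
# HMAC-SHA1 key, printed as "esp_key auth_key".
gen_sa_keys() {
    printf '%s %s\n' "$(rand_hex 16)" "$(rand_hex 20)"
}

# Print the setkey configuration for one gateway.
#   $1 local gateway    $2 remote gateway
#   $3 local network    $4 remote network  (what the tunnel protects)
#   $5 SPI local->remote   $6 SPI remote->local
#   $7 keys for SPI $5 ("esp auth")   $8 keys for SPI $6 ("esp auth")
# Both gateways are fed the same key strings with the roles swapped,
# so the SA database is identical on both ends.
setkey_conf() {
    lgw=$1 rgw=$2 lnet=$3 rnet=$4 spi_out=$5 spi_in=$6
    ek_out=${7%% *} ak_out=${7##* }
    ek_in=${8%% *}  ak_in=${8##* }
    cat <<EOF
flush;
spdflush;
add $lgw $rgw esp $spi_out -m tunnel -E rijndael-cbc 0x$ek_out -A hmac-sha1 0x$ak_out;
add $rgw $lgw esp $spi_in -m tunnel -E rijndael-cbc 0x$ek_in -A hmac-sha1 0x$ak_in;
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lgw-$rgw/require;
spdadd $rnet $lnet any -P in ipsec esp/tunnel/$rgw-$lgw/require;
EOF
}

# Write $1/heimdall.conf and $1/lupus.conf from one shared key set.
# heimdall: 195.143.230.215 (tunnel endpoint), protecting frigg 195.143.230.220
# lupus:    195.143.155.4
gen_pair() {
    dir=$1
    k1000=$(gen_sa_keys)    # SA heimdall -> lupus, SPI 1000 (from the post)
    k2000=$(gen_sa_keys)    # SA lupus -> heimdall, SPI 2000 (from the post)
    setkey_conf 195.143.230.215 195.143.155.4 \
        195.143.230.220/32 195.143.155.4/32 1000 2000 "$k1000" "$k2000" \
        > "$dir/heimdall.conf"
    setkey_conf 195.143.155.4 195.143.230.215 \
        195.143.155.4/32 195.143.230.220/32 2000 1000 "$k2000" "$k1000" \
        > "$dir/lupus.conf"
}

# Usage: sh gen_setkey.sh OUTDIR   (writes OUTDIR/heimdall.conf, OUTDIR/lupus.conf)
if [ $# -ge 1 ]; then
    gen_pair "$1"
    echo "wrote $1/heimdall.conf and $1/lupus.conf"
fi
```

Load each file on its host with `setkey -f heimdall.conf` (resp. `setkey -f lupus.conf`) and inspect the result with `setkey -D` and `setkey -DP`. Since both files carry the same secret keys, copy the remote one over an already-authenticated channel such as ssh and delete it after loading; the files are only as secret as the keys they contain.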