From: Kris Kennaway
To: Sam Wun
Cc: "'freebsd-security@freebsd.org'"
Date: Mon, 25 Sep 2000 17:37:37 -0700 (PDT)
Subject: Re: IPsec block my ssh remote login.
In-Reply-To: <39CFDB60.A69A3F49@eSec.com.au>

On Tue, 26 Sep 2000, Sam Wun wrote:

> I have just configured my 4.1 kernel with IPSEC enabled.
> After executing setkey, it blocks all my network traffic between my
> client and server machines.
> I can't even use ssh remote login. Then I used tcpdump to listen on one of
> the NICs which is dedicated to the network connection between my client and
> server machine. I can see ESP packets going through when I am running ssh,
> logging in to my client machine, but ssh seems to wait forever for the reply
> from my client machine.
>
> How can I get some sort of packet to go through with IPSEC protection?

Just configuring it in your kernel shouldn't block incoming packets (or change the behaviour of the system at all, in fact) - you need to configure the appropriate IPSEC security policies using setkey(8), and the security associations using the same tool (manually keyed SAs) or using the racoon port (IKE). It sounds like you're already sending out ESP packets from your other machine, but haven't configured the 4.1 machine with the corresponding setup.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
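The symptom in the thread (ESP leaves one host, the other never answers) is what you get when the SAs and policies exist on only one end. The script below is an added example, not Kris's or Sam's configuration and not part of the FreeBSD tree: it generates the manually keyed, transport-mode setkey(8) input for both ends of a two-host link and checks that the two SA entries are byte-identical on each side, which is the property that has to hold for manual keying to work. The addresses 10.0.0.1/10.0.0.2, the SPIs 0x1001/0x1002, the algorithm choice (3des-cbc with hmac-sha1, which setkey(8) of that era documented) and the key bytes are all constructed placeholders; real keys come from a CSPRNG such as `openssl rand -hex 24` and `openssl rand -hex 20`, and a peer that negotiates with IKE (racoon) needs no manual SAs at all.

```shell
#!/bin/sh
# Added example: mirrored manual-keying setup for KAME IPsec via setkey(8).
# Every address, SPI and key below is a constructed placeholder.

A=10.0.0.1        # assumed: the client that already emits ESP
B=10.0.0.2        # assumed: the FreeBSD 4.1 server that lacks the matching SAs
SPI_AB=0x1001     # SA carrying A -> B traffic
SPI_BA=0x1002     # SA carrying B -> A traffic
# 3des-cbc takes a 192-bit key (48 hex digits); hmac-sha1 a 160-bit key (40 hex digits).
# setkey rejects wrong lengths, so the lengths are checked before any config is emitted.
EK_AB=0x000102030405060708090a0b0c0d0e0f1011121314151617
AK_AB=0x202122232425262728292a2b2c2d2e2f30313233
EK_BA=0x404142434445464748494a4b4c4d4e4f5051525354555657
AK_BA=0x606162636465666768696a6b6c6d6e6f70717273

# key_bits KEY -> bit length of a 0x-prefixed hex key
key_bits() {
    hex=${1#0x}
    echo $(( ${#hex} * 4 ))
}

# check_keys -> 0 if every key has the length its algorithm demands, 1 otherwise
check_keys() {
    for k in "$EK_AB" "$EK_BA"; do
        [ "$(key_bits "$k")" -eq 192 ] || return 1
    done
    for k in "$AK_AB" "$AK_BA"; do
        [ "$(key_bits "$k")" -eq 160 ] || return 1
    done
    return 0
}

# sa_lines -> the two SA entries (one per direction). An SA is named by
# (src, dst, SPI) and carries its keys, so the SAME two lines go on BOTH hosts.
sa_lines() {
    printf 'add %s %s esp %s -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$A" "$B" "$SPI_AB" "$EK_AB" "$AK_AB"
    printf 'add %s %s esp %s -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$B" "$A" "$SPI_BA" "$EK_BA" "$AK_BA"
}

# host_conf LOCAL PEER -> complete "setkey -c" input as seen from LOCAL.
# Only the policy direction differs between the two hosts: LOCAL -> PEER is
# "out" and PEER -> LOCAL is "in"; both are "require", so unprotected packets
# in either direction are dropped, which is the blocking Sam observed.
host_conf() {
    l=$1
    p=$2
    echo 'flush;'
    echo 'spdflush;'
    sa_lines
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$l" "$p"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$p" "$l"
}

# sa_match -> 0 when the SA entries the two hosts would load are identical
sa_match() {
    [ "$(host_conf "$A" "$B" | grep '^add ')" = "$(host_conf "$B" "$A" | grep '^add ')" ]
}

# Usage on the server, as root:   host_conf 10.0.0.2 10.0.0.1 | setkey -c
# and on the client:              host_conf 10.0.0.1 10.0.0.2 | setkey -c
# Then confirm with "setkey -D" (SAD) and "setkey -DP" (SPD) on each box, and
# watch for ESP in both directions with tcpdump before retrying ssh.
check_keys || { echo "key length does not match algorithm" >&2; exit 1; }
sa_match || { echo "SA entries differ between hosts" >&2; exit 1; }
host_conf "$B" "$A"
```

Two caveats a practitioner should keep in mind: manual SAs never rekey, so the same keys protect every packet until someone runs `setkey` again, and a mismatch of even one hex digit on one side produces exactly the one-way ESP seen in the thread, with no error on either host. Both problems go away with IKE (racoon), which is why Kris points there as the alternative.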