Date:      Mon, 25 Sep 2000 18:45:49 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Sam Wun <swun@eSec.com.au>
Cc:        "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPsec block my ssh remote login.
Message-ID:  <Pine.BSF.4.21.0009251841540.76875-100000@freefall.freebsd.org>
In-Reply-To: <39CFFCFD.25452959@eSec.com.au>

On Tue, 26 Sep 2000, Sam Wun wrote:

> Here is the setkey policy I used:
> 
> setkey -c <<EOF
> add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
> add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
> spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;

I believe you also need a spd entry which matches the incoming packets
i.e. coming in from 172.16.1.2 to 172.16.1.1

spdadd 172.16.1.2 172.16.1.1 any -P in ipsec esp/transport//use;

This says to apply the esp/transport//use transform to packets coming IN
from 172.16.1.2 to 172.16.1.1, to go with your other policy which matches 
packets going OUT from 172.16.1.1 to 172.16.1.2.

You may also find it beneficial to use racoon (/usr/ports/security/racoon)
to manage the security associations instead of manually keying them with
'add' entries (plus you'll get more random keys, periodic rekeying, etc).

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
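The two-directional policy Kris describes above, as an added example (not code from the thread): a small shell helper that emits a complete manually keyed setkey configuration for one host, with an SA and an SPD entry for each direction, plus a check that flags the one-sided policy from the original post. Addresses, SPIs and the esp/transport//use policy are those quoted in the thread; the keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original message. Emits a setkey
# configuration for ONE host (feed the output to: setkey -c <<EOF ... EOF).
# SAs are unidirectional, so a host needs one 'add' per direction, and the
# SPD needs both an 'out' and an 'in' entry; with only 'out', replies coming
# back in are left unmatched, which is the symptom reported in the thread.
# Usage: ipsec_policy LOCAL PEER SPI_OUT SPI_IN KEY_OUT KEY_IN
ipsec_policy() {
    local_ip=$1; peer_ip=$2; spi_out=$3; spi_in=$4; key_out=$5; key_in=$6
    # SA for traffic this host sends, and SA for traffic it receives
    printf 'add %s %s esp %s -E 3des-cbc "%s";\n' "$local_ip" "$peer_ip" "$spi_out" "$key_out"
    printf 'add %s %s esp %s -E 3des-cbc "%s";\n' "$peer_ip" "$local_ip" "$spi_in" "$key_in"
    # Matching SPD entries: OUT from local to peer, IN from peer to local
    printf 'spdadd %s %s any -P out ipsec esp/transport//use;\n' "$local_ip" "$peer_ip"
    printf 'spdadd %s %s any -P in ipsec esp/transport//use;\n' "$peer_ip" "$local_ip"
}

# Sanity check for a policy text: returns 0 only if it carries both an
# 'out' and an 'in' spdadd entry, 1 if either direction is missing.
policy_is_bidirectional() {
    printf '%s\n' "$1" | grep -q -- '-P out ipsec' || return 1
    printf '%s\n' "$1" | grep -q -- '-P in ipsec' || return 1
    return 0
}

# Constructed placeholder keys; 3des-cbc needs a 24-byte key, as the
# "hogehoge..." strings in the post are. Real keys must be random.
KEY_AB='KEY_A_TO_B_24_BYTES_____'
KEY_BA='KEY_B_TO_A_24_BYTES_____'

# Host A (172.16.1.1). The peer gets the mirror image: swap addresses,
# SPIs and keys, e.g. ipsec_policy 172.16.1.2 172.16.1.1 10000 9876 ...
ipsec_policy 172.16.1.1 172.16.1.2 9876 10000 "$KEY_AB" "$KEY_BA"
```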