From: Bernhard Schmidt
To: freebsd-security@freebsd.org
Date: Sun, 16 Jun 2002 23:55:39 +0200
Subject: Too stupid for IPsec
Message-ID: <20020616215539.GA3675@thor.birkenwald.de>

Warning, this is quite long. I don't know whether there is a better group
for IPsec-related things; if so, please drop me a note.

I just tried to establish a secure connection with IPsec between my router
at home and my machine at work. The machine at home (heimdall) is running
FBSD 4.6-RELEASE, the other one (lupus) is running FBSD 4.5-RELEASE-p4.
Both have IPSEC, IPSEC_ESP and IPSEC_DEBUG integrated in the kernel.

The structure of the network is as follows:

At home:

    Windows ---+
               |                 +----------+
    Linux   ---+-----------------+ heimdall +------- (some routers) ------->
               |                 +----------+
    FreeBSD ---+            195.143.230.217/29
                            195.143.230.215/32 (alias)

                                 +-------+
            <--------------------+ lupus |
                                 +-------+
                              195.143.155.4/32

At the moment I'm trying to encrypt/authenticate the data when there is a
connection between frigg (a non-IPsec-aware Linux box in my /29 above) and
lupus. As far as I have understood the documentation, I need tunnel mode
in this case.

My current approach looks like the following. I generated my SPI
definitions into a file and copy-and-pasted them into "setkey -c" on both
sides:

    add 195.143.230.215 195.143.155.4 esp 1000 -m tunnel -E rijndael-cbc "1234567890123456" -A hmac-sha1 "12345678901234567890" ;
    add 195.143.155.4 195.143.230.215 esp 2000 -m tunnel -E rijndael-cbc "2345678901234567" -A hmac-sha1 "23456789012345678901" ;

Then I created my SPDs by adding

    spdadd 195.143.230.220/32 195.143.155.4/32 any -P out ipsec esp/tunnel/195.143.230.215-195.143.155.4/require ;

on heimdall and

    spdadd 195.143.155.4/32 195.143.230.220/32 any -P out ipsec esp/tunnel/195.143.155.4-195.143.230.215/require ;

on lupus.

When I ping/telnet lupus from frigg and vice versa, I can see ESP packets
in tcpdump with the correct SPI. But nothing more happens. lupus does not
react to anything it receives via ESP, and heimdall does not forward the
(now unencrypted) packet to its second ethernet device.

net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but
nothing shows up in the logfile (yes, syslog is set up correctly).

Any ideas what could be missing/wrong? Any help appreciated; I'm probably
just too blind to see the obvious solution.

-- 
bye bye
Bernhard
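An added example, not from the post or from FreeBSD itself: a small sh script that generates a complete setkey(8) configuration for the tunnel described above, including the "-P in" policy on each side that the setkey(8) tunnel-mode examples pair with "-P out", and a check of the key lengths rijndael-cbc (16/24/32 bytes) and hmac-sha1 (20 bytes) expect. It assumes frigg is 195.143.230.220 (the address in the post's spdadd) and reuses the post's placeholder keys.

```shell
#!/bin/sh
# Added example, not from the post: a complete setkey(8) config for the
# tunnel above, with the "-P in" policy per side that the setkey(8)
# tunnel-mode examples pair with "-P out". Keys are the post's placeholders;
# frigg's address (195.143.230.220) is assumed from the post's spdadd.
HOME_GW=195.143.230.215   # heimdall's alias, the home tunnel endpoint
HOME_HOST=195.143.230.220 # frigg, the non-IPsec Linux host behind heimdall
WORK_GW=195.143.155.4     # lupus: tunnel endpoint and final host in one
ENC_OUT=1234567890123456;  AUTH_OUT=12345678901234567890
ENC_IN=2345678901234567;   AUTH_IN=23456789012345678901

# check_key NAME KEY BYTES: fail unless KEY is exactly BYTES long
# (rijndael-cbc takes 16/24/32 bytes, hmac-sha1 takes 20).
check_key() {
    if [ "${#2}" -ne "$3" ]; then
        echo "$1: key is ${#2} bytes, need $3" >&2
        return 1
    fi
}

# sad_entries: both ESP SAs; the SAD is identical on the two gateways
sad_entries() {
    check_key esp-out "$ENC_OUT" 16 && check_key auth-out "$AUTH_OUT" 20 &&
    check_key esp-in "$ENC_IN" 16 && check_key auth-in "$AUTH_IN" 20 || return 1
    printf 'add %s %s esp 1000 -m tunnel -E rijndael-cbc "%s" -A hmac-sha1 "%s" ;\n' \
        "$HOME_GW" "$WORK_GW" "$ENC_OUT" "$AUTH_OUT"
    printf 'add %s %s esp 2000 -m tunnel -E rijndael-cbc "%s" -A hmac-sha1 "%s" ;\n' \
        "$WORK_GW" "$HOME_GW" "$ENC_IN" "$AUTH_IN"
}

# spd_entries SIDE: the out/in policy pair for "heimdall" or "lupus".
# The "in" entry mirrors the "out" one: swapped traffic selectors and
# swapped tunnel endpoints.
spd_entries() {
    case $1 in
    heimdall) here=$HOME_GW; there=$WORK_GW; src=$HOME_HOST/32; dst=$WORK_GW/32 ;;
    lupus)    here=$WORK_GW; there=$HOME_GW; src=$WORK_GW/32;   dst=$HOME_HOST/32 ;;
    *) echo "unknown side: $1" >&2; return 1 ;;
    esac
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require ;\n' \
        "$src" "$dst" "$here" "$there"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require ;\n' \
        "$dst" "$src" "$there" "$here"
}

# gen_conf SIDE: full config for one gateway, e.g. to save in a root-only
# file and load with "setkey -f FILE" instead of pasting into "setkey -c"
gen_conf() { sad_entries && spd_entries "$1"; }

if [ -n "${1:-}" ]; then gen_conf "$1"; fi
```

Running "sh thisfile.sh heimdall" prints the home side's SAD and SPD; "lupus" prints the work side's.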