From: George Hartzell
Date: Fri, 21 Feb 2003 09:48:40 -0800
To: hartzell@kestrel.alerce.com (George Hartzell)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-mobile@FreeBSD.ORG
Subject: Almost there [was Re: FreeBSD 4.7-REL-p3 and an ... Linksys BEFVP41]
Message-ID: <15958.26232.847753.176153@rosebud.alerce.com>
In-Reply-To: <15956.23535.146549.735318@rosebud.alerce.com>
References: <15956.23535.146549.735318@rosebud.alerce.com>

George Hartzell writes:
 >
 > I'd like to set up an IPsec connection between my laptop running
 > FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec
 > capability.
 > [...]

I almost have things working!

I've fallen back to a very simple solution. It took me a while to separate out the fancy footwork in the various examples (the gif tunnels and the fancy-dancing to support/enable NAT, etc...), but I finally realized that what I needed was just pretty simple.

/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd LAPTOP_IP/32 192.168.1.0/24 any -P out ipsec esp/tunnel/LAPTOP_IP-LINKSYS_IP/require;
spdadd 192.168.1.0/24 LAPTOP_IP/32 any -P out ipsec esp/tunnel/LINKSYS_IP-LAPTOP_IP/require;
EOF

and a racoon.conf that's almost exactly the example from the racoon.conf man page.

Now I get the key exchange established, with racoon saying

  IPsec-SA established: ESP/Tunnel 64.1.164.95->64.1.164.92 spi=387448327(0x1717fe07)

and the Linksys logging (in blue!) that the tunnel's been established.

Still, it doesn't quite work. If I sit on my laptop and ping a machine on the private network, I never see any replies. But a tcpdump on the private network machine shows the icmp requests and replies in the clear, and tcpdump on the laptop shows the replies coming back through the ipsec gateway (foo is the laptop, blah is the Linksys).

  09:09:09.739914 foo.bar.com > blah.bar.com: ESP(spi=0x1a1ef0f9,seq=0x111)
  09:09:09.742049 blah.bar.com > foo.bar.com: ESP(spi=0x0c053b00,seq=0x11f)
  ....

So, it seems that the replies are making it back to the laptop (or close enough that the laptop can tcpdump them). Anyone have any suggestions on where they might be getting stuck and/or dropped on the floor? Suggestions on tools to dig around and understand what's up?

g.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
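An added example, not from the original post: a setkey(8) policy script for the same laptop-to-Linksys tunnel in which the return direction (192.168.1.0/24 -> laptop) is marked -P in, which is the policy the kernel consults for decapsulated inbound packets; an entry for that selector marked -P out, as in the post, is never matched in either direction. The 64.1.164.95 and 64.1.164.92 addresses are taken from the racoon log line above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): SPD entries for the
# laptop <-> Linksys ESP tunnel, with the return direction as an "in" policy.
# Addresses are the ones racoon logged in the post; function names are ours.
LAPTOP_IP=64.1.164.95
LINKSYS_IP=64.1.164.92
LAN_NET=192.168.1.0/24

# Print the setkey(8) policy script. Outbound: laptop -> LAN goes into the
# ESP tunnel to the Linksys. Inbound: LAN -> laptop must have arrived through
# the ESP tunnel from the Linksys ("require"), so a cleartext packet that
# merely claims a LAN source address fails the inbound policy check.
ipsec_spd_policy() {
    cat <<EOF
spdadd $LAPTOP_IP/32 $LAN_NET any -P out ipsec esp/tunnel/$LAPTOP_IP-$LINKSYS_IP/require;
spdadd $LAN_NET $LAPTOP_IP/32 any -P in ipsec esp/tunnel/$LINKSYS_IP-$LAPTOP_IP/require;
EOF
}

# Count the entries for one direction ("in" or "out") in a policy script
# read from stdin; "--" keeps grep from reading the pattern as an option.
count_direction() {
    grep -c -- "-P $1 ipsec"
}

# Refuse to load unless exactly one "in" and one "out" entry are present.
spd_directions_ok() {
    [ "$(ipsec_spd_policy | count_direction in)" -eq 1 ] &&
    [ "$(ipsec_spd_policy | count_direction out)" -eq 1 ]
}

# Flush the old SPD and SAD (as the post does), load the new policies, then
# dump the SPD so both directions can be checked against the kernel's view.
load_ipsec_policy() {
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    ipsec_spd_policy | /usr/sbin/setkey -c
    /usr/sbin/setkey -DP
}

# Only touch the kernel when explicitly asked (run as root: ./script --load).
if [ "${1:-}" = "--load" ]; then
    spd_directions_ok && load_ipsec_policy
fi
```

After loading, `setkey -D` shows whether racoon has installed an SA for each direction to go with the policies.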