Date: Fri, 13 Apr 2001 12:09:11 +0200
From: Lionnel CHAPTAL <lionnel.chaptal@IPricot.com>
To: freebsd-security@freebsd.org
Subject: IPSEC/Racoon/local address when initiator
Message-ID: <3AD6D047.91F3F843@IPricot.com>
Hi,

I have an IPSec tunnel between 2 nets:

    FBSD(eth)--|--(eth)GW(eth)--(eth)Cisco(eth)--|
               |                                 |
               |--(eth)host               host(eth)---|

and it works fine in static key configuration. FBSD is the encryption/decryption machine on the LAN on the left side and is the gateway for the LAN. Cisco is doing the same job on the right side.

On the FBSD side, there is only one NIC, so I have set up an alias address on the ethernet interface. So the FBSD eth iface has one address in the net-to-be-tunneled (192.168.0.1/24) and another for the tunnel-transported-lan (1.2.3.4 or whatever).

Now, I would like to use IKE. Well, there is no problem with the racoon parameters. The gateway for the FBSD (GW) has only one address in the same net as the net-to-be-tunneled (for instance 192.168.0.254). So racoon is binding on the eth iface with the address 192.168.0.1 [sockmisc.c/getlocaladdr()]. The frames are being sent from 192.168.0.1 whereas they should come from 1.2.3.4.

Question. Is there a way, in the configuration file, to change the local address binding so that it will use 1.2.3.4 instead? (like "crypto map <MAP> local-address <iface>" with Cisco IOS?)

Note: the exchange is OK when the Cisco is the initiator, and the SAD is filled.

Thanks in advance,
Lionnel.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AD6D047.91F3F843>
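Added editorial example, not part of the original post or the poster's configuration: the two places in a racoon setup where the tunnel endpoint address is stated explicitly, so that the alias address rather than the LAN address is used for ISAKMP. The `listen { isakmp ...; }` section binds the IKE socket to one address instead of every address on the interface, and the SPD tunnel endpoints (shown as setkey lines in the trailing comment) must name the same address. Assumptions: 1.2.3.4 is the FreeBSD alias used as tunnel endpoint, 5.6.7.8 is a hypothetical Cisco outside address, 192.168.1.0/24 is a hypothetical right-hand LAN, and the pre-shared-key path is a placeholder. Caveat: the poster reports that their racoon picks the local address in getlocaladdr() by route lookup, so whether the listen binding alone changes the initiator's source address depends on the racoon version; confirm on the wire with `tcpdump -ni <iface> udp port 500` that the first ISAKMP packet leaves from 1.2.3.4.

```conf
# Hypothetical racoon.conf fragment (added example, not the poster's file).
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # placeholder path

listen {
	# Bind ISAKMP to the tunnel endpoint alias only, never to 192.168.0.1.
	isakmp 1.2.3.4 [500];
	# Fail at startup if 1.2.3.4 cannot be bound (e.g. alias not yet up),
	# rather than silently falling back to other addresses.
	strict_address;
}

# 5.6.7.8 is an assumed address for the Cisco's outside interface.
remote 5.6.7.8 {
	exchange_mode main;
	# Identify ourselves by the tunnel endpoint, matching the Cisco peer entry.
	my_identifier address 1.2.3.4;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# The SPD must use the same endpoint; these are the matching setkey(8) lines
# (192.168.1.0/24 is an assumed right-hand LAN):
#   spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
#   spdadd 192.168.1.0/24 192.168.0.0/24 any -P in  ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
```

If the initiator's first packet still carries 192.168.0.1 as source after this, the address is being chosen by the route lookup in getlocaladdr() rather than by the listen binding, and the fix lies in the racoon source or a newer version rather than in the configuration file.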