From: Lionnel CHAPTAL <lionnel.chaptal@IPricot.com>
Organization: IPricot European Headquarters (Formerly DotCom SA)
Date: Fri, 13 Apr 2001 12:09:11 +0200
To: freebsd-security@freebsd.org
Subject: IPSEC/Racoon/local address when initiator

Hi,

I have an IPSec tunnel between 2 nets:

    FBSD(eth)--|--(eth)GW(eth)--(eth)Cisco(eth)--|
               |                                 |
    host(eth)---|                                 |--(eth)host

and it works fine in static key configuration.

FBSD is the encryption/decryption machine on the LAN on the left side and is the gateway for the LAN. Cisco is doing the same job on the right side.

On the FBSD side, there is only one NIC, so I have set up an alias address on the ethernet interface. So the FBSD eth iface has one address in the net-to-be-tunneled (192.168.0.1/24) and another for the tunnel-transported-lan (1.2.3.4 or whatever).

Now, I would like to use IKE. Well, there is no problem with the racoon parameters. The gateway for the FBSD (GW) has only one address in the same net as the net-to-be-tunneled (for instance 192.168.0.254). So racoon is binding on the eth iface with the address 192.168.0.1 [sockmisc.c/getlocaladdr()]. The frames are being sent from 192.168.0.1 whereas they should come from 1.2.3.4.

Question: Is there a way, in the configuration file, to change the local address binding so that it will use 1.2.3.4 instead? (like "crypto map local-address" with Cisco IOS?)

Note: the exchange is OK when the Cisco is the initiator, and the SAD is filled.

Thanks in advance,
Lionnel.
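As an added example (not the poster's own configuration), a racoon.conf fragment for the layout above that uses the "listen" section to bind the ISAKMP socket to the alias address instead of the interface's primary address; CISCO_ADDR is a placeholder for the Cisco's tunnel endpoint, which the post does not give, and the proposal parameters are assumed values:

```conf
# /usr/local/etc/racoon/racoon.conf (added example, not the poster's file)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
        # Bind ISAKMP (UDP 500) to the alias 1.2.3.4, not to 192.168.0.1,
        # so phase 1 packets leave with the tunnel endpoint as source.
        isakmp 1.2.3.4 [500];
}

remote CISCO_ADDR {          # placeholder: the Cisco's outside address
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;     # assumed
                hash_algorithm sha1;           # assumed
                authentication_method pre_shared_key;
                dh_group 2;                    # assumed
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The SPD entries loaded with setkey must use the same endpoints (esp/tunnel/1.2.3.4-CISCO_ADDR) so that the kernel's acquire matches the address racoon is listening on; checking that the phase 1 packets now leave from 1.2.3.4 can be done with tcpdump on the interface.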