Date: Mon, 25 Sep 2000 17:37:37 -0700 (PDT) From: Kris Kennaway <kris@FreeBSD.org> To: Sam Wun <swun@eSec.com.au> Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG> Subject: Re: IPsec block my ssh remote login. Message-ID: <Pine.BSF.4.21.0009251735300.48068-100000@freefall.freebsd.org> In-Reply-To: <39CFDB60.A69A3F49@eSec.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 26 Sep 2000, Sam Wun wrote:
> I have just configured my 4.1 kernel with IPSEC enabled.
> After executed setkey, it blocks all my network traffic accessing between my
> client and server machines.
> I can't even use ssh remote login. Then I used Tcpdump to listen on one of
> the NIC which is dedicated for the network connection between my client and
> server machine. I can see ESP packet going thru when I am runniing ssh
> logging in to my client machine, but ssh seems waiting forever for the reply
> from my client machine.
>
> How can I get some sort of packet go thru with IPSEC protected?
Just configuring it in your kernel shouldn't block incoming packets (or
change the behaviour of the system at all, in fact) - you need to
configure the appropriate IPSEC security policies using setkey(8), and the
security associations using the same tool (manually keyed SAs) or using
the racoon port (IKE).
It sounds like you're already sending out ESP packets from your other
machine, but haven't configured the 4.1 machine with the corresponding
setup.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009251735300.48068-100000>