Date: Tue, 26 Sep 2000 12:33:49 +1100
From: Sam Wun <swun@eSec.com.au>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: IPsec block my ssh remote login.
Message-ID: <39CFFCFD.25452959@eSec.com.au>
References: <Pine.BSF.4.21.0009251735300.48068-100000@freefall.freebsd.org>
Here is the setkey policy I used:

setkey -c <<EOF
add 172.16.1.1 172.16.1.2 esp 9876 -E 3des-cbc "hogehogehogehogehogehoge";
add 172.16.1.2 172.16.1.1 esp 10000 -E 3des-cbc "mogamogamogamogamogamoga";
spdadd 172.16.1.1 172.16.1.2 any -P out ipsec esp/transport//use;
EOF

172.16.1.2 is my client machine, system is FreeBSD 4.1-stable, with the
following kernel options:

###############################################
options COMPAT_LINUX
device pcm
options IPFILTER                #ipfilter support
options IPFILTER_LOG            #ipfilter logging
options IPSTEALTH               #support for stealth forwarding
# Statically Link in accept filters
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM
# enabling for IPSEC
options IPSEC
options IPSEC_ESP
###############################################

172.16.1.1 is my server machine, system is also FreeBSD 4.1-stable, with the
same kernel configuration options compiled.

Thanks for your help
Sam.

Kris Kennaway wrote:

> On Tue, 26 Sep 2000, Sam Wun wrote:
>
> > I have just configured my 4.1 kernel with IPSEC enabled.
> > After executing setkey, it blocks all my network traffic between my
> > client and server machines.
> > I can't even use ssh remote login. Then I used tcpdump to listen on one of
> > the NICs which is dedicated for the network connection between my client and
> > server machine. I can see ESP packets going thru when I am running ssh
> > logging in to my client machine, but ssh seems to wait forever for the reply
> > from my client machine.
> >
> > How can I get some sort of packet go thru with IPSEC protected?
>
> Just configuring it in your kernel shouldn't block incoming packets (or
> change the behaviour of the system at all, in fact) - you need to
> configure the appropriate IPSEC security policies using setkey(8), and the
> security associations using the same tool (manually keyed SAs) or using
> the racoon port (IKE).
>
> It sounds like you're already sending out ESP packets from your other
> machine, but haven't configured the 4.1 machine with the corresponding
> setup.
>
> Kris
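Added example for readers of this thread (editor's addition, not code posted by Sam or Kris): the setkey(8) script above installs SAs in both directions but only one "out" policy, and the peer needs the mirror image of that setup. The shell function below generates a matching setkey input for each host, with an SPD entry for both directions and with "require" in place of "use", so traffic between the two hosts that is not ESP-protected is dropped rather than silently sent in the clear. The 0x-hex key format and the random-key helper are assumptions of this example (they are not what the thread used); the SPIs and addresses reuse the thread's sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build mirrored setkey(8) input for a
# manually keyed ESP transport-mode pair. Feed the output to "setkey -c" on
# each host; the peer's file is the same call with hosts, SPIs and keys
# swapped. Addresses, SPIs and keys here are constructed sample values.

# gen_setkey_conf LOCAL PEER SPI_OUT SPI_IN KEY_OUT_HEX KEY_IN_HEX
# Prints a setkey script with one SA per direction and an SPD entry for
# both "out" and "in". Note that "flush;" and "spdflush;" clear every
# existing SA and policy on the host before the new ones are added.
gen_setkey_conf() {
    local_ip=$1 peer_ip=$2 spi_out=$3 spi_in=$4 key_out=$5 key_in=$6
    cat <<EOF
flush;
spdflush;
add $local_ip $peer_ip esp $spi_out -E 3des-cbc 0x$key_out;
add $peer_ip $local_ip esp $spi_in -E 3des-cbc 0x$key_in;
spdadd $local_ip $peer_ip any -P out ipsec esp/transport//require;
spdadd $peer_ip $local_ip any -P in ipsec esp/transport//require;
EOF
}

# rand_key_hex: 24 random bytes (the 3des-cbc key length) as 48 hex digits,
# so the key is not a guessable ASCII string. Assumes /dev/urandom and od(1).
rand_key_hex() {
    od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# Sample run for the two hosts in the thread: one key per direction, and
# each host gets the mirrored configuration of the other.
demo() {
    k_ab=$(rand_key_hex)
    k_ba=$(rand_key_hex)
    echo "# --- run through 'setkey -c' on 172.16.1.1 ---"
    gen_setkey_conf 172.16.1.1 172.16.1.2 9876 10000 "$k_ab" "$k_ba"
    echo "# --- run through 'setkey -c' on 172.16.1.2 ---"
    gen_setkey_conf 172.16.1.2 172.16.1.1 10000 9876 "$k_ba" "$k_ab"
}

demo
```

After loading the output on both hosts, "setkey -D" lists the installed SAs and "setkey -DP" the policies; if one side shows an SA but no matching "in" policy, or the SPIs and keys differ between hosts, ESP packets will arrive but never be accepted, which is the one-way behaviour tcpdump showed in the thread.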