Date:      Wed, 25 Oct 2000 18:33:55 -0400
From:      Matthew Hagerty <matthew@venux.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   IPsec requires FreeBSD-4.??
Message-ID:  <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>

Greetings,

I am trying desperately to get a simple network-to-network VPN working with 
FreeBSD.  I am having no luck and would like to know what version of 4.x I 
need?  I am currently using 4.0 release on both sides.  Is that going to 
work or do I need to upgrade to 4.1.1 or something?

Also, while I'm here, this is the whole procedure I'm using (that does not 
seem to be working.)  Is there something wrong with this?

In the kernel I added these and recompiled:

options         IPSEC
options         IPSEC_ESP


Then I modified the IPv4 tunnel example in the handbook (the example as 
written did not work either... long lines wrap)

10.0.0.0/24--24.7.242.61<------->216.93.125.61--10.0.1.0/24

setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.0.0/24 any -P out ipsec 
esp/tunnel/216.93.125.61-24.7.242.61/require ;
spdadd 10.0.0.0/24 10.0.1.0/24 any -P in  ipsec 
esp/tunnel/24.7.242.61-216.93.125.61/require ;
add 216.93.125.61 24.7.242.61 esp 0x10001 -E des-cbc "ESP with" -A hmac-md5 
"authentication!!" ;
add 24.7.242.61 216.93.125.61 esp 0x10002 -E des-cbc "ESP with" -A hmac-md5 
"authentication!!" ;
EOF

setkey -c <<EOF
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec 
esp/tunnel/24.7.242.61-216.93.125.61/require ;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in  ipsec 
esp/tunnel/216.93.125.61-24.7.242.61/require ;
add 216.93.125.61 24.7.242.61 esp 0x10001 -E des-cbc "ESP with" -A hmac-md5 
"authentication!!" ;
add 24.7.242.61 216.93.125.61 esp 0x10002 -E des-cbc "ESP with" -A hmac-md5 
"authentication!!" ;
EOF


I am running NATd on both sides, but I shut it off and still no 
good.  There was a post a few weeks ago about running NATd with IPsec, 
something to the effect of having to set a route to the loopback interface:

route add 172.16.0.0 -netmask 0xffffff00 -interface lo0

I tried that as well, but in my case I was not sure which of my IP 
addresses I should be using to replace the 172.16.0.0...

Any insight would be greatly appreciated!!

Thank you,
Matthew Hagerty
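The setkey blocks above configure manually keyed ESP tunnel-mode SAs plus the SPD policies that select them, and the two gateways only interoperate if the SAs match byte for byte and each policy is mirrored on the peer. The checker below is an added example, not part of the post or of FreeBSD; it parses the post's own setkey syntax (constructed copies of the two blocks, with the wrapped lines kept as they appear) and reports wrong key sizes, policies with no matching SA, and policies that the peer does not mirror. It assumes ESP-only policies of the form esp/tunnel/GW1-GW2/level and one -E and one -A entry per add.

```python
import shlex
KEY_LEN = {"des-cbc": 8, "3des-cbc": 24, "hmac-md5": 16, "hmac-sha1": 20}  # key bytes setkey expects

def key_bytes(tok):
    return (len(tok) - 2) // 2 if tok.startswith("0x") else len(tok)  # 0x-hex or quoted string

def parse(text):
    """SPD as {(src, dst, dir): (gw1, gw2)}; SAD as {spi: (src, dst, ealg, elen, aalg, alen)}."""
    spd, sad = {}, {}
    for stmt in text.split(";"):           # newline is whitespace to setkey, so wrapped lines parse
        tok = shlex.split(stmt)
        if tok and tok[0] == "spdadd":     # spdadd SRC DST UPPER -P DIR ipsec esp/tunnel/GW1-GW2/LEVEL
            spd[(tok[1], tok[2], tok[tok.index("-P") + 1])] = tuple(tok[-1].split("/")[2].split("-"))
        elif tok and tok[0] == "add":      # add SRC DST esp SPI -E EALG KEY -A AALG KEY
            e, a = tok.index("-E"), tok.index("-A")
            sad[int(tok[4], 16)] = (tok[1], tok[2], tok[e + 1], key_bytes(tok[e + 2]),
                                    tok[a + 1], key_bytes(tok[a + 2]))
    return spd, sad

def lint(spd, sad):
    """Problems within one gateway: wrong key sizes, tunnel policies with no matching SA."""
    out = []
    for spi, (_, _, ealg, elen, aalg, alen) in sad.items():
        for alg, n in ((ealg, elen), (aalg, alen)):
            if KEY_LEN.get(alg, n) != n:
                out.append(f"SPI {spi:#x}: {alg} key is {n} bytes, needs {KEY_LEN[alg]}")
    for (src, dst, d), gws in spd.items():
        if not any(s[:2] == gws for s in sad.values()):
            out.append(f"policy {src}->{dst} {d}: no SA for tunnel {gws[0]}->{gws[1]}")
    return out

def cross_check(a, b):
    """Both ends need identical SAs, and every out policy on A must be an in policy on B."""
    out = [] if a[1] == b[1] else ["SAD differs between gateways (SPI, algorithm or key)"]
    for (src, dst, d), gws in a[0].items():
        if b[0].get((src, dst, "in" if d == "out" else "out")) != gws:
            out.append(f"policy {src}->{dst} {d} is not mirrored on the peer")
    return out

# Constructed input: the post's setkey block for the 216.93.125.61 gateway, wraps included.
GW_A = """spdadd 10.0.1.0/24 10.0.0.0/24 any -P out ipsec
esp/tunnel/216.93.125.61-24.7.242.61/require ;
spdadd 10.0.0.0/24 10.0.1.0/24 any -P in ipsec
esp/tunnel/24.7.242.61-216.93.125.61/require ;
add 216.93.125.61 24.7.242.61 esp 0x10001 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
add 24.7.242.61 216.93.125.61 esp 0x10002 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;"""
# The peer's block (the post's second setkey -c) is the same text with in and out swapped.
GW_B = GW_A.replace("-P out", "-P X").replace("-P in", "-P out").replace("-P X", "-P in")
```

Run `lint(*parse(GW_A))`, `lint(*parse(GW_B))` and `cross_check(parse(GW_A), parse(GW_B))`; all three return an empty list for the post's blocks, so the two configurations are at least internally consistent, and a mis-sized key or a policy copied to the peer without flipping in/out would be reported.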







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.0.25.2.20001025174629.02b0fbd0>