Date: Sun, 11 Mar 2001 00:49:45 -0600 From: jomor <jomor@ahpcns.com> To: freebsd-security@freebsd.org Subject: IPSEC tunnel & setkey, How do I tell if setkey worked? Message-ID: <3AAB2008.E35A125D@ahpcns.com>
I'm finally trying to get a VPN set up between home (DSL) and work (T-1). I've been running FreeBSD on my home firewall for a few years and now I want it to be an IPSEC tunnel endpoint. The other end will be another FreeBSD box first, and maybe eventually a Watchguard firebox2 firewall "appliance". I'm testing off-line for now.

I haven't been able to find any info on integrating my ipfw rules with the tunnel, so I've got test boxes set up in an "open" firewall config. I figure I'll get the tunnel up first and then break it while I try different ipfw rules.

My kernels have the IPSEC and IPSEC_ESP options included. I have the following "/etc/ipsec.conf" files:

Host 1

    # SAs, one per direction, tunnel mode, DES-CBC with an 8-byte (64-bit) ASCII key
    add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
    add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
    # Policies: traffic between the inner subnets must use the ESP tunnel
    spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;
    spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;

Host 2

    add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest" ;
    # Corrected to 192.168.98.17; the line as posted read 192.169.98.17, which is not one of the tunnel endpoints
    add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest" ;
    spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require ;
    spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require ;

Both are running with gateway enabled, firewall "OPEN" and natd running. The 192.168.98.x addresses are what would normally be their public interfaces.

"setkey -f /etc/ipsec.conf" runs without generating any errors, and "setkey -D" and "setkey -D -P" display my entries OK, but I was expecting "netstat -nr" to show routes for the tunnel, or "ifconfig -a" to show some change in at least one of my "gifn" interfaces, and I'm not seeing it. So I thought I'd run "gifconfig", "ifconfig" and "route add" to set up the tunnel first (modifying the ipsec.conf files to use the gif0 addresses).
While that did set up a functioning tunnel, I didn't see any evidence of encryption happening. The tunnel kept working even if I ran setkey on only one of the endpoints. What am I missing (or doing wrong)?

Things have been a little more complex than they need to be since one of my test "firewalls" is a laptop, and getting two PCMCIA Ethernet cards to work at the same time has been a challenge.

All help is much appreciated.

tia ...jgm
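Added example, not part of the original message: two checks that answer "did setkey actually take effect?" without relying on netstat or ifconfig, which do not change when IPsec policies are loaded on a KAME stack. The first is packet-level (tcpdump on the outer interface; the interface name fxp0 is an assumption). The second parses the per-SA byte counters that "setkey -D" prints, so an SA that is loaded but never used stands out. The setkey output embedded below is constructed for the example, with the field layout of KAME setkey.

```shell
#!/bin/sh
# Added example (not from the original post). Requires only sh and awk.
#
# Check 1, packet level. With the SPD above in force, traffic between the
# inner subnets must leave the outer interface as ESP (IP protocol 50)
# between the two endpoint addresses, and nothing from 172.18.x.x should
# appear in the clear. Run on either gateway while pinging across:
#   tcpdump -n -i fxp0 esp                       # expect ESP .17 <-> .19
#   tcpdump -n -i fxp0 'net 172.18.0.0/16'       # expect silence
#
# Check 2, SAD level. "setkey -D" keeps a "current: N(bytes)" lifetime line
# per SA. If both SAs stay at 0 bytes while the tunnel carries traffic, the
# packets are not being matched by the policy and are not being encrypted.

# Reduce "setkey -D" output (stdin) to one line per SA: "src dst spi bytes".
sad_summary() {
    awk '
        # An SA block starts with an unindented "SRC DST" line.
        /^[0-9a-fA-F.:]+ [0-9a-fA-F.:]+$/ { src = $1; dst = $2; spi = ""; next }
        # Protocol line: "esp mode=tunnel spi=1000(0x000003e8) reqid=..."
        /^[ \t]+(esp|ah) / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^spi=/) { spi = $i; sub(/^spi=/, "", spi); sub(/\(.*$/, "", spi) }
            next
        }
        # Lifetime line: "current: 4120(bytes)  hard: 0(bytes)  soft: 0(bytes)"
        /^[ \t]+current: [0-9]+\(bytes\)/ {
            bytes = $2; sub(/\(bytes\)/, "", bytes)
            printf "%s %s %s %s\n", src, dst, spi, bytes
            next
        }
    '
}

# SAs that have never carried a byte: loaded, but not being used.
unused_sas() {
    sad_summary | awk '$4 == 0'
}

# Constructed sample of "setkey -D" output for the two SAs from the post:
# SPI 1000 has never been used, SPI 1001 has encrypted 4120 bytes.
SAMPLE_SETKEY_D='192.168.98.17 192.168.98.19
    esp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
    E: des-cbc  74657374 74657374
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Mar 11 00:49:45 2001   current: Mar 11 00:55:12 2001
    diff: 327(s)    hard: 0(s)  soft: 0(s)
    last:   hard: 0(s)  soft: 0(s)
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=1 pid=345 refcnt=1
192.168.98.19 192.168.98.17
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    E: des-cbc  74657374 74657374
    seq=0x00000023 replay=0 flags=0x00000000 state=mature
    created: Mar 11 00:49:45 2001   current: Mar 11 00:55:12 2001
    diff: 327(s)    hard: 0(s)  soft: 0(s)
    last: Mar 11 00:55:10 2001  hard: 0(s)  soft: 0(s)
    current: 4120(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 35   hard: 0 soft: 0
    sadb_seq=0 pid=345 refcnt=1'

sample_summary() { printf '%s\n' "$SAMPLE_SETKEY_D" | sad_summary; }
sample_unused()  { printf '%s\n' "$SAMPLE_SETKEY_D" | unused_sas; }

# Live use on a gateway (needs root):  setkey -D | sad_summary
# On the sample:                       sample_summary ; sample_unused
```

A one-directional result like the sample (one SA with bytes, the other at 0) is itself diagnostic: it means only one gateway's policy is matching, which is what you would expect when setkey has been run on a single endpoint, or when the SA the other side needs for its direction does not exist with the right addresses.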