Date:      Sun, 11 Mar 2001 00:49:45 -0600
From:      jomor <jomor@ahpcns.com>
To:        freebsd-security@freebsd.org
Subject:   IPSEC tunnel & setkey, How do I tell if setkey worked?
Message-ID:  <3AAB2008.E35A125D@ahpcns.com>

I'm finally trying to get a VPN set up between home (DSL) and work
(T-1). I've been running FreeBSD on my home firewall for a few years and
now I want it to be an IPSEC tunnel endpoint. The other end will be
another FreeBSD box first, and maybe eventually a Watchguard Firebox II
firewall "appliance". I'm testing off-line for now. I haven't been able
to find any info on integrating my ipfw rules with the tunnel, so I've
got test boxes set up in an "open" firewall config. I figure I'll get
the tunnel up first and then break it while I try different ipfw rules.

My kernels have the IPSEC and IPSEC_ESP options included. I have the
following "/etc/ipsec.conf" files:

Host 1

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec
        esp/tunnel/192.168.98.19-192.168.98.17/require;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec
        esp/tunnel/192.168.98.17-192.168.98.19/require;

Host 2

add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.169.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec
        esp/tunnel/192.168.98.17-192.168.98.19/require;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec
        esp/tunnel/192.168.98.19-192.168.98.17/require;

Both are running with gateway enabled, firewall "OPEN" and natd running.
The 192.168.98.x addresses are what would normally be their public
interfaces.

"setkey -f /etc/ipsec.conf" runs without generating any errors, and "setkey
-D" and "setkey -D -P" display my entries OK, but I was expecting
"netstat -nr" to show routes for the tunnel, or "ifconfig -a" to show
some change in at least one of my "gifn" interfaces, and I'm not seeing
it. So I thought I'd run "gifconfig", "ifconfig" and "route add" to set
up the tunnel first (modifying the ipsec.conf files to use the gif0
addresses). While that did set up a functioning tunnel, I didn't see any
evidence of encryption happening. The tunnel kept working even if I ran
setkey on only one of the endpoints.

What am I missing (or doing wrong)? Things have been a little more
complex than they need to be since one of my test "firewalls" is a laptop
and getting two PCMCIA Ethernet cards to work at the same time has been
a challenge.

All help is much appreciated.

                        tia    ...jgm
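A manual-keyed IPsec setup like the one above only encrypts when the SPD entry on each host points at an SA that actually exists on that host, and when both hosts hold identical SAs for each SPI. The following checker is an added example and is not part of the post or of FreeBSD/KAME; it parses the `add` and `spdadd` statement forms that setkey(8) accepts (it does not parse `setkey -D` output), and runs over the two configurations quoted in the post, which are embedded inline. The second `add` line on Host 2 reads 192.169.98.17 where the Host 1 entry reads 192.168.98.17, so the checker reports that Host 2's inbound policy has no matching SA and that SPI 1001 is not mirrored between the hosts. The `WEAK_ENC` set, the `check_pair` function and the host names are this example's own constructs.

```python
"""Consistency checker for a pair of setkey(8)-style ipsec.conf files.

Added example, not the poster's or FreeBSD's own code. Parses the manual
'add' (SAD) and 'spdadd' (SPD) statements and cross-checks them.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ciphers that must not be used for ESP any more (single DES, null cipher).
WEAK_ENC = {"des-cbc", "null"}


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    mode: str
    enc_alg: str
    enc_key: str


@dataclass(frozen=True)
class Policy:
    src_range: str
    dst_range: str
    direction: str
    proto: str
    mode: str
    tun_src: str
    tun_dst: str
    level: str


def parse_ipsec_conf(text: str) -> Tuple[List[SA], List[Policy]]:
    """Parse 'add' and 'spdadd' statements; other statements are ignored."""
    sas, policies = [], []
    # Drop '#' comments, then split on ';' so line-wrapped statements are joined.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] == "add":
            # add <src> <dst> <proto> <spi> [-m mode] -E <alg> <key> [-A <alg> <key>]
            src, dst, proto, spi = tok[1], tok[2], tok[3], int(tok[4], 0)
            mode, enc_alg, enc_key = "any", "", ""   # setkey's default mode is 'any'
            i = 5
            while i < len(tok):
                if tok[i] == "-m":
                    mode = tok[i + 1]
                    i += 2
                elif tok[i] == "-E":
                    enc_alg, enc_key = tok[i + 1], tok[i + 2].strip('"')
                    i += 3
                elif tok[i] == "-A":
                    i += 3   # authentication algorithm and key: not checked here
                else:
                    i += 1
            sas.append(SA(src, dst, proto, spi, mode, enc_alg, enc_key))
        elif tok[0] == "spdadd":
            # spdadd <src_range> <dst_range> <upper> -P <dir> ipsec <proto>/<mode>/<src>-<dst>/<level>
            direction = tok[tok.index("-P") + 1]
            proto, mode, endpoints, level = tok[-1].split("/")
            tun_src, tun_dst = endpoints.split("-") if endpoints else ("", "")
            policies.append(Policy(tok[1], tok[2], direction, proto, mode, tun_src, tun_dst, level))
    return sas, policies


def check_pair(name_a: str, conf_a: str, name_b: str, conf_b: str) -> List[str]:
    """Return human-readable findings for two hosts that should form one tunnel."""
    hosts = {name_a: parse_ipsec_conf(conf_a), name_b: parse_ipsec_conf(conf_b)}
    peer = {name_a: name_b, name_b: name_a}
    findings = []
    for name, (sas, policies) in hosts.items():
        # 1. Every tunnel policy must have an SA on the same host with the same endpoints.
        for p in policies:
            if p.mode == "tunnel" and not any(
                s.src == p.tun_src and s.dst == p.tun_dst and s.proto == p.proto
                and s.mode in ("tunnel", "any") for s in sas
            ):
                findings.append(f"{name}: policy {p.direction} {p.src_range}->{p.dst_range} "
                                f"needs {p.proto} tunnel SA {p.tun_src}->{p.tun_dst}, none defined")
        for s in sas:
            # 2. Manual SAs must be byte-for-byte identical on both peers.
            if s not in hosts[peer[name]][0]:
                findings.append(f"{name}: SA spi={s.spi} {s.src}->{s.dst} has no identical entry on {peer[name]}")
            # 3. Flag ciphers that give no real confidentiality.
            if s.enc_alg in WEAK_ENC:
                findings.append(f"{name}: SA spi={s.spi} uses {s.enc_alg}, which is not an acceptable ESP cipher")
    return findings


# The two configurations exactly as quoted in the post (including the 192.169 address).
HOST1_CONF = """
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.168.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.0.0/24 172.18.10.0/24 any -P out ipsec esp/tunnel/192.168.98.19-192.168.98.17/require;
spdadd 172.18.10.0/24 172.18.0.0/24 any -P in ipsec esp/tunnel/192.168.98.17-192.168.98.19/require;
"""
HOST2_CONF = """
add 192.168.98.17 192.168.98.19 esp 1000 -m tunnel -E des-cbc "testtest";
add 192.168.98.19 192.169.98.17 esp 1001 -m tunnel -E des-cbc "testtest";
spdadd 172.18.10.0/24 172.18.0.0/24 any -P out ipsec esp/tunnel/192.168.98.17-192.168.98.19/require;
spdadd 172.18.0.0/24 172.18.10.0/24 any -P in ipsec esp/tunnel/192.168.98.19-192.168.98.17/require;
"""

if __name__ == "__main__":
    for line in check_pair("host1", HOST1_CONF, "host2", HOST2_CONF):
        print(line)
```

Run it as-is to see the mismatch on SPI 1001 plus the weak-cipher warnings; substitute 192.168.98.17 into the Host 2 file and only the des-cbc findings remain. The checker deliberately stops at the configuration level: whether packets are actually being encrypted is a separate question for the SA counters and a packet capture on the outside interface, but a policy whose tunnel endpoints do not match any SA will never get that far.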





