Date:      Fri, 31 Jan 2003 05:39:25 -0800
From:      Peter Haight <peterh@sapros.com>
To:        freebsd-stable@freebsd.org
Subject:   IPSEC problems after upgrade
Message-ID:  <200301311339.h0VDdPLG014367@wartch.sapros.com>


I've now upgraded two machines that I use as IPSEC tunnel endpoints to
create a VPN. I used to use a script to set up the VPN that I will post
below, but that script no longer works and I haven't been able to figure out
why. Before I upgraded, the VPN was working fine. (Though maybe I had some
security hole that is now caught by FreeBSD and is preventing my VPN from
working.)

If I turn IPSEC off, the tunnel works fine, so it isn't a routing or
interface issue, it must be something wrong with the way I'm setting up
IPSEC. The only weird thing I noticed was that on one of the machines, if I
do a 'netstat -sn -p ipsec', the 'inbound packets violated process security
policy' counter increases by one with every packet that host receives. That
does not seem to happen on the other host.

Here's some setkey output:
192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319
        refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319
        refcnt=1

setkey -DP (4.7-RELEASE):
10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760
        refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760
        refcnt=1

Here's my script. I use the same script on both machines, but I switch the
local and remote variables. Note that the add SAD entry IPs do not use the
variables, so they are the same on both machines.

# Tunnel endpoints and the networks behind them; local and remote are swapped on the other machine.
local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

# gif0 carries the inner addresses; the outer tunnel runs between local_ip and remote_ip.
ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

# Manually keyed SAs (same SPIs and keys on both hosts) and one tunnel policy per direction.
setkey -c << EOF
flush;
spdflush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar1";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar2";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF
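When debugging a policy mismatch like the one described in this message, the first thing worth checking is whether the two endpoints' SPDs actually mirror each other: every outbound tunnel policy on one host should appear as an inbound policy on the other with the same selector and the same outer endpoints, and each host's 'out' policies should name the same local address as its 'in' policies. The following Python script is an added example (not code from the original post or from FreeBSD): it parses the `setkey -DP` listing format shown above, runs those two checks, and also compares a script's prefix length with its ifconfig netmask. The sample dumps are constructed from the two listings in the message, with XX.XX.XX.XX and YY.YY.YY.YY kept as placeholders for the real public addresses; the deliberately broken dump is constructed as well.

```python
"""Consistency checks for two hosts' `setkey -DP` output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: str         # selector source, e.g. "10.10.1.1/24"
    dst: str         # selector destination
    direction: str   # "in", "out" or "fwd"
    proto: str       # "esp", "ah" or "ipcomp"
    mode: str        # "tunnel" or "transport"
    tunnel_src: str  # outer endpoints; "" in transport mode
    tunnel_dst: str
    level: str       # "require", "use" or "default"


# Line shapes as they appear in the post's `setkey -DP` listings.
HEADER = re.compile(r"^([^\[\s]+)\[[^\]]+\]\s+([^\[\s]+)\[[^\]]+\]\s+\S+$")
DIRECTION = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)$")
RULE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/"
                  r"(?:([^/\s-]+)-([^/\s]+))?/(\S+)$")


def parse_spd(dump: str) -> List[Policy]:
    """Turn a `setkey -DP` dump into Policy records; spid/refcnt lines are skipped."""
    policies: List[Policy] = []
    selector: Optional[dict] = None
    for line in dump.splitlines():
        if (m := HEADER.match(line)):
            selector = {"src": m.group(1), "dst": m.group(2)}
        elif selector is not None and (m := DIRECTION.match(line)):
            selector["direction"] = m.group(1)
        elif selector is not None and (m := RULE.match(line)):
            policies.append(Policy(selector["src"], selector["dst"],
                                   selector.get("direction", "?"),
                                   m.group(1), m.group(2),
                                   m.group(3) or "", m.group(4) or "", m.group(5)))
            selector = None
    return policies


def check_mirror(host_a: List[Policy], host_b: List[Policy]) -> List[str]:
    """Each tunnel policy on A must reappear on B with only the direction flipped."""
    flipped = {"out": "in", "in": "out"}
    problems = []
    for p in host_a:
        if p.mode != "tunnel" or p.direction not in flipped:
            continue
        want = Policy(p.src, p.dst, flipped[p.direction], p.proto, p.mode,
                      p.tunnel_src, p.tunnel_dst, p.level)
        if want not in host_b:
            problems.append(f"peer lacks '{want.direction}' policy for {p.src} -> "
                            f"{p.dst} via {p.tunnel_src}-{p.tunnel_dst}")
    return problems


def local_endpoint(policies: List[Policy]) -> str:
    """The address a host treats as its own: outer source of its 'out' tunnel
    policies and outer destination of its 'in' ones. More than one answer usually
    means the local/remote variables were not swapped consistently."""
    seen = {p.tunnel_src if p.direction == "out" else p.tunnel_dst
            for p in policies if p.mode == "tunnel" and p.direction in ("in", "out")}
    if len(seen) != 1:
        raise ValueError(f"SPD names several local endpoints: {sorted(seen)}")
    return next(iter(seen))


def netmask_to_prefixlen(mask: str) -> int:
    """255.255.0.0 -> 16; rejects non-contiguous masks."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    if len(bits) != 32 or "01" in bits:
        raise ValueError(f"not a valid netmask: {mask}")
    return bits.count("1")


def prefixlen_matches_netmask(prefixlen: str, mask: str) -> bool:
    """True when a script's *_prefixlen and *_netmask describe the same network."""
    return int(prefixlen) == netmask_to_prefixlen(mask)


# Constructed from the two listings in the post (first listing = host A).
HOST_A_DUMP = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319
        refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319
        refcnt=1
"""
HOST_B_DUMP = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760
        refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760
        refcnt=1
"""
# Constructed failure case: host B's inbound policy with its endpoints reversed.
HOST_B_BAD_DUMP = HOST_B_DUMP.replace(
    "esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require",
    "esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require")

if __name__ == "__main__":
    a, b = parse_spd(HOST_A_DUMP), parse_spd(HOST_B_DUMP)
    print("host A local endpoint:", local_endpoint(a))
    print("host B local endpoint:", local_endpoint(b))
    print("mirror problems:", check_mirror(a, b) or "none")
    print("mirror problems vs. broken peer:", check_mirror(a, parse_spd(HOST_B_BAD_DUMP)))
    print("script prefixlen 12 matches 255.255.0.0:",
          prefixlen_matches_netmask("12", "255.255.0.0"))
```

Run it against `setkey -DP` saved from each endpoint (the parser is written for the line format shown in this message; newer setkey versions print extra lifetime lines, which it simply ignores). On the two listings above the policies do mirror each other and each host names a single local endpoint, so a mismatch would have to be looked for elsewhere, for instance in the SAD entries, the inner addresses, or the prefix length passed to spdadd versus the netmask passed to ifconfig, which the last check reports.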


