Date: Fri, 31 Jan 2003 05:39:25 -0800 From: Peter Haight <peterh@sapros.com> To: freebsd-stable@freebsd.org Subject: IPSEC problems after upgrade Message-ID: <200301311339.h0VDdPLG014367@wartch.sapros.com>
I've now upgraded two machines that I use as IPSEC tunnel endpoints to create a VPN. I used to use a script to set up the VPN that I will post below, but that script no longer works and I haven't been able to figure out why. Before I upgraded, the VPN was working fine. (Though maybe I had some security hole that is now caught by FreeBSD and is preventing my VPN from working.)

If I turn IPSEC off, the tunnel works fine, so it isn't a routing or interface issue; it must be something wrong with the way I'm setting up IPSEC. The only weird thing I noticed was that on one of the machines, if I do a 'netstat -sn -p ipsec', the 'inbound packets violated process security policy' counter increases by one with every packet that host receives. That does not seem to happen on the other host.

Here's some setkey output:

192.168.1.1/24[any] 10.10.1.1/24[any] any
	in ipsec
	esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
	spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
	out ipsec
	esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
	spid=23 seq=0 pid=24319 refcnt=1

setkey -DP (4.7-RELEASE):

10.10.1.1/24[any] 192.168.1.1/24[any] any
	in ipsec
	esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
	spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
	out ipsec
	esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
	spid=3 seq=0 pid=8760 refcnt=1

Here's my script. I use the same script on both machines, but I switch the local and remote variables. Note that the add SAD entry IPs do not use the variables, so they are the same on both machines.
#!/bin/sh
# Local/remote variables are swapped when the script is run on the other endpoint.
local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

# gif tunnel between the two public addresses, carrying the private networks
ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

# SAD entries use fixed addresses and are identical on both machines;
# SPD entries are built from the local/remote variables.
setkey -c << EOF
flush;
spdflush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar1";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar2";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF
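An added example, not part of the post above: the 'inbound packets violated process security policy' counter counts inbound packets that fail the SPD check, so a first thing to verify is that every 'in' policy on one host has the matching 'out' policy on its peer (same selectors and tunnel endpoints, only the direction flipped). This script parses `setkey -DP` output from both ends and reports entries with no counterpart; the sample output is constructed from the post's networks, with 192.0.2.1 and 198.51.100.1 standing in for the masked public addresses.

```python
# Constructed `setkey -DP` output for both endpoints, using the post's networks;
# 192.0.2.1 stands in for XX.XX.XX.XX and 198.51.100.1 for YY.YY.YY.YY.
HOST_XX = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/require
\tspid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/require
\tspid=3 seq=0 pid=8760 refcnt=1
"""
HOST_YY = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
\tin ipsec
\tesp/tunnel/192.0.2.1-198.51.100.1/require
\tspid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-192.0.2.1/require
\tspid=23 seq=0 pid=24319 refcnt=1
"""

def parse_spd(text):
    """Parse `setkey -DP` output into one dict per policy entry."""
    entries, cur = [], None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[:1].isspace():                # selector line: src dst proto
            cur = {"src": words[0].split("[")[0], "dst": words[1].split("[")[0],
                   "proto": words[2]}
            entries.append(cur)
        elif words[0] in ("in", "out"):           # direction and action
            cur["dir"], cur["action"] = words[0], words[1]
        elif "/" in words[0] and "=" not in words[0]:  # esp/tunnel/A-B/require
            cur["ipsec"] = words[0]
    return entries

def key(e, peer_view=False):
    """Comparable tuple; peer_view flips in/out, as the peer sees the same packet."""
    d = {"in": "out", "out": "in"}[e["dir"]] if peer_view else e["dir"]
    return (e["src"], e["dst"], e["proto"], d, e["action"], e.get("ipsec", ""))

def unmatched(local, peer):
    """Entries of local whose counterpart is missing from the peer's SPD."""
    peer_keys = {key(p) for p in peer}
    return [e for e in local if key(e, peer_view=True) not in peer_keys]
```

Run `unmatched(parse_spd(a), parse_spd(b))` in both orders with the real `setkey -DP` output of each host; an empty list in both directions means the two SPDs agree, and any entry returned is a policy the other end cannot satisfy.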