From owner-freebsd-stable Fri Jan 31 5:39:34 2003
Message-Id: <200301311339.h0VDdPLG014367@wartch.sapros.com>
To: freebsd-stable@freebsd.org
Subject: IPSEC problems after upgrade
Date: Fri, 31 Jan 2003 05:39:25 -0800
From: Peter Haight

I've now upgraded two machines that I use as IPSEC tunnel endpoints to create a VPN. I used to use a script to set up the VPN, which I will post below, but that script no longer works and I haven't been able to figure out why. Before I upgraded, the VPN was working fine. (Though maybe I had some security hole that is now caught by FreeBSD and is preventing my VPN from working.) If I turn IPSEC off, the tunnel works fine, so it isn't a routing or interface issue; it must be something wrong with the way I'm setting up IPSEC.

The only weird thing I noticed was that on one of the machines, if I do a 'netstat -sn -p ipsec', the 'inbound packets violated process security policy' counter increases by one with every packet that host receives. That does not seem to happen on the other host.
Here's some setkey output:

192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319 refcnt=1

setkey -DP (4.7-RELEASE):

10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760 refcnt=1

Here's my script. I use the same script on both machines, but I switch the local and remote variables. Note that the add SAD entry IPs do not use the variables, so they are the same on both machines.

#!/bin/sh
local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

setkey -c << EOF
flush;
spdflush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar1";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar2";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF
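As an added example (not from the post or from FreeBSD), a small Python check that parses the two `setkey -DP` dumps above and verifies that the two hosts' SPDs mirror each other: each host's out policy must equal its peer's in policy field by field, and each host's in tunnel must be its own out tunnel reversed. The dumps are embedded as constructed input with the post's XX/YY placeholder addresses.

```python
import re

# Constructed sample input: the two `setkey -DP` dumps quoted in the post,
# with the placeholder addresses XX.XX.XX.XX / YY.YY.YY.YY kept as written.
HOST_A = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
        in ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=24 seq=1 pid=24319 refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
        out ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=23 seq=0 pid=24319 refcnt=1
"""
HOST_B = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
        in ipsec
        esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
        spid=4 seq=1 pid=8760 refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
        out ipsec
        esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
        spid=3 seq=0 pid=8760 refcnt=1
"""

# One SPD entry: "<src>[any] <dst>[any] <proto>", "<dir> ipsec", "esp/tunnel/<tsrc>-<tdst>/<level>".
ENTRY = re.compile(r"(?P<src>\S+)\[any\]\s+(?P<dst>\S+)\[any\]\s+\S+\s+"
                   r"(?P<dir>in|out)\s+ipsec\s+esp/tunnel/"
                   r"(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)")

def parse_spd(dump):
    """Map 'in'/'out' to the fields of that policy in a `setkey -DP` dump."""
    return {m["dir"]: m.groupdict() for m in ENTRY.finditer(dump)}

def check_pair(local, peer):
    """Return mismatches between a host's SPD and its tunnel peer's SPD
    (empty list when the two policy sets mirror each other correctly)."""
    problems = []
    for name, spd in (("local", local), ("peer", peer)):
        missing = {"in", "out"} - set(spd)
        if missing:
            return [f"{name}: SPD lacks {', '.join(sorted(missing))} policy"]
        if (spd["in"]["tsrc"], spd["in"]["tdst"]) != (
                spd["out"]["tdst"], spd["out"]["tsrc"]):
            problems.append(f"{name}: 'in' tunnel is not the 'out' tunnel reversed")
    for label, a, b in (("local out / peer in", local["out"], peer["in"]),
                        ("peer out / local in", peer["out"], local["in"])):
        problems += [f"{label}: {f} differs ({a[f]} vs {b[f]})"
                     for f in ("src", "dst", "tsrc", "tdst", "level") if a[f] != b[f]]
    return problems
```

For the dumps in the post, `check_pair(parse_spd(HOST_A), parse_spd(HOST_B))` returns an empty list, so the SPDs themselves are consistent; feed it the output of `setkey -DP` from each real endpoint to confirm the same on live hosts.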