Date: Sun, 19 Jan 2003 13:24:01 -0800 (PST) From: Joe <josepha48@yahoo.com> To: freebsd-questions@FreeBSD.ORG Subject: ipsec bridging, natd, HELP! Message-ID: <20030119212401.14272.qmail@web41004.mail.yahoo.com>
Hello,
I have set up a nice little gateway / router using FreeBSD.
It works very nice so far.
I desperately need help with ipsec. I have searched the
internet and read the FAQs. My problem is that I have not
found an easy way to tell if it is working. I am guessing it is
not.
Here is the setup.
3 interfaces: xl0, xl1, wi0
xl0 is the external interface. All traffic is natted through
this interface.
xl1 is the internal wired interface
wi0 is the wireless interface
xl1 -> xl0 works fine
wi0 -> xl1 are bridged (sysctl
net.link.ether.bridge_cfg="wi0 xl1"); this also works fine.
I have enabled 128 bit wep, as a quick and dirty way of
getting the network 'somewhat' secure. At least the data is not
in clear text. There is little threat from a wireless hacker
here too, as there is not sufficient range (tested, much
concrete here)
I now want to set up ipsec. So I read the handbook, and
searched the net.
Before ipsec:
a ping from the wireless laptop to xl1 gives a normal reply.
After ipsec:
a ping from the wireless laptop to xl1 gives NO response.
I can access the internet though. I run netstat -sn -p
ipsec on both machines and it seems that both are sending
outbound packets correctly
e.g.:
55 outbound packets processed successfully
However, I also see,
e.g.:
35 inbound packets with no SA available
I want to secure traffic between xl1 and my laptop. esp
would be fine, as I have read that you cannot use ah with natd.
I also want to use ipcomp.
The basic setup is:
ipsec.conf (setkey syntax; SAs are the same on both machines, the
policies point the other way on the client):
add <machine a ip> <machine b ip> esp 7000 -E <algorithm from man page> "the key";
add <machine b ip> <machine a ip> esp 17000 -E <algorithm from man page> "the key";
add <machine a ip> <machine b ip> ipcomp 7002 -C deflate;
add <machine b ip> <machine a ip> ipcomp 17002 -C deflate;
spdadd <machine a ip> <machine b ip> any -P out ipsec esp/transport//use ipcomp/transport//use;
spdadd <machine b ip> <machine a ip> any -P in ipsec esp/transport//use ipcomp/transport//use;
The difference is in the spdadd lines: on the client machine the
in and out statements are switched. This is what I have read.
So how do I tell if this is actually working, and why can't I
ping the machine after starting ipsec?
Also shouldn't I be able to do this setup (bridging / nat) with
ipsec?
Thanks,
Joe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030119212401.14272.qmail>
