Date: Tue, 16 Apr 2002 23:28:04 -0700
From: Charles Henrich <henrich@sigbus.com>
To: freebsd-questions@freebsd.org
Subject: ipencap instead of esp packets?
Message-ID: <20020416232804.A34302@sigbus.com>
I've set up IPsec according to several of the documents on the net, and it seems to be working correctly. However, when I went to install my firewall rules to allow

    00300 0 0 allow log udp from any to any 500
    00400 0 0 allow log esp from any to any

No packets successfully transferred. Allowing ipencap packets allowed the tunnels to work. This is on BSD-4.5; anyone have any suggestions as to why this might be? Also, how can I verify the packets are actually being encrypted?

Packet trace:

    17:22:31.937768 10.2.1.21 > 10.2.1.20: remote > local: ESP(spi=0x01c22750,seq=0xba) [tos 0x10] (ipip)
    17:22:31.938200 10.2.1.20 > 10.2.1.21: local > remote: ESP(spi=0x08dc78ca,seq=0x9e) [tos 0x10] (ipip)

    local# ifconfig -a
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<rxcsum,txcsum>
            inet 10.2.1.20 netmask 0xffff0000 broadcast 10.2.255.255
            ether 00:04:76:cc:0b:ad
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 10.2.1.20 --> 10.2.1.21
            inet 172.16.0.1 --> 172.16.1.1 netmask 0xffffff00

    local# setkey -PD
    172.16.1.0/24[any] 172.16.0.0/24[any] any
            in ipsec
            esp/tunnel/172.16.1.1-172.16.0.1/require
            spid=2 seq=1 pid=136 refcnt=1
    172.16.0.0/24[any] 172.16.1.0/24[any] any
            out ipsec
            esp/tunnel/172.16.0.1-172.16.1.1/require
            spid=1 seq=0 pid=136 refcnt=1

Any suggestions appreciated!
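An added example, not from the post or from FreeBSD: a small Python script that parses tcpdump lines in the form the trace above uses and reports, per packet, which ipfw protocol keyword (`esp` for IP protocol 50, `ipencap` for IP-in-IP, protocol 4) a rule must use to match the outermost header, then lists the outer protocols the post's two rules leave uncovered. It treats an inner "C > D:" address pair or a trailing "(ipip)" as the sign of an IP-in-IP outer header with ESP inside; the third trace line is constructed to show the ESP-outermost form.

```python
import re

# Constructed input: the two trace lines quoted in the post, plus one made-up
# line in the form tcpdump prints when ESP itself is the outermost header.
TRACE = """\
17:22:31.937768 10.2.1.21 > 10.2.1.20: remote > local: ESP(spi=0x01c22750,seq=0xba) [tos 0x10] (ipip)
17:22:31.938200 10.2.1.20 > 10.2.1.21: local > remote: ESP(spi=0x08dc78ca,seq=0x9e) [tos 0x10] (ipip)
17:22:40.000000 10.2.1.20 > 10.2.1.21: ESP(spi=0x0000beef,seq=0x1)
"""
# Protocols the post's ipfw rules allow (rule 00300 udp/500, rule 00400 esp).
ALLOWED = {"udp", "esp"}

# Outer "A > B:" pair, an optional inner "C > D:" pair (present when tcpdump
# decoded an IP-in-IP header first), then the payload protocol and its args.
LINE_RE = re.compile(
    r"^\S+\s+(?P<osrc>\S+) > (?P<odst>\S+): "
    r"(?:(?P<isrc>\S+) > (?P<idst>\S+): )?"
    r"(?P<proto>[A-Za-z]+)\((?P<args>[^)]*)\)(?P<rest>.*)$"
)

def classify(line):
    """Map one tcpdump line to the outer protocol keyword an ipfw rule needs:
    'ipencap' (IP-in-IP, protocol 4) or 'esp' (protocol 50); None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    spi = re.search(r"spi=(0x[0-9a-f]+)", m["args"])
    # An inner address pair or a trailing "(ipip)" means the packet on the
    # wire starts with an IP-in-IP header; ESP sits inside it, so an 'esp'
    # rule never sees it and only an 'ipencap' rule can match.
    ipip = m["isrc"] is not None or "(ipip)" in m["rest"]
    outer = "ipencap" if ipip else m["proto"].lower()
    return {"outer": outer, "src": m["osrc"], "dst": m["odst"],
            "spi": spi.group(1) if spi else None}

def required_protos(trace):
    """ipfw protocol keywords needed to pass every packet in the trace."""
    return {c["outer"] for c in map(classify, trace.splitlines()) if c}

def unmatched_protos(trace, allowed):
    """Outer protocols seen in the trace that no 'allow <proto>' rule covers."""
    return required_protos(trace) - set(allowed)

if __name__ == "__main__":
    for line in TRACE.splitlines():
        print(classify(line))
    print("rules still missing for:", sorted(unmatched_protos(TRACE, ALLOWED)))
```

The SPIs the script pulls out of the trace are the ones to compare against the SAD on each end; seeing an ESP header with an SPI in the capture, rather than the inner 172.16.x.x payload in clear, is the first check that traffic is actually being encapsulated in ESP.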