Date:      Tue, 16 Apr 2002 23:28:04 -0700
From:      Charles Henrich <henrich@sigbus.com>
To:        freebsd-questions@freebsd.org
Subject:   ipencap instead of esp packets?
Message-ID:  <20020416232804.A34302@sigbus.com>

I've set up IPsec according to several of the documents on the net, and it
seems to be working correctly.  However, when I went to install my firewall
rules to allow

00300   0     0 allow log udp from any to any 500
00400   0     0 allow log esp from any to any

no packets were successfully transferred.  Allowing ipencap packets allowed the
tunnels to work.  This is on BSD-4.5, anyone have any suggestions as to why
this might be?  Also, how can I verify the packets are actually being
encrypted?

Packet trace:

17:22:31.937768 10.2.1.21 > 10.2.1.20: remote > local: ESP(spi=0x01c22750,seq=0xba) [tos 0x10]  (ipip)
17:22:31.938200 10.2.1.20 > 10.2.1.21: local > remote: ESP(spi=0x08dc78ca,seq=0x9e) [tos 0x10]  (ipip)

local# ifconfig -a
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 10.2.1.20 netmask 0xffff0000 broadcast 10.2.255.255
        ether 00:04:76:cc:0b:ad 
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.2.1.20 --> 10.2.1.21
        inet 172.16.0.1 --> 172.16.1.1 netmask 0xffffff00 

local# setkey -PD
172.16.1.0/24[any] 172.16.0.0/24[any] any
        in ipsec
        esp/tunnel/172.16.1.1-172.16.0.1/require
        spid=2 seq=1 pid=136
        refcnt=1
172.16.0.0/24[any] 172.16.1.0/24[any] any
        out ipsec
        esp/tunnel/172.16.0.1-172.16.1.1/require
        spid=1 seq=0 pid=136
        refcnt=1

Any suggestions appreciated!
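An added check, not part of the original post, that reads the tcpdump, ifconfig and setkey output quoted above and reports which protocol the outermost IP header carries, which is what an ipfw `allow <proto>` rule matches on. It assumes tcpdump's IP-in-IP layout (outer addresses, then inner addresses, then the payload protocol, with a trailing "(ipip)"); the function names and the sample strings are mine, copied from the post.

```python
import re

# Constructed sample input, copied from the trace and command output in the post.
TRACE = """\
17:22:31.937768 10.2.1.21 > 10.2.1.20: remote > local: ESP(spi=0x01c22750,seq=0xba) [tos 0x10]  (ipip)
17:22:31.938200 10.2.1.20 > 10.2.1.21: local > remote: ESP(spi=0x08dc78ca,seq=0x9e) [tos 0x10]  (ipip)
"""
IFCONFIG_GIF = """\
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.2.1.20 --> 10.2.1.21
        inet 172.16.0.1 --> 172.16.1.1 netmask 0xffffff00
"""
SETKEY_PD = """\
172.16.0.0/24[any] 172.16.1.0/24[any] any
        out ipsec
        esp/tunnel/172.16.0.1-172.16.1.1/require
"""


def parse_trace_line(line):
    """Classify one tcpdump line the way a packet filter would.

    Assumed layout for IP-in-IP: 'outer_src > outer_dst: inner_src > inner_dst:
    PROTO(...) ... (ipip)'.  Without encapsulation only one 'src > dst:' pair
    precedes the protocol name.  Returns a dict with the protocol of the outermost
    header ('outer'), the protocol nested inside it ('inner', None if no
    encapsulation) and the outer address pair.
    """
    line = line.strip()
    pairs = re.findall(r"(\S+) > (\S+): ", line)
    proto = re.search(r": ([A-Za-z]+)\(", line)
    if not pairs or not proto:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    payload = proto.group(1).lower()              # e.g. "esp"
    if line.endswith("(ipip)"):
        # Outer header is IP-in-IP, IP protocol 4, named "ipencap" in /etc/protocols.
        return {"outer": "ipencap", "inner": payload, "addrs": pairs[0]}
    return {"outer": payload, "inner": None, "addrs": pairs[0]}


def ipfw_protocols(trace):
    """Protocol names an 'allow <proto> from any to any' rule must use so that
    every packet in the trace is matched by the filter."""
    return {parse_trace_line(l)["outer"] for l in trace.splitlines() if l.strip()}


def esp_endpoints_inside_gif(setkey_out, ifconfig_out):
    """True when the SPD's ESP tunnel endpoints are the gif interface's *inner*
    addresses, i.e. ESP is applied before gif wraps the packet in IP-in-IP, so
    the filter on the physical interface never sees protocol 50 on the outside."""
    gif_inner = set(re.findall(r"^\s+inet (\S+) --> (\S+)", ifconfig_out, re.M)[0])
    esp_ends = set(re.findall(r"esp/tunnel/(\S+)-(\S+)/", setkey_out)[0])
    return esp_ends == gif_inner
```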

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020416232804.A34302>