Date:      Fri, 25 Oct 2013 11:20:11 +0200
From:      Olivier Cochard-Labbé <olivier@cochard.me>
To:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Can't configure a simple IPSec (manual SA/SP)
Message-ID:  <CA+q+TcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com>

Hi all,

I'm trying to configure a simple static IPSec SA/SP in tunnel mode on my
FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel), but the IPSec
configuration seems to be ignored.

local private net (em0): 10.0.12.0/24
local end-point IP (em1): 10.0.23.2
remote private net: 10.0.45.0/24
remote end-point IP: 10.0.34.4

I'm configuring the static SA/SP entries like this:

flush;
spdflush;
spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec
esp/tunnel/10.0.23.2-10.0.34.4/require;
spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec
esp/tunnel/10.0.34.4-10.0.23.2/require;
add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1";
add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2";

This configuration seems correctly applied:

[root@R2]~# setkey -D
10.0.34.4 10.0.23.2
        esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
        E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726432
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Oct 25 10:33:11 2013   current: Oct 25 11:08:49 2013
        diff: 2138(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=2024 refcnt=1
10.0.23.2 10.0.34.4
        esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726431
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Oct 25 10:33:11 2013   current: Oct 25 11:08:49 2013
        diff: 2138(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=2024 refcnt=1
[root@R2]~# setkey -DP
10.0.45.0/24[any] 10.0.12.0/24[any] any
        in ipsec
        esp/tunnel/10.0.34.4-10.0.23.2/require
        spid=2 seq=1 pid=2025
        refcnt=1
10.0.12.0/24[any] 10.0.45.0/24[any] any
        out ipsec
        esp/tunnel/10.0.23.2-10.0.34.4/require
        spid=1 seq=0 pid=2025
        refcnt=1

But when a machine in local_private_net tries to ping a machine in
remote_private_net, the traffic is not tunneled/encrypted:

[root@R2]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
seq 0, length 64
10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
seq 1, length 64
10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913,
seq 2, length 64

I've tried enabling IPSEC_DEBUG in my kernel: I got nothing in my log.

How can I get a more verbose IPsec log for spotting my problem?

Thanks,

Olivier
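Before turning up kernel logging, it helps to cross-check the two dumps against each other mechanically. The following Python is an added example (it is not from the original mail, from FreeBSD, or from setkey): it parses `setkey -D` and `setkey -DP` output in the exact line layout shown above (an assumption; other setkey versions may print differently), and reports any policy whose tunnel endpoints have no SA of the right protocol, or whose SA carries a key of the wrong length for its cipher. The dumps are embedded as constructed sample input copied from the message.

```python
import re
# Constructed sample input: the setkey -D (SAD) and -DP (SPD) dumps from the message above.
SAD_DUMP = """\
10.0.34.4 10.0.23.2
        esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
        E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726432
10.0.23.2 10.0.34.4
        esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726431
"""
SPD_DUMP = """\
10.0.45.0/24[any] 10.0.12.0/24[any] any
        in ipsec
        esp/tunnel/10.0.34.4-10.0.23.2/require
10.0.12.0/24[any] 10.0.45.0/24[any] any
        out ipsec
        esp/tunnel/10.0.23.2-10.0.34.4/require
"""
KEY_BYTES = {"3des-cbc": 24, "des-cbc": 8}  # key length (bytes) each cipher requires
# Assumed line layout: "src dst" header, then "proto mode= spi=" line, then "E: alg hex..." line.
SA_RE = re.compile(r"^(\S+) (\S+)\n\s+(\w+) mode=(\w+) spi=(\d+).*\n"
                   r"\s+E: (\S+)\s+([0-9a-f ]+)$", re.M)
SP_RE = re.compile(r"^(\S+)\[\w+\] (\S+)\[\w+\] \S+\n\s+(in|out) ipsec\n"
                   r"\s+(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)", re.M)

def parse_sad(text):
    """One dict per SA: src, dst, proto, mode, spi, alg and the raw key bytes."""
    return [dict(src=m[1], dst=m[2], proto=m[3], mode=m[4], spi=int(m[5]),
                 alg=m[6], key=bytes.fromhex(m[7].replace(" ", "")))
            for m in SA_RE.finditer(text)]

def parse_spd(text):
    """One dict per policy: selector, direction, protocol, mode, endpoints, level."""
    return [dict(src=m[1], dst=m[2], dir=m[3], proto=m[4], mode=m[5],
                 ep_src=m[6], ep_dst=m[7], level=m[8])
            for m in SP_RE.finditer(text)]

def check(sas, pols):
    """Each policy needs an SA of its protocol between its endpoints with a correctly sized key."""
    findings = []
    for p in pols:
        tag = f"{p['dir']} {p['src']}->{p['dst']}"
        hits = [s for s in sas if (s["src"], s["dst"], s["proto"]) == (p["ep_src"], p["ep_dst"], p["proto"])]
        if not hits:
            findings.append(f"{tag}: no {p['proto']} SA for {p['ep_src']}-{p['ep_dst']}")
        for s in hits:
            need = KEY_BYTES.get(s["alg"])
            if need and len(s["key"]) != need:
                findings.append(f"{tag}: spi={s['spi']} key {len(s['key'])}B, {s['alg']} needs {need}B")
    return findings  # empty list means SAD and SPD are mutually consistent
```

On the dumps from the message, `check(parse_sad(SAD_DUMP), parse_spd(SPD_DUMP))` returns an empty list: both policies have a matching ESP SA with a 24-byte 3DES key, so the mismatch has to be looked for elsewhere (forwarding path, packet selectors) rather than in the SA/SP pairing itself.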