Date: Fri, 25 Oct 2013 11:20:11 +0200 From: =?ISO-8859-1?Q?Olivier_Cochard=2DLabb=E9?= <olivier@cochard.me> To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Can't configure a simple IPSec (manual SA/SP) Message-ID: <CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi all, I'm trying to configure simple static IPSec SA/SP in tunnel mode on my FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel) but the IPSec configuration seems to be ignored. local private net (em0): 10.0.12.0/24 local end-point IP (em1): 10.0.23.2 remote private net: 10.0.45.0/24 remote end-point IP: 10.0.34.4 I'm configuring the static SA/SP entries like that: flush; spdflush; spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require; spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require; add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1"; add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2"; This configuration seems correctly applied: [root@R2]~# setkey -D 10.0.34.4 10.0.23.2 esp mode=any spi=4097(0x00001001) reqid=0(0x00000000) E: 3des-cbc 33646573 5f636f6d 706c6961 6e745f70 61737377 6f726432 seq=0x00000000 replay=0 flags=0x00000040 state=mature created: Oct 25 10:33:11 2013 current: Oct 25 11:08:49 2013 diff: 2138(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=1 pid=2024 refcnt=1 10.0.23.2 10.0.34.4 esp mode=any spi=4096(0x00001000) reqid=0(0x00000000) E: 3des-cbc 33646573 5f636f6d 706c6961 6e745f70 61737377 6f726431 seq=0x00000000 replay=0 flags=0x00000040 state=mature created: Oct 25 10:33:11 2013 current: Oct 25 11:08:49 2013 diff: 2138(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=2024 refcnt=1 [root@R2]~# setkey -DP 10.0.45.0/24[any] 10.0.12.0/24[any] any in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require spid=2 seq=1 pid=2025 refcnt=1 10.0.12.0/24[any] 10.0.45.0/24[any] any out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require spid=1 seq=0 pid=2025 refcnt=1 But when a machine in local_private_net try to ping a remote_private_net, the traffic is not tunnel/encrypted: [root@R2]~# tcpdump -pni em1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes 10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 0, length 64 10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 1, length 64 10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 2, length 64 I've try to enable IPSEC_DEBUG on my kernel: I've got nothing in my log. How can I get a more verbose IPsec log for spotting my problem ? Thanks, Olivier
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA>