From: "Erik Norvelle"
To: "Lars Eggert"
Subject: RE: 4.4-CURRENT problems getting IPSec to function
Date: Fri, 16 Nov 2001 04:54:07 -0700
In-Reply-To: <3BE84F94.1060304@isi.edu>
Sender: owner-freebsd-net@FreeBSD.ORG

Lars (and anyone else who can help):

I have attempted to follow your advice, by configuring my machines to use IPSEC tunnel mode only. However, I still can't get ping packets to go between the two internal networks. My /etc/ipsec.conf files on both machines are as follows:

--- Begin included file ---
flush;
spdflush;
# Note that the add rules are the same as on Node B!
spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
--- End included file ---

For the test situation, I have set up my ipfilter to allow everything to pass, both in and out, on both the internal and external interfaces. Also, I have turned off IPNAT completely.

I *have* been able to get transport mode working between the two external interfaces. Racoon successfully exchanged keys, and a perusal of netstat -sn output showed that IPSEC packets were in fact being passed. However, tunnel mode between the two internal networks does not produce any IPSEC packets or key exchange traffic at all.

Thanks for your help.

-Erik

--------------------------------------------
Erik Norvelle
Support Systems Analyst, Sr.
Distributed Learning Laboratory
Educational Communications and Technologies
College of Agriculture and Life Sciences
The University of Arizona
Phone: 520-621-7663
Fax: 520-626-8688
email: norvelle@ag.arizona.edu
Address: 224 Forbes Bldg., Tucson, AZ 85721
--------------------------------------------
Credo in Unum Deum
--------------------------------------------

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG] On Behalf Of Lars Eggert
Sent: Tuesday, November 06, 2001 2:01 PM
To: Erik Norvelle
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: 4.4-CURRENT problems getting IPSec to function

Erik Norvelle wrote:
> My setup is as follows:
>
> Network #1 (192.168.1.0/24)
> |
> |
> Gateway #1 (inner interface [xl0] = 192.168.1.1)
> (outer interface [fxp0] = xxx.yyy.40.122)
> |
> |
> (internet)
> |
> |
> Gateway #2 (outer interface [fxp0] = xxx.yyy.40.135)
> (inner interface [xl0] = 10.20.0.1)
> |
> |
> Network #2 (10.20.0.0/24)
>
> The result of my setup is that I get the gif0 interface created and
> configured properly (in tunnel mode, using ESP), and I set up my policy
> database using setkey.

You want to use *either* IPIP tunnels (i.e. gif interfaces) and IPsec transport mode *or* IPsec tunnel mode. Don't mix them. I'd recommend using the former.

If you use IPIP + IPsec transport, you will need to set up routes so that traffic for the remote network is routed into the tunnel. If you use IPsec tunnel mode, the SAs will do the encapsulation for you.

Also see http://www.isi.edu/~touch/pubs/draft-touch-ipsec-vpn-01.txt (expired, -02 is in preparation for the next IETF).

> netstat -sn reveals that there is some UDP key exchange traffic going on
> (at least, once I start racoon). However, there is *no* ESP traffic --
> all the counters are zero.

If you use racoon, you should read the KAME IMPLEMENTATION file on how to use IKE with IPIP tunnels and IPsec.

> * Installed and set up IPFILTER and IPNAT. These are working great on
> their own, however there may be conflicts with IPSec that are caused by
> how I have filtering/NAT set up. IPFILTER is set up to allow ISAKMP
> traffic,

I'd recommend doing this step by step. The first step would be to get IPsec working between your gateways. Once that works, I'd go on and set up NAT. Doing both at the same time means you have many variables in your setup.

Lars

-- 
Lars Eggert
Information Sciences Institute
http://www.isi.edu/larse/
University of Southern California

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
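Added example, not from the thread: a small Python generator and checker for the setkey(8) spdadd entries this topology needs. It assumes the addresses in Erik's diagram (the xxx.yyy prefix stays the placeholder it is in the post) and the setkey rule that in tunnel mode the esp/tunnel/src-dst endpoints are written in the direction the packet travels, so the two gateways need mirrored entries rather than identical ones; run against a constructed copy of the posted file it reports what does not fit each gateway.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    name: str
    outer: str      # public address, i.e. the tunnel endpoint
    inner_net: str  # network behind this gateway

def spd_entries(local, remote, level="require"):
    # Selector = inner networks; esp/tunnel/src-dst = SA endpoints in the packet's
    # direction (local-remote for 'out', remote-local for 'in'), so the two
    # gateways get mirrored entries, not identical ones.
    out = (f"spdadd {local.inner_net} {remote.inner_net} any -P out ipsec "
           f"esp/tunnel/{local.outer}-{remote.outer}/{level};")
    inb = (f"spdadd {remote.inner_net} {local.inner_net} any -P in ipsec "
           f"esp/tunnel/{remote.outer}-{local.outer}/{level};")
    return [out, inb]

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([^-\s]+)-(\S+?)/(\w+)\s*;")

def check_config(text, local, remote):
    """List what is wrong with a policy file if it is loaded on `local`."""
    problems = []
    for src, dst, direction, ep_src, ep_dst, level in SPD_RE.findall(text):
        outbound = direction == "out"
        nets = (local.inner_net, remote.inner_net) if outbound else (remote.inner_net, local.inner_net)
        eps = (local.outer, remote.outer) if outbound else (remote.outer, local.outer)
        if (src, dst) != nets:
            problems.append(f"{direction}: selector {src}->{dst}, expected {nets[0]}->{nets[1]}")
        if (ep_src, ep_dst) != eps:  # SA named in the wrong direction: never matches what racoon sets up
            problems.append(f"{direction}: endpoints {ep_src}-{ep_dst}, expected {eps[0]}-{eps[1]}")
        if level != "require":  # e.g. 'use' passes traffic in the clear when no SA exists
            problems.append(f"{direction}: level '{level}' can pass traffic unprotected")
    return problems

GW1 = Gateway("Gateway #1", "xxx.yyy.40.122", "192.168.1.0/24")
GW2 = Gateway("Gateway #2", "xxx.yyy.40.135", "10.20.0.0/24")
# Constructed copy of the entries from the post, which were loaded unchanged on both nodes.
POSTED = """\
spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
"""

if __name__ == "__main__":
    for gw, peer in ((GW1, GW2), (GW2, GW1)):
        print(f"# {gw.name} needs:\n" + "\n".join(spd_entries(gw, peer)))
        for p in check_config(POSTED, gw, peer):
            print(f"#   posted file on {gw.name} -> {p}")
```

The posted file has the right selectors but reversed endpoints for Gateway #1, and the right endpoints but reversed selectors for Gateway #2, which is why neither side ever builds an SA for the inner networks.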