Date:      Mon, 19 May 2003 15:46:51 +0200
From:      souris <souris@nerim.net>
To:        freebsd-net@freebsd.org
Subject:   About IPsec ...
Message-ID:  <20030519154651.52d77bff.souris@nerim.net>

Hi,

I tried to make IPsec work between 2 computers: FreeBSD 4.8 and NetBSD 1.5.2

While following the handbook: http://www.fr.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
I noticed something.
<From Handbook>
setkey -c
    spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
    ah/transport/10.2.3.4-10.6.7.8/require ;
    ^D

At B:

# setkey -c
    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    esp/transport/10.6.7.8-10.2.3.4/require ;
    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    ah/transport/10.6.7.8-10.2.3.4/require ;
    ^D

</From Handbook>

From A: only "OUT" traffic is set
From B: 2 "OUT" traffics are set. It seems to be two different protocols ... so it doesn't matter, but still no "IN" traffic is set.

I tried to simulate exactly the same as the handbook, and setkey gave me an error:

root@sexy 14:19 /home/souris$ setkey -c 
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
The result of line 4: File exists.

(I've just flushed all the setkey's rules before doing that)

In the other examples, like IPv6 etc ... there is an OUT and an IN traffic set. It seems that without "IN" traffic set, IPsec doesn't work ... Traffic goes out but not in:

14:05:07.973207 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x37d813cc): icmp: echo request
14:05:08.979010 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x99378b78): icmp: echo request

I am obviously not the first one to use this book, but there is a mistake somewhere ...

May somebody help me?

thx

--
souris
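As an added illustration (not part of the original post or the handbook), the following script checks a set of setkey(8) `spdadd` lines for the two problems described in the mail: two policies that share one selector (src, dst, upperspec, direction), which the kernel rejects with EEXIST ("File exists") because SPD entries are keyed on the selector rather than on the protocol, and outbound policies on a host that have no mirrored inbound policy, so reply packets are not matched. The sample inputs are constructed from the host-B snippet in the mail plus a corrected bidirectional pair; the policy syntax used is the standard setkey grammar, and the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample 1: the host-B policy exactly as quoted from the handbook.
HANDBOOK_B = """
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    ah/transport/10.6.7.8-10.2.3.4/require ;
"""

# Constructed sample 2: one selector per direction, both requests in one policy,
# plus the mirrored inbound policy so replies from the peer are matched.
BIDIRECTIONAL = """
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport//require ah/transport//require ;
spdadd 10.2.3.4 10.6.7.8 any -P in  ipsec esp/transport//require ah/transport//require ;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> <ipsec|discard|none> [requests...] ;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)(.*?);",
    re.S,
)

def parse_spd(text):
    """Return a list of (src, dst, upperspec, direction, [requests]) tuples."""
    entries = []
    for m in SPD_RE.finditer(text):
        src, dst, upper, direction, _policy, rest = m.groups()
        entries.append((src, dst, upper, direction, rest.split()))
    return entries

def duplicate_selectors(entries):
    """Selectors used by more than one spdadd; the second add fails with
    'File exists' no matter which protocol (ah/esp) the request names."""
    counts = Counter(e[:4] for e in entries)
    return [sel for sel, n in counts.items() if n > 1]

def missing_inbound(entries):
    """Outbound selectors on this host with no (dst, src, upper, 'in') twin."""
    have = {e[:4] for e in entries}
    return [e[:4] for e in entries
            if e[3] == "out" and (e[1], e[0], e[2], "in") not in have]

if __name__ == "__main__":
    for name, text in (("handbook B", HANDBOOK_B), ("bidirectional", BIDIRECTIONAL)):
        ents = parse_spd(text)
        print(name, "duplicates:", duplicate_selectors(ents))
        print(name, "out without in:", missing_inbound(ents))
```

The check is per host: run it over the SPD of each peer separately, since the inbound policy for B's outbound traffic must live on A and vice versa.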