From: Murray Taylor <murraytaylor@bytecraftsystems.com>
Organization: Bytecraft Systems
To: freebsd-questions@freebsd.org
Date: Tue, 15 Apr 2003 10:09:01 +1000
Subject: ipsec.conf of death

We (well, my offsider) are having some trauma with ipsec.

He sent the forwarded message to me at 2300.

And here is a bit more from Michael at 2316:

--------------------------------------------------------------------
That bug or whatever only seems to affect the range directly above the cidr, and only when the length of the cidr is <24... so 1-23 cause everything to go rather awry...

Hopefully this gets addressed... i don't wanna have to chop everything but a /20 out of a /8 into /24 blocks for ipsec routing... would be rather ugly indeed :/
-------------------------------------------------------------------

and he continued to jump on it until 0457 ... and wants some help (some is going now, but comments are welcome)

--
Murray Taylor
Special Projects Engineer
---------------------------------
Bytecraft Systems & Entertainment
Phone: 61 3 8710 2555
Fax: 61 3 8710 2599
Direct: 61 3 9238 4275
Mobile: 61 0417 319 256
Email: murraytaylor@bytecraftsystems.com
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com


---------- Forwarded message ----------
From: "Michael Carew"
To: "Murray Taylor"
Subject: ipsec.conf of death
Date: Mon, 14 Apr 2003 23:04:31 +1000

Murray,

Not sure what the appropriate list is for this question.

Basically the attached ipsec.conf causes traffic from the local lan 10.250.11.0/24 to totally ream itself, with the ipsec router pushing packets destined for that lan out the ipsec tunnel. I can see no reason for this at all :/

Could there be something amiss in the ipsec cidr translations? This has me rather confused :(

Cheers,
Michael

p.s. All relevant private information has been stripped from the .conf, so it is safe to forward :)


Attachment: ipsec.conf

add 1.2.3.4 5.6.7.8 esp 6969 -E 3des-cbc "etcetcetcetcetcetcetcetc" -A hmac-md5 whateverwhateverwhateverwhateverwh;
add 5.6.7.8 1.2.3.4 esp 9696 -E 3des-cbc "ctectectectectectectecte" -A hmac-md5 revetahwrevetahwrevetahwrevetahwre;
spdadd 1.2.3.4 5.6.7.8 any -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 any -P in ipsec esp/transport//require;
spdadd 10.250.12.0/14 1.2.3.4 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 10.250.12.0/14 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 5.6.7.8 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
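Added example, not part of the mail thread and not code from FreeBSD or setkey: a small linter for the spdadd lines of the attached ipsec.conf. It assumes only the standard prefix semantics of addr/len selectors (the kernel compares the first len bits and ignores the rest), so a selector written as 10.250.12.0/14 really covers 10.248.0.0/14. Under that rule the lint flags the four selectors with host bits set and the two outbound tunnel policies whose destination covers the local LAN 10.250.11.0/24, and it shows that a LAN-to-LAN packet such as 10.250.11.10 -> 10.250.11.20 matches the tunnel policy, which is the symptom Michael describes. The hypothetical /22 replacement at the end is a constructed illustration of an aligned prefix, not the range the mail intended.

```python
"""Lint setkey-style spdadd selectors for host bits and local-LAN overlap.

Added example; assumes standard CIDR matching (first len bits only).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the spdadd lines of the attached ipsec.conf with the
# quoted-printable wrapping undone.
SPD_TEXT = """\
spdadd 1.2.3.4 5.6.7.8 any -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 any -P in ipsec esp/transport//require;
spdadd 10.250.12.0/14 1.2.3.4 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 10.250.12.0/14 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 5.6.7.8 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
"""

LOCAL_LAN = ip_network("10.250.11.0/24")  # the LAN named in the mail

# spdadd <src> <dst> <upperspec> -P <dir> <policy>;
SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.+);$")


def effective_prefix(selector):
    """The range a selector covers once bits beyond the prefix length are masked."""
    return ip_network(selector, strict=False)


def has_host_bits(selector):
    """True when addr/len has bits set beyond len, e.g. 10.250.12.0/14."""
    if "/" not in selector:
        return False          # a bare host address has no prefix to misalign
    try:
        ip_network(selector, strict=True)
    except ValueError:
        return True
    return False


def parse_spd(text):
    """Parse spdadd lines into dicts; other lines (add, comments) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD.match(line)
        if m is None:
            raise ValueError("unparsed spdadd line: " + line)
        src, dst, upper, direction, policy = m.groups()
        entries.append({"src": src, "dst": dst, "upper": upper,
                        "dir": direction, "policy": policy})
    return entries


def lint(entries, local_lan=LOCAL_LAN):
    """Findings: misaligned selectors, and outbound tunnel policies that
    would carry traffic addressed to the local LAN into the tunnel."""
    findings = []
    for e in entries:
        for field in ("src", "dst"):
            sel = e[field]
            if has_host_bits(sel):
                findings.append(f"{field} {sel} has host bits set; "
                                f"kernel matches on {effective_prefix(sel)}")
        if (e["dir"] == "out" and "tunnel" in e["policy"]
                and effective_prefix(e["dst"]).overlaps(local_lan)):
            findings.append(f"out policy {e['src']} -> {e['dst']} "
                            f"covers local LAN {local_lan}")
    return findings


def matching_policies(entries, src_ip, dst_ip, direction):
    """Policies whose selectors match a packet src_ip -> dst_ip."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return [e["policy"] for e in entries
            if e["dir"] == direction
            and s in effective_prefix(e["src"])
            and d in effective_prefix(e["dst"])]


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    for finding in lint(spd):
        print(finding)
    # A packet between two hosts on the local LAN:
    print(matching_policies(spd, "10.250.11.10", "10.250.11.20", "out"))
    # Hypothetical aligned prefix (constructed, not the mail's intended range):
    print(lint(parse_spd(SPD_TEXT.replace("/14", "/22"))))
```

The useful check is has_host_bits: any selector it flags does not mean what it reads as, and the operator should compare effective_prefix() of every tunnel selector against the local LAN before loading the file with setkey. Which prefix to use instead depends on the remote range actually intended, which the mail does not state.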