Date: Tue, 15 Apr 2003 10:09:01 +1000
From: Murray Taylor <murraytaylor@bytecraftsystems.com>
To: freebsd-questions@freebsd.org
Subject: ipsec.conf of death
Message-ID: <200304151009.01104.murraytaylor@bytecraftsystems.com>
We (well, my offsider) are having some trauma with ipsec.

He sent the forwarded message to me at 2300, and here is a bit more from Michael at 2316:

--------------------------------------------------------------------
That bug or whatever only seems to affect the range directly above the
cidr, and only when the length of the cidr is <24... so 1-23 cause
everything to go rather awry... Hopefully this gets addressed... I don't
wanna have to chop everything but a /20 out of a /8 into /24 blocks for
ipsec routing... would be rather ugly indeed :/
--------------------------------------------------------------------

and he continued to jump on it until 0457 ... and wants some help (some is going now, but comments are welcome).

-- 
Murray Taylor
Special Projects Engineer
---------------------------------
Bytecraft Systems & Entertainment
Phone:  61 3 8710 2555
Fax:    61 3 8710 2599
Direct: 61 3 9238 4275
Mobile: 61 0417 319 256
Email:  murraytaylor@bytecraftsystems.com
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com
-------------------- Forwarded message --------------------
From: "Michael Carew" <michaelcarew@bytecraftsystems.com>
To: "Murray Taylor" <taylorm@bytecraft.au.com>
Subject: ipsec.conf of death
Date: Mon, 14 Apr 2003 23:04:31 +1000

Murray,

Not sure what the appropriate list is for this question.

Basically the attached ipsec.conf causes traffic from the local lan 10.250.11.0/24 to totally ream itself, with the ipsec router pushing packets destined for that lan out the ipsec tunnel.

I can see no reason for this at all :/

Could there be something amiss in the ipsec cidr translations? This has me rather confused :(

Cheers,
Michael

p.s. All relevant private information has been stripped from the .conf, so it is safe to forward :)

[Attachment: ipsec.conf]

add 1.2.3.4 5.6.7.8 esp 6969 -E 3des-cbc "etcetcetcetcetcetcetcetc" -A hmac-md5 whateverwhateverwhateverwhateverwh;
add 5.6.7.8 1.2.3.4 esp 9696 -E 3des-cbc "ctectectectectectectecte" -A hmac-md5 revetahwrevetahwrevetahwrevetahwre;
spdadd 1.2.3.4 5.6.7.8 any -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 any -P in ipsec esp/transport//require;
spdadd 10.250.12.0/14 1.2.3.4 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 10.250.12.0/14 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 10.250.12.0/14 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8 10.250.11.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.250.11.0/24 5.6.7.8 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;