ipsec tunnel/freebsd2linux
Lou Kamenov
phayze at secureroot.org.uk
Sun Apr 13 13:54:03 BST 2003
In some email I received from Peter McGarvey <fbsu-x at packet.org.uk> on Sat, 12 Apr 2003
10:24:45 +0100, wrote:
> I had a similar problem a while back. I got it working, eventually, by
> trial and error.
>
> What I eventually discovered was that I needed another line in my
> ipsec.conf to explicitly encrypt traffic from my private network, to my
> remote box. Something like this:
>
> spdadd linux.box/32 freebsd.box/32 any -P in ipsec esp/tunnel/linux.box-freebsd.box/require;
> spdadd freebsd.box/32 linux.box/32 any -P out ipsec esp/tunnel/freebsd.box-linux.box/require;
>
> spdadd linux.box/32 10.0.0.0/24 any -P in ipsec esp/tunnel/linux.box-freebsd.box/require;
> spdadd 10.0.0.0/24 linux.box/32 any -P out ipsec esp/tunnel/freebsd.box-linux.box/require;
Hi Peter,
I've already tried this and it doesn't work.
It looks more like a NAT problem; IIRC there was something similar with ipf in NetBSD
some time ago.
Any other pointers?
cheers
> * Lou Kamenov <phayze at secureroot.org.uk> [2003-04-11 19:52:11 BST]:
> > Hello guys,
> >
> > For the last few days I have been struggling with a FreeBSD IPsec/racoon - Linux FreeS/WAN tunnel.
> >
> > So the scenario is something like this:
> >
> > <scenario>
> >
> > Linux FreeS/WAN my.new.host.org
> > //
> > INET
> > \\
> > FreeBSD IPsec/racoon my.other.host.org
> > \\
> > NAT
> > ||
> >
> > [ A rfc1918 network/10.0.0.0/24 ]
> >
> > </scenario>
> >
> > When the FreeBSD box sends a packet to the Linux box, everything is encrypted, and
> > vice versa.
> >
> > But when a host from 10.0.0.0/24 sends a packet to the Linux box, the packet passes
> > the FreeBSD box unencrypted. The Linux box then sends a reply with an encrypted payload, and
> > it never arrives at the 10.0.0.0/24 host. (However, I can see the freebsd.box receive it.)
> >
> > Any ideas?
> >
> > my SPD entries are:
> >
> > <ipsec.conf>
> >
> > spdadd linux.box/32 freebsd.box/32 any -P in ipsec
> > esp/tunnel/linux.box-freebsd.box/require;
> > spdadd freebsd.box/32 linux.box/32 any -P out ipsec
> > esp/tunnel/freebsd.box-linux.box/require;
> >
> > </ipsec.conf>
> >
> > <racoon.conf>
> >
> > remote linux.box
> > {
> > exchange_mode main;
> > doi ipsec_doi;
> > situation identity_only;
> > my_identifier address;
> > lifetime time 1 min;
> > proposal_check obey;
> > proposal {
> > encryption_algorithm 3des;
> > hash_algorithm sha1;
> > authentication_method pre_shared_key;
> > dh_group 2;
> > }
> > }
> >
> > sainfo address freebsd.box any address linux.box any
> > {
> > pfs_group 2;
> > lifetime time 2600 sec;
> > encryption_algorithm 3des;
> > authentication_algorithm hmac_sha1;
> > compression_algorithm deflate;
> > }
> >
> > </racoon.conf>
> >
> >
> >
> > cheers
> > -lk
> >
> >
> >
> > --
> >
> > Lou Kamenov AEYE R&D lou.kamenov at aeye.net
> > FreeBSD BGUG http://www.freebsd-bg.org lou at FreeBSD-bg.org
> > Secureroot UK http://secureroot.org.uk phayze at secureroot.org.uk
> > Key Fingerprint - 936F F64A AD50 2D27 07E7 6629 F493 95AE A297 084A
> > One advantage of talking to yourself is that you know at least
> > somebody's listening. - Franklin P. Jones
> >
> >
> >
> >
> >
> > ------ FreeBSD UK Users' Group - Mailing List ------
> > http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users
> >
>
> --
> TTFN, FNORD
>
> Peter McGarvey
> Freelance FreeBSD Hacker
> (will work for bandwidth)
>
>
--
Lou Kamenov AEYE R&D lou.kamenov at aeye.net
FreeBSD BGUG http://www.freebsd-bg.org lou at FreeBSD-bg.org
Secureroot UK http://secureroot.org.uk phayze at secureroot.org.uk
Key Fingerprint - 936F F64A AD50 2D27 07E7 6629 F493 95AE A297 084A
One advantage of talking to yourself is that you know at least
somebody's listening. - Franklin P. Jones
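The thread turns on which flows the gateway's SPD actually covers: with only the linux.box/32 <-> freebsd.box/32 entries, traffic forwarded from 10.0.0.0/24 matches no policy and leaves the FreeBSD box in cleartext, which is exactly what the original post observes. The following is an added example (not code from the thread or from FreeBSD/racoon) that parses the two SPD variants in setkey's `spdadd` syntax and reports the flows that no entry covers. The addresses for linux.box and freebsd.box and the LAN host 10.0.0.5 are constructed placeholders; the matcher models first-match SPD lookup only and does not model NAT, so if address translation rewrites the 10.0.0.0/24 source before the outbound SPD lookup (the NAT interaction Lou suspects), the added 10.0.0.0/24 entries would never match and the leak would remain.

```python
"""Report which flows an IPsec SPD written in setkey 'spdadd' syntax leaves in cleartext.

Added example, not from the thread. Hostnames are mapped to constructed RFC 5737
documentation addresses so the entries can be evaluated with the ipaddress module.
"""
import ipaddress
import re

# Constructed address map for the thread's hostnames (assumption, not real hosts).
HOSTS = {"linux.box": "192.0.2.10", "freebsd.box": "198.51.100.20"}

# SPD from the original post: only gateway-to-gateway traffic is covered.
ORIGINAL_SPD = """
spdadd linux.box/32 freebsd.box/32 any -P in ipsec esp/tunnel/linux.box-freebsd.box/require;
spdadd freebsd.box/32 linux.box/32 any -P out ipsec esp/tunnel/freebsd.box-linux.box/require;
"""

# Peter's suggestion: add entries for the 10.0.0.0/24 network behind the FreeBSD gateway.
EXTENDED_SPD = ORIGINAL_SPD + """
spdadd linux.box/32 10.0.0.0/24 any -P in ipsec esp/tunnel/linux.box-freebsd.box/require;
spdadd 10.0.0.0/24 linux.box/32 any -P out ipsec esp/tunnel/freebsd.box-linux.box/require;
"""

# spdadd SRC DST PROTO -P DIR POLICY;
SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.+?);")


def _to_network(token):
    """Turn 'name/prefix' or 'addr/prefix' into an IPv4Network; a bare host gets /32."""
    host, _, plen = token.partition("/")
    addr = HOSTS.get(host, host)
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def parse_spd(text):
    """Return (src_net, dst_net, direction, policy) tuples in file order."""
    entries = []
    for m in SPDADD_RE.finditer(text):
        src, dst, _proto, direction, policy = m.groups()
        entries.append((_to_network(src), _to_network(dst), direction, policy.strip()))
    return entries


def lookup(spd, src_ip, dst_ip, direction):
    """First matching entry wins; None means no policy applies and the packet is passed as-is."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, dir_, policy in spd:
        if dir_ == direction and s in src_net and d in dst_net:
            return policy
    return None


def cleartext_flows(spd, flows):
    """Flows (src, dst, direction) that no SPD entry covers, i.e. would cross the gateway unprotected."""
    return [f for f in flows if lookup(spd, *f) is None]


# Constructed flows as seen at the FreeBSD gateway: the two gateway-to-gateway flows,
# and a LAN host behind the gateway talking to the Linux box and getting its reply.
FLOWS = [
    ("198.51.100.20", "192.0.2.10", "out"),  # freebsd.box -> linux.box
    ("192.0.2.10", "198.51.100.20", "in"),   # linux.box -> freebsd.box
    ("10.0.0.5", "192.0.2.10", "out"),       # LAN host -> linux.box (forwarded)
    ("192.0.2.10", "10.0.0.5", "in"),        # linux.box -> LAN host
]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_SPD), ("extended", EXTENDED_SPD)):
        leaks = cleartext_flows(parse_spd(text), FLOWS)
        print(f"{name} SPD: {len(leaks)} uncovered flow(s): {leaks}")
```

Run as a script it reports two uncovered flows for the original SPD (both directions of the LAN host's conversation) and none for the extended one. The same check can be pointed at a real policy dump by feeding it the output of `setkey -DP`, as long as the entries use addresses rather than names.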