Robert Johannes wrote:
>
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>
>
> Ok, I have done quite a bit of work since my last email, but I still
> don't see visible progress. I did rebuild world and the kernel with the
> NAT-T patches/support that you recommended. I have been playing around
> with ipsec etc.
>
> I have created an esp tunnel between my two sites, and I am sending some
> ping traffic to the remote end, but the packets don't seem to get
> through. Here's a snippet of what I see on tcpdump:
>
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe:
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519,
> length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe:
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520,
> length 64 (ipip-proto-4)
Firstly, have you set your DSL routers up to NAT the ipencap protocol
back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP
or UDP payload, so you will probably need a pretty advanced router to do
this.) The packets you see here are not protected by IPsec; they are
just plain old IPENCAP packets. If they were IPsec packets I would
expect to see ESP as the protocol and not see the encapsulated packet
header. (Again, when you get IPsec working you are going to need to NAT
these packets to your FreeBSD boxes.)
>
> From what I can tell, the kernel knows that it is to send the ping
> request from 192.168.1.254 to 192.168.0.254 through the tunnel mouths
> 190.41.95.135 and 201.240.165.191. But, there's no request from the
> other end. Doing a tcpdump on the other side (192.168.0.254), nothing
> is coming in. I have also done a ping from the latter machine to the
> former, but with exactly the same problem. Nothing seems to get to the
> other end.
>
> The tunnel is not using racoon yet. I figure that I should be able to
> see some traffic going back and forth before I use racoon to manage
> keys. The tunnel was created by the following lines on one host, and
> reversed on the other:
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> If anyone can shed some more light on this, I would appreciate it.
>
From what I can see your /etc/ipsec.conf should look like this:

spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
esp/tunnel/201.240.151.15-190.41.95.135/require;

These rules may be wrong, but your tunnel seems to be an IP protocol 4
payload, which is ipencap (see /etc/protocols).

Hope this helps.

Tom
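An added example (not from this thread) that turns Tom's check into a script: it parses tcpdump lines in the format quoted above, reports tunnel packets that left the gateway as plain ipip (protocol 4) instead of ESP, and emits gateway-to-gateway ipencap SPD entries for a given address pair. The ESP line in the sample capture is constructed, as are the function names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two ipip lines in the thread's format plus one constructed ESP line.
SAMPLE_CAPTURE = """\
14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)
14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, length 64 (ipip-proto-4)
14:07:01.102233 IP 190.41.95.135 > 201.240.151.15: ESP(spi=0x00001001,seq=0x3), length 116
"""

OUTER = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
INNER = re.compile(r"^IP (?P<src>\S+) > (?P<dst>[^:]+): .*\(ipip-proto-4\)$")
ESP = re.compile(r"^ESP\(spi=0x[0-9a-fA-F]+,seq=0x[0-9a-fA-F]+\)")

@dataclass
class Packet:
    ts: str
    outer_src: str
    outer_dst: str
    kind: str                      # "esp", "ipip" (cleartext tunnel) or "other"
    inner_src: Optional[str] = None
    inner_dst: Optional[str] = None

def parse_line(line: str) -> Optional[Packet]:
    """Classify one tcpdump line by the protocol carried in the outer IP header."""
    m = OUTER.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if ESP.match(rest):
        return Packet(m["ts"], m["src"], m["dst"], "esp")
    inner = INNER.match(rest)
    if inner:
        return Packet(m["ts"], m["src"], m["dst"], "ipip", inner["src"], inner["dst"])
    return Packet(m["ts"], m["src"], m["dst"], "other")

def unprotected_tunnel_packets(capture: str) -> list:
    """ipip packets that left without ESP: the inner hosts are readable on the wire."""
    return [p for p in map(parse_line, capture.splitlines()) if p and p.kind == "ipip"]

def spd_for_gateways(local: str, remote: str) -> list:
    """SPD entries as Tom suggests: select the ipencap traffic between the gateways."""
    return [
        f"spdadd {remote}/32 {local}/32 ipencap -P in ipsec esp/tunnel/{remote}-{local}/require;",
        f"spdadd {local}/32 {remote}/32 ipencap -P out ipsec esp/tunnel/{local}-{remote}/require;",
    ]

for p in unprotected_tunnel_packets(SAMPLE_CAPTURE):
    print(f"{p.ts} cleartext ipip {p.outer_src} -> {p.outer_dst} carrying {p.inner_src} -> {p.inner_dst}")
```

Run it against a real `tcpdump -n -i <outside-if>` capture on the gateway: any line it reports means the SPD did not match and the inner traffic crossed the wire unencrypted.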
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"