NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2000-06

Subject: Re: Ipsec misconfiguration problem
From: ARIGA Seiji (saysfc.wide.ad.jp)
Date: Mon Jun 19 2000 - 13:34:33 CDT

Next message: Kris Kennaway: "Dinner at Usenix on Tuesday"
Previous message: Bart van Leeuwen: "Re: tried to be cracked"
In reply to: Spike Gronim: "Ipsec misconfiguration problem"
Reply: ARIGA Seiji: "Re: Ipsec misconfiguration problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

First of all, I assume that you are using FreeBSD4.0-RELEASE.

On Mon, 19 Jun 2000 00:48:02 -0400,
Spike Gronim <williambrainlink.com> wrote,

: I tried a lot of things, and then copied the NetBSD documentation setup
: (http://www.netbsd.org/Documentation/network/ipsec/#sample_esp) :

IPsec functions are based on KAME (http://www.kame.net) code. FreeBSD4.0
is based on old KAME code, though NetBSD merged very recent code.
So, IPsec configuration is bit different between these OSes.

: [ipsec.conf]
: add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
: add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
: add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
: add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
: spdadd 192.168.0.1 192.168.0.200 any -P out\
: ipsec esp/transport//use ah/transport//use;
: [ipsec.conf]

Try this,

on 192.168.0.1,

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out ipsec
esp/transport/192.168.0.1-192.168.0.200/use ah/transport/192.168.0.1-192.168.0.200/use;

on 192.168.0.200

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.200 192.168.0.1 any -P out ipsec
esp/transport/192.168.0.200-192.168.0.1/use ah/transport/192.168.0.200-192.168.0.1/use;

As you see, you have to swap IP address only for spdadd.
# I think it is because both nodes have to share the same SA configuration.

And also you have to add "src-dst" for spd.

// ARIGA Seiji

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Next message: Kris Kennaway: "Dinner at Usenix on Tuesday"
Previous message: Bart van Leeuwen: "Re: tried to be cracked"
In reply to: Spike Gronim: "Ipsec misconfiguration problem"
Reply: ARIGA Seiji: "Re: Ipsec misconfiguration problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]