OSEC

From: Nicholas Janzen (nicktelin.com)
Date: Tue May 01 2001 - 15:29:15 CDT


    I'm having a little trouble with an IPsec tunnel. Hoping someone can
    point out what I have done wrong.

    Here is my configuration:

    I have 2 machines

    A with external ip of 209.115.237.91
      with internal net of ips 192.168.0.0/24
    B with external ip of 24.64.60.210
      with internal net of ips 90.0.0.0/24

    I used one machine to generate the keys, then copied them to the other
    machine.

    Both machines are OpenBSD 2.8/i386

    Machine A:
    ipf.rules:
            pass in proto esp from 24.64.60.210/32 to 209.115.237.91/32
            pass out proto esp from 209.115.237.91/32 to 24.64.60.210/32
            pass in quick on enc0 from 90.0.0.0/24 to 192.168.0.0/24

            pass in from any to any
            pass out from any to any

    netstat -rnf encap:
    Source             Port Destination        Port Proto SA(Address/Proto/Type/Direction)
    192.168.0/24       0    24.64.60.210/32    0    0     209.115.237.91/50/require/in
    192.168.0/24       0    90.0.0/24          0    0     209.115.237.91/50/require/in
    209.115.237.91/32  0    24.64.60.210/32    0    0     209.115.237.91/50/require/in
    209.115.237.91/32  0    90.0.0/24          0    0     209.115.237.91/50/require/in
    24.64.60.210/32    0    192.168.0/24       0    0     209.115.237.91/50/require/out
    24.64.60.210/32    0    209.115.237.91/32  0    0     209.115.237.91/50/require/out
    90.0.0/24          0    192.168.0/24       0    0     209.115.237.91/50/require/out
    90.0.0/24          0    209.115.237.91/32  0    0     209.115.237.91/50/require/out

    Machine B:
    ipf.rules:
            pass in proto esp from 209.115.237.91/32 to 24.64.60.210/32
            pass out proto esp from 24.64.60.210/32 to 209.115.237.91/32
            pass in quick on enc0 from 192.168.0.0/24 to 90.0.0.0/24

            pass in from any to any
            pass out from any to any

            count in on xl0 from any to any
            count out on xl0 from any to any
            count in on ne3 from any to any
            count out on ne3 from any to any

    netstat -rnf encap:
    Source             Port Destination        Port Proto SA(Address/Proto/Type/Direction)
    192.168.0/24       0    24.64.60.210/32    0    0     209.115.237.91/50/require/in
    192.168.0/24       0    90.0.0/24          0    0     209.115.237.91/50/require/in
    209.115.237.91/32  0    24.64.60.210/32    0    0     209.115.237.91/50/require/in
    209.115.237.91/32  0    90.0.0/24          0    0     209.115.237.91/50/require/in
    24.64.60.210/32    0    192.168.0/24       0    0     209.115.237.91/50/require/out
    24.64.60.210/32    0    209.115.237.91/32  0    0     209.115.237.91/50/require/out
    90.0.0/24          0    192.168.0/24       0    0     209.115.237.91/50/require/out
    90.0.0/24          0    209.115.237.91/32  0    0     209.115.237.91/50/require/out

    Both machines display outgoing traffic on enc0 using tcpdump -i enc0:

    enc0: flags=101<UP,PROMISC> mtu 1536

    13:24:35.540316 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84
    13:24:36.550942 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84
    13:24:37.560257 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84

    Thanks for your help.
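An added example, not part of the original post: a small Python checker that parses the `netstat -rnf encap` tables above and tests two invariants of a two-gateway tunnel. It assumes, as in OpenBSD's encap table, that the SA address column is the SA destination, so an `in` flow should name the local gateway and an `out` flow the remote gateway, and that the peer's table should be the mirror image (same selectors, `in` and `out` swapped); `local` and `peer` are the script's own parameters, and `TABLE_A` is machine A's table from the post joined to one row per flow.

```python
from collections import namedtuple

# One flow entry: packet selectors plus the SA it maps to. sa_addr is assumed to
# be the SA destination (the gateway terminating the SA), as OpenBSD prints it.
Flow = namedtuple("Flow", "src dst proto sa_addr sa_proto sa_type direction")

def parse_encap_table(text):
    """Parse `netstat -rnf encap` rows: Source Port Destination Port Proto SA(...)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        sa = parts[5].split("/") if len(parts) == 6 else []
        if len(sa) != 4 or sa[3] not in ("in", "out"):
            continue  # header, blank or wrapped line
        flows.append(Flow(parts[0], parts[2], parts[4], *sa))
    return flows

def check_sa_addresses(flows, local, peer):
    """'in' flows must use an SA destined for this gateway (local), 'out' flows an SA
    destined for the remote gateway (peer). Returns one message per violation."""
    problems = []
    for f in flows:
        expected = local if f.direction == "in" else peer
        if f.sa_addr != expected:
            problems.append(f"{f.direction} flow {f.src} -> {f.dst} uses SA {f.sa_addr}, "
                            f"expected {expected}")
    return problems

def check_mirror(flows_a, flows_b):
    """B's table should mirror A's: same selectors, 'in' and 'out' swapped.
    Returns the flows B lacks for that to hold (empty list when consistent)."""
    flip = {"in": "out", "out": "in"}
    wanted = {(f.src, f.dst, f.proto, flip[f.direction]) for f in flows_a}
    have = {(f.src, f.dst, f.proto, f.direction) for f in flows_b}
    return [f"peer lacks {d} flow {s} -> {t}" for s, t, p, d in sorted(wanted - have)]

# Sample input: machine A's table from the post, one row per flow.
TABLE_A = """\
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.0/24 0 24.64.60.210/32 0 0 209.115.237.91/50/require/in
192.168.0/24 0 90.0.0/24 0 0 209.115.237.91/50/require/in
209.115.237.91/32 0 24.64.60.210/32 0 0 209.115.237.91/50/require/in
209.115.237.91/32 0 90.0.0/24 0 0 209.115.237.91/50/require/in
24.64.60.210/32 0 192.168.0/24 0 0 209.115.237.91/50/require/out
24.64.60.210/32 0 209.115.237.91/32 0 0 209.115.237.91/50/require/out
90.0.0/24 0 192.168.0/24 0 0 209.115.237.91/50/require/out
90.0.0/24 0 209.115.237.91/32 0 0 209.115.237.91/50/require/out
"""
```

Running `check_sa_addresses(parse_encap_table(TABLE_A), "209.115.237.91", "24.64.60.210")` flags all four `out` flows, and since the post shows the identical table on machine B, `check_mirror` against that same table reports every flow as missing on the peer.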