ipsec changes in 5.2R
Guido van Rooij
guido at gvr.org
Thu Jan 22 03:09:31 PST 2004
On Wed, Jan 21, 2004 at 12:53:46PM +1100, Andrew Thomson wrote:
> I'm a little guilty as I upgraded my laptop from 5.0 to 5.2. So I'm
> guessing things have changed a bit.
>
> However I used to encrypt my wireless connection using IPSEC. Since the
> upgrade, things no longer work.
>
> My firewall is a 4.9p1 host which is at the other end of the IPSEC VPN
> and wireless link.
>
> I previously used the following ipsec.conf to get things going (these
> are from the firewall, obviously the reverse [out/in] is applied to my
> laptop).
>
> 192.168.14.2[any] 0.0.0.0/0[any] any
> in ipsec
> esp/tunnel/192.168.14.2-192.168.14.1/require
> spid=5 seq=1 pid=1409
> refcnt=1
> 0.0.0.0/0[any] 192.168.14.2[any] any
> out ipsec
> esp/tunnel/192.168.14.1-192.168.14.2/require
> spid=6 seq=0 pid=1409
> refcnt=1
>
> Now when I have those setkey entries enabled on my laptop, I can't even
> ping my own host (192.168.14.2).
>
> Both tcpdump and ipfw add 100 log ip from any to any shows nothing on my
> wireless link..
>
> Not sure why this has now stopped working.. Any clues?
I have seen the same. Somehow it looks like ISAKMP traffic, which used to
go around the ipsec policy, is now included. The only workaround I know
of is to replace "require" with "use".
-Guido
More information about the freebsd-current
mailing list