Single IP host and IPsec tunnel mode experience
Lars Eggert
larse at ISI.EDU
Sun Apr 20 10:20:59 PDT 2003
On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote:
> On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
>
>>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
>>
>>>'uname -a'?
>>
>>The endpoints were both 4.7.
>>
>>
>>>I can't reproduce this on a 4.8 to 4.7 tunnel. On
>>>192.168.64.70,
>>>
>>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
>>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
>>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>And on 192.168.64.20, the gateway to 10.0.0.0/24,
>>>
>>> spdadd 192.168.64.70/32 10.0.0.0/24 any -P in
>>> ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>> spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
>>> ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>Works fine.
>>
>>Hmm, yes, that appears to be exactly what I'm trying to do. Well,
>>that's heartening ... it means that there is likely some anomaly in my
>>environment that is hosing me. Now if only I can figure what it is :-)
>
>
> Oddly enough ... ESP works, AH does not.
Are you going through a NAT box? (Sorry, haven't been following this
thread closely.) AH includes more of the IP header when computing the
crypto checksum (compared to ESP); if those fields get diddled by a NAT
box, the receiver will drop the packets because of bad crypto. One of
the netstat counters on the receiver will show this.
If you need to authenticate, maybe try using ESP authentication?
Lars
--
Lars Eggert <larse at isi.edu> USC Information Sciences Institute
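The point Lars makes about AH versus ESP behind a NAT, worked through as an added Python demonstration (this is constructed example code, not from the thread, FreeBSD or the KAME IPsec stack). It builds a tunnel-mode outer IPv4 header, computes an AH-style ICV with the RFC 2402 mutable fields zeroed and an ESP-style ICV over the ESP data only, then passes the outer header through three constructed middleboxes: nothing, a plain router that decrements TTL, and a NAT that rewrites the source address to 203.0.113.5. The key, SPIs, inner payload and the use of a 96-bit truncated HMAC-SHA256 are assumptions for the demo; a real SA uses whatever algorithm setkey(8) or IKE installed.

```python
"""Why a NAT breaks AH but not ESP: constructed demo, not FreeBSD/KAME code."""
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key comes from setkey(8) or IKE.
DEMO_KEY = b"constructed-demo-key-not-a-real-sa"
IP_PROTO_AH = 51
IP_PROTO_ESP = 50


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a header; 0 when the header verifies."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(hdr: bytearray) -> bytes:
    """Recompute the header checksum after any field was rewritten."""
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header (no options), DF set, constructed ident."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                                0x1234, 0x4000, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    return with_checksum(hdr)


def ah_zero_mutable(hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: AH zeroes TOS, flags/fragment offset, TTL and the
    header checksum before computing the ICV. Source and destination
    addresses are NOT mutable, so the ICV covers them."""
    h = bytearray(hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def icv(data: bytes) -> bytes:
    """96-bit truncated HMAC. Assumption: a stand-in for the SA's auth algorithm."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()[:12]


# Constructed tunnel-mode payloads. AH header: next=4 (IP-in-IP), payload
# len=4 (24-byte AH in 32-bit words minus 2), reserved, SPI, seq, ICV zeroed.
INNER_PACKET = b"constructed inner 10.0.0.0/24 packet"
AH_HEADER_ICV_ZERO = struct.pack("!BBHII", 4, 4, 0, 0x100, 1) + bytes(12)
ESP_HEADER = struct.pack("!II", 0x200, 1)  # SPI, sequence number


def send_and_verify(transform: str, middlebox) -> bool:
    """Sender computes the ICV, `middlebox` rewrites the outer header in
    transit, receiver recomputes. True if the packet would be accepted."""
    if transform == "AH":
        body = AH_HEADER_ICV_ZERO + INNER_PACKET
        outer = build_ipv4_header("192.168.64.70", "192.168.64.20", IP_PROTO_AH, len(body))
        tag = icv(ah_zero_mutable(outer) + body)          # outer header IS covered
        received_outer = middlebox(outer)
        return hmac.compare_digest(icv(ah_zero_mutable(received_outer) + body), tag)
    if transform == "ESP":
        esp = ESP_HEADER + INNER_PACKET                   # payload left unencrypted for brevity
        outer = build_ipv4_header("192.168.64.70", "192.168.64.20", IP_PROTO_ESP, len(esp) + 12)
        tag = icv(esp)                                    # outer header is NOT covered
        middlebox(outer)                                  # whatever the box rewrites is irrelevant
        return hmac.compare_digest(icv(esp), tag)
    raise ValueError(transform)


def passthrough(hdr: bytes) -> bytes:
    return hdr


def router_hop(hdr: bytes) -> bytes:
    """A plain router decrements TTL and fixes the checksum: both mutable, AH survives."""
    h = bytearray(hdr)
    h[8] -= 1
    return with_checksum(h)


def nat_src_rewrite(hdr: bytes) -> bytes:
    """A NAT box replaces the source address (constructed public address)."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton("203.0.113.5")
    return with_checksum(h)


if __name__ == "__main__":
    for transform in ("AH", "ESP"):
        for name, box in (("direct", passthrough), ("router", router_hop), ("NAT", nat_src_rewrite)):
            ok = send_and_verify(transform, box)
            print(f"{transform:3} via {name:6}: {'accepted' if ok else 'DROPPED (bad ICV)'}")
```

Running it shows AH accepted through the direct path and the router hop (TTL is mutable and zeroed) but dropped after the NAT, while ESP is accepted in all three cases. On the FreeBSD receiver the symptom Lars describes shows up as a rising authentication-failure counter in the IPsec statistics (`netstat -s -p ipsec`; the exact counter wording varies by release), which is the first thing to check before suspecting the SPD entries themselves.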