Single IP host and IPsec tunnel mode experience

Lars Eggert larse at ISI.EDU
Sun Apr 20 10:20:59 PDT 2003


On 4/20/2003 9:55 AM, Jacques A. Vidrine wrote:
> On Wed, Apr 16, 2003 at 07:36:21AM -0500, Jacques A. Vidrine wrote:
> 
>>On Tue, Apr 15, 2003 at 10:23:35PM -0700, Crist J. Clark wrote:
>>
>>>'uname -a'?
>>
>>The endpoints were both 4.7.
>>
>>
>>>I can't reproduce this on a 4.8 to 4.7 tunnel. On
>>>192.168.64.70,
>>>
>>>  spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
>>>	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>>  spdadd 10.0.0.0/24 192.168.64.70/32 any -P  in
>>>	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>And on 192.168.64.20, the gateway to 10.0.0.0/24,
>>>
>>>  spdadd 192.168.64.70/32 10.0.0.0/24 any -P  in
>>>	ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>>>  spdadd 10.0.0.0/24 192.168.64.70/32 any -P out
>>>	ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
>>>
>>>Works fine.
>>
>>Hmm, yes, that appears to be exactly what I'm trying to do.  Well,
>>that's heartening ... it means that there is likely some anomaly in my
>>environment that is hosing me.  Now if only I can figure what it is :-)
> 
> 
> Oddly enough ...  ESP works, AH does not.

Are you going through a NAT box? (Sorry, haven't been following this 
thread closely.) AH includes more of the IP header when computing the 
crypto checksum (compared to ESP); if those fields get diddled by a NAT 
box, the receiver will drop the packets because of bad crypto. One of 
the netstat counters on the receiver will show this.

If you need to authenticate, maybe try using ESP authentication?

Lars
-- 
Lars Eggert <larse at isi.edu>           USC Information Sciences Institute
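An added illustration of the point above, not code from this thread or from FreeBSD's IPsec stack: a simplified Python model of what the AH and ESP integrity checks cover, showing why a NAT rewriting the outer source address breaks AH but not ESP. It assumes an HMAC-SHA1-96 ICV over a constructed key, a zero IP header checksum, and leaves the AH header itself out of the hashed data.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA key comes from setkey/IKE, never from source code.
KEY = b"constructed-demo-key"

def pack_addr(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src, dst, ttl=64, proto=51):
    """Minimal 20-byte IPv4 header (header checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       pack_addr(src), pack_addr(dst))

def zero_mutable_fields(iph):
    """AH (RFC 2402) zeroes TOS, flags/fragment offset, TTL and checksum before
    hashing, but the source and destination addresses stay in the covered data."""
    h = bytearray(iph)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h)

def ah_icv(iph, payload):
    """AH ICV model: outer IP header with mutable fields zeroed, then the payload."""
    return hmac.new(KEY, zero_mutable_fields(iph) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_data):
    """ESP ICV covers only the ESP header and ciphertext; the outer IP header is not hashed."""
    return hmac.new(KEY, esp_data, hashlib.sha1).digest()[:12]

def nat_rewrite(iph, new_src):
    """What a NAT box does to the outer header: decrement TTL, rewrite the source address."""
    h = bytearray(iph)
    h[8] -= 1
    h[12:16] = pack_addr(new_src)
    return bytes(h)

def ah_verifies_after_nat(src, dst, nat_src, payload=b"constructed inner packet"):
    """True if the AH receiver's recomputed ICV still matches after NAT touched the header."""
    sent = ipv4_header(src, dst)
    icv = ah_icv(sent, payload)
    return hmac.compare_digest(icv, ah_icv(nat_rewrite(sent, nat_src), payload))

def esp_verifies_after_nat(src, dst, nat_src, payload=b"constructed inner packet"):
    """ESP's ICV never included the outer header, so NAT rewriting cannot invalidate it."""
    sent = ipv4_header(src, dst, proto=50)
    icv = esp_icv(payload)
    received = nat_rewrite(sent, nat_src)  # outer header changes, hashed input does not
    return received != sent and hmac.compare_digest(icv, esp_icv(payload))
```

A TTL decrement alone passes AH (it is a mutable field), which is why the failure only shows up when the NAT rewrites an address.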