IPSec troubles

Richard Bejtlich richard_bejtlich at yahoo.com
Fri Apr 2 15:19:43 PST 2004


Hello,

This thread has been very helpful.  I'm using FreeBSD
5.2.1 REL with kernels recompiled to support IPSEC. 
I've found the "trick" to exclude port 500 UDP packets
allows ISAKMP traffic to be exchanged, e.g.:

spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out
none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in
none;

Unfortunately, I cannot follow this ipsec.conf entry
with something like this for 'any' protocol:

spdadd 192.168.20.1 192.168.21.1 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 any -P in ipsec
esp/tunnel/192.168.21.1-192.168.20.1/require;

If I try to ping 192.168.20.1 from 192.168.21.1, I get
this error on 192.168.20.1 from racoon:

2004-04-02 18:10:43: ERROR:
isakmp_quick.c:2064:get_proposal_r(): policy found,
but no IPsec required: 192.168.20.1/32[0]
192.168.21.1/32[0] proto=any dir=out
2004-04-02 18:10:43: ERROR:
isakmp_quick.c:1071:quick_r1recv(): failed to get
proposal for responder.
2004-04-02 18:10:43: ERROR:
isakmp.c:1061:isakmp_ph2begin_r(): failed to
pre-process packet.

No traffic is exchanged.

I've found that replacing the 'any' entry in the
ipsec.conf with new entries for 'icmp' and 'tcp' allows
those protocols to be protected by IPSec, e.g. for
tcp:

spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec
esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec
esp/tunnel/192.168.21.1-192.168.20.1/require;

Unfortunately, I can't add an entry for 'udp' as that
appears to conflict with the udp entry for port 500.

I tried 'ip' in place of 'any', but that didn't seem
to encrypt any traffic at all.

Is my only alternative to upgrade from 5.2.1 to
CURRENT if I want everything to be protected by IPSec
(besides ISAKMP)?

Thank you,

Richard
http://www.taosecurity.com
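
An added illustration that is not part of this post or of FreeBSD's own code: a small Python model of the four spdadd entries above, parsing them in file order and doing a simplified first-match lookup, plus a check that UDP/500 is left in the clear in both directions before any 'require' policy can catch it. The model assumes exact address match and insertion-order evaluation; the real kernel's policy matching differs in detail (prefixes, wildcard handling), so it is an assumed model, not the kernel's behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SPD: the post's four entries in the order they would be fed to
# setkey, ISAKMP bypass first, then tunnel-mode ESP 'require' for the rest.
SPD_CONF = """
spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;
spdadd 192.168.20.1 192.168.21.1 any -P out ipsec
    esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 any -P in ipsec
    esp/tunnel/192.168.21.1-192.168.20.1/require;
"""

# spdadd <src>[port] <dst>[port] <proto> -P <dir> <policy>;   (ports optional)
SPDADD = re.compile(r"spdadd\s+([^\s\[]+)(?:\[(\d+)\])?\s+([^\s\[]+)(?:\[(\d+)\])?"
                    r"\s+(\S+)\s+-P\s+(in|out)\s+(.*?);", re.S)

@dataclass
class Policy:
    src: str; sport: Optional[int]
    dst: str; dport: Optional[int]
    proto: str; direction: str
    action: str   # "none" or "ipsec <proto>/<mode>/<src>-<dst>/<level>"

def parse_spd(text: str) -> list:
    """Parse spdadd entries into Policy records, preserving file order."""
    return [Policy(m[1], int(m[2]) if m[2] else None, m[3],
                   int(m[4]) if m[4] else None, m[5], m[6],
                   " ".join(m[7].split())) for m in SPDADD.finditer(text)]

def lookup(spd, src, dst, proto, direction, sport=None, dport=None):
    """Action of the first policy whose selector matches the packet (assumed
    model: exact addresses, insertion order, first match wins; None = no policy)."""
    for p in spd:
        if (p.direction, p.src, p.dst) != (direction, src, dst):
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        if p.sport not in (None, sport) or p.dport not in (None, dport):
            continue
        return p.action
    return None

def isakmp_bypassed(spd, a, b) -> bool:
    """True if IKE (UDP/500) between a and b is left in the clear both ways;
    otherwise no SA can ever be negotiated to satisfy the 'require' policies."""
    return (lookup(spd, a, b, "udp", "out", 500, 500) == "none"
            and lookup(spd, b, a, "udp", "in", 500, 500) == "none")
```

Reversing the entry order (so the 'any' policies come first) makes `isakmp_bypassed` return False: the IKE exchange itself would then require an SA that does not exist yet.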
