About IPsec ...

souris souris at nerim.net
Mon May 19 06:47:08 PDT 2003


Hi,

I tried to make IPsec between 2 computers: FreeBSD 4.8 and NetBSD 1.5.2

While following the handbook : http://www.fr.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
I noticed something.
<From Handbook>
setkey -c
    spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
    ah/transport/10.2.3.4-10.6.7.8/require ;
    ^D

At B:

# setkey -c
    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    esp/transport/10.6.7.8-10.2.3.4/require ;
    spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    ah/transport/10.6.7.8-10.2.3.4/require ;
    ^D

</From Handbook>

From A: only "OUT" traffic is set
From B: 2 "OUT" traffics are set. It seems to be two different protocols ... so it doesn't matter, but still no "IN" traffic is set.

I tried to simulate exactly the same as the handbook, and setkey gave me an error:

root at sexy 14:19 /home/souris$ setkey -c 
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
The result of line 4: File exists.

(I've just flushed all the setkey's rules before doing that)

In the other examples, like IPv6 etc. ... there is an OUT and IN traffic set. It seems that without "IN" traffic set, IPsec doesn't work ... Traffic goes out but not in:

14:05:07.973207 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x37d813cc): icmp: echo request
14:05:08.979010 10.6.7.8 > 10.2.3.4: AH(spi=0x000003e8,seq=0x99378b78): icmp: echo request

I am obviously not the first one to use this book, but there is a mistake somewhere ...

May somebody help me?

thx

--
souris
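The two problems in this post (setkey answering "File exists" for the second spdadd, and policies that exist only for the "out" direction) are both visible in the SPD text before it is loaded. The following Python script is an added illustration for this thread; it is not code from the FreeBSD Handbook, from setkey(8), or from the poster. It parses the subset of setkey grammar used above (`spdadd SRC DST UPPERSPEC -P in|out ipsec ENTRY... ;`), flags a selector (src, dst, upperspec, direction) that appears twice, which is what makes the kernel reject the second entry with EEXIST, flags an "out" policy whose reverse "in" policy is missing, so that inbound packets from that peer are not required to be protected, and shows how the two host-B statements merge into one statement that lists both protocols. The sample inputs are constructed from the statements quoted in the post.

```python
"""Lint a setkey(8) SPD fragment before loading it with 'setkey -c' / 'setkey -f'.

Added example for the freebsd-net thread above; not part of the FreeBSD
Handbook or of setkey itself. Only the spdadd subset used in the thread
is understood: spdadd SRC DST UPPERSPEC -P in|out ipsec ENTRY... ;
"""
import re
from dataclasses import dataclass, field

# One spdadd statement. ENTRY tokens (e.g. esp/transport//require) follow the
# policy type and run up to the terminating ';', newlines included.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)"
    r"\s+-P\s+(?P<dir>in|out)\s+(?P<ptype>ipsec|discard|none)"
    r"(?P<entries>[^;]*);"
)


@dataclass
class SpdEntry:
    src: str
    dst: str
    upper: str
    direction: str
    ptype: str
    entries: list = field(default_factory=list)

    @property
    def selector(self):
        # The kernel keys SPD entries on exactly this tuple; a second spdadd
        # with the same tuple is refused with EEXIST ("File exists").
        return (self.src, self.dst, self.upper, self.direction)

    def render(self):
        tail = (" " + " ".join(self.entries)) if self.entries else ""
        return f"spdadd {self.src} {self.dst} {self.upper} -P {self.direction} {self.ptype}{tail};"


def parse_spd(text):
    """Return an SpdEntry for every spdadd statement found in text."""
    return [
        SpdEntry(m["src"], m["dst"], m["upper"], m["dir"], m["ptype"], m["entries"].split())
        for m in SPDADD_RE.finditer(text)
    ]


def lint_spd(text):
    """Return a list of findings; an empty list means the fragment is clean."""
    findings = []
    first = {}  # selector -> statement number of its first occurrence
    for n, e in enumerate(parse_spd(text), 1):
        if e.selector in first:
            findings.append(
                f"statement {n}: selector {e.selector} already used by statement "
                f"{first[e.selector]}; setkey will report 'File exists'. "
                "List both protocols inside one spdadd instead."
            )
        else:
            first[e.selector] = n
    for src, dst, upper, direction in first:
        if direction == "out" and (dst, src, upper, "in") not in first:
            findings.append(
                f"{src} -> {dst} {upper}: 'out' policy has no matching 'in' policy for "
                f"{dst} -> {src}, so inbound packets from {dst} are not required to be protected."
            )
    return findings


def merge_duplicates(text):
    """Collapse statements that share a selector into one statement carrying all entries."""
    merged, order = {}, []
    for e in parse_spd(text):
        if e.selector in merged:
            for p in e.entries:
                if p not in merged[e.selector].entries:
                    merged[e.selector].entries.append(p)
        else:
            merged[e.selector] = e
            order.append(e.selector)
    return "\n".join(merged[s].render() for s in order)


# Constructed input: the host-B statements quoted in the post (selector repeated).
HOST_B_BROKEN = """\
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
"""

# Constructed input: one statement per direction, both protocols listed in each.
HOST_B_FIXED = """\
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
    esp/transport//require ah/transport//require ;
spdadd 10.2.3.4 10.6.7.8 any -P in ipsec
    esp/transport//require ah/transport//require ;
"""

if __name__ == "__main__":
    for finding in lint_spd(HOST_B_BROKEN):
        print("finding:", finding)
    print(merge_duplicates(HOST_B_BROKEN))
    print("fixed fragment findings:", lint_spd(HOST_B_FIXED))
```

Run it against a file with `python3 spdlint.py` after replacing the constructed fragments with the real setkey input; the merge step only rewrites statements whose selector repeats and keeps every other statement untouched, so it is safe to review its output side by side with the original before loading anything.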

More information about the freebsd-net mailing list