Re: IPSec troubles

From: Richard Bejtlich (richard_bejtlich_at_yahoo.com)
Date: 04/03/04

Date: Fri, 2 Apr 2004 15:19:42 -0800 (PST)
To: freebsd-net@freebsd.org


    Hello,

    This thread has been very helpful. I'm using FreeBSD
    5.2.1 REL with kernels recompiled to support IPSEC.
    I've found the "trick" of excluding port 500 UDP packets
    allows ISAKMP traffic to be exchanged, e.g.:

    spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
    spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;

    Unfortunately, I cannot follow this ipsec.conf entry
    with something like this for 'any' protocol:

    spdadd 192.168.20.1 192.168.21.1 any -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
    spdadd 192.168.21.1 192.168.20.1 any -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

    If I try to ping 192.168.20.1 from 192.168.21.1, I get
    this error on 192.168.20.1 from racoon:

    2004-04-02 18:10:43: ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 192.168.20.1/32[0] 192.168.21.1/32[0] proto=any dir=out
    2004-04-02 18:10:43: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
    2004-04-02 18:10:43: ERROR: isakmp.c:1061:isakmp_ph2begin_r(): failed to pre-process packet.

    No traffic is exchanged.

    I've found that replacing the 'any' entry in the
    ipsec.conf with new entries for 'icmp' and 'tcp' allows
    those protocols to be protected by IPSec, e.g. for
    tcp:

    spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
    spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

    Unfortunately, I can't add an entry for 'udp' as that
    appears to conflict with the udp entry for port 500.

    I tried 'ip' in place of 'any', but that didn't seem
    to encrypt any traffic at all.

    Is my only alternative to upgrade from 5.2.1 to
    CURRENT if I want everything to be protected by IPSec
    (besides ISAKMP)?

    Thank you,

    Richard
    http://www.taosecurity.com

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

