IPsec question
Hey guys,
I followed the scenario in the FAQ and tried a basic VPN between two
openbsd boxes (titanium and silicon). Here is what I did so far:
On titanium (192.168.25.1):
# ipsecadm new esp -spi 1000 -src 192.168.25.1 -dst 192.168.25.9 \
    -forcetunnel -enc blf -auth sha1 \
    -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \
    -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
# ipsecadm new esp -spi 1001 -dst 192.168.25.1 -src 192.168.25.9 \
    -forcetunnel -enc blf -auth sha1 \
    -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \
    -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
And on silicon (192.168.25.9):
# ipsecadm new esp -spi 1001 -src 192.168.25.9 -dst 192.168.25.1 \
    -forcetunnel -enc blf -auth sha1 \
    -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \
    -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
# ipsecadm new esp -spi 1000 -dst 192.168.25.9 -src 192.168.25.1 \
    -forcetunnel -enc blf -auth sha1 \
    -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \
    -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
And then the flows:
titanium (192.168.25.1):
# ipsecadm flow -proto esp -dst 192.168.25.9 -spi 1000 \
    -addr 192.168.25.1 255.255.255.255 192.168.25.9 255.255.255.255 -local
silicon (192.168.25.9):
# ipsecadm flow -proto esp -dst 192.168.5.1 -spi 1001 \
    -addr 192.168.25.9 255.255.255.255 192.168.25.1 255.255.255.255 -local
titanium didn't give me any error messages; silicon, however, gave this:
ipsecadm: Warning: option local has been deprecated
pfkey: No such process
when I created the flow. It seems to work, but only one host is
encrypting the stuff. I did a tcpdump -ni le0 on silicon:
19:15:20.455649 esp 192.168.25.1 > 192.168.25.9 spi 0x00001000 seq 216 len 84
19:15:21.454065 192.168.25.9.22 > 192.168.25.1.18685: P 15292:15520(228) ack 21 win 17376 <nop,nop,timestamp 5008 5466> [tos 0x10]
19:15:21.455981 esp 192.168.25.1 > 192.168.25.9 spi 0x00001000 seq 217 len 84
19:15:22.453820 192.168.25.9.22 > 192.168.25.1.18685: P 15520:15748(228) ack 21 win 17376 <nop,nop,timestamp 5010 5468> [tos 0x10]
19:15:22.455691 esp 192.168.25.1 > 192.168.25.9 spi 0x00001000 seq 218 len 84
19:15:23.453913 192.168.25.9.22 > 192.168.25.1.18685: P 15748:15976(228) ack 21 win 17376 <nop,nop,timestamp 5012 5470> [tos 0x10]
19:15:23.455745 esp 192.168.25.1 > 192.168.25.9 spi 0x00001000 seq 219 len 84
19:15:24.453792 192.168.25.9.22 > 192.168.25.1.18685: P 15976:16204(228) ack 21 win 17376 <nop,nop,timestamp 5014 5472> [tos 0x10]
19:15:24.455675 esp 192.168.25.1 > 192.168.25.9 spi 0x00001000 seq 220 len 84
Looks like only titanium is encrypting the packets. Does anyone know what
the problem is? titanium is an obsd 2.6/i386 CURRENT box, silicon is an
obsd 2.6/sparc CURRENT box.
Thanks!
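An added example, not part of the original post: a small Python checker that parses manually keyed ipsecadm SA and flow commands as typed above and verifies that each flow names an SA present on the same host (same protocol, destination and SPI) and that both hosts install the same SA entries. The embedded input is the post's own command set with the -key/-authkey arguments left out, since they do not affect these checks; the check names (parse_sa, parse_flow, check_host, check_pair) are this example's own.

```python
import shlex
from collections import namedtuple

SA = namedtuple("SA", "proto spi src dst")   # one 'ipsecadm new' entry
Flow = namedtuple("Flow", "proto spi dst")   # one 'ipsecadm flow' entry

def _arg(argv, opt):
    return argv[argv.index(opt) + 1]   # value that follows option `opt`

def parse_sa(cmd):
    """Parse 'ipsecadm new esp -spi 1000 -src A -dst B ...'. The SPI is read
    as hex, consistent with tcpdump printing spi 0x00001000 for -spi 1000."""
    a = shlex.split(cmd.lstrip("# "))
    assert a[:2] == ["ipsecadm", "new"], cmd
    return SA(a[2], int(_arg(a, "-spi"), 16), _arg(a, "-src"), _arg(a, "-dst"))

def parse_flow(cmd):
    """Parse 'ipsecadm flow -proto esp -dst B -spi S -addr ...'."""
    a = shlex.split(cmd.lstrip("# "))
    assert a[:2] == ["ipsecadm", "flow"], cmd
    return Flow(_arg(a, "-proto"), int(_arg(a, "-spi"), 16), _arg(a, "-dst"))

def check_host(sa_cmds, flow_cmds):
    """Flows that name an SA absent on this host (same proto, dst and SPI
    required). Returns one message per bad flow; empty list means consistent."""
    sas = [parse_sa(c) for c in sa_cmds]
    have = " ".join("%s->%s/%x" % (s.src, s.dst, s.spi) for s in sas)
    return ["flow -dst %s -spi %x matches no SA; SAs present: %s" % (f.dst, f.spi, have)
            for f in map(parse_flow, flow_cmds)
            if not any((s.proto, s.spi, s.dst) == (f.proto, f.spi, f.dst) for s in sas)]

def check_pair(sas_a, sas_b):
    """SA entries installed on one end but not the other; both ends must
    carry identical (proto, SPI, src, dst) entries, so this should be empty."""
    a, b = {parse_sa(c) for c in sas_a}, {parse_sa(c) for c in sas_b}
    return sorted("%s->%s/%x" % (s.src, s.dst, s.spi) for s in a ^ b)

# The commands from the post, keys omitted (they do not affect these checks).
TITANIUM_SA = [
    "ipsecadm new esp -spi 1000 -src 192.168.25.1 -dst 192.168.25.9 -forcetunnel -enc blf -auth sha1",
    "ipsecadm new esp -spi 1001 -dst 192.168.25.1 -src 192.168.25.9 -forcetunnel -enc blf -auth sha1"]
TITANIUM_FLOW = ["ipsecadm flow -proto esp -dst 192.168.25.9 -spi 1000 "
                 "-addr 192.168.25.1 255.255.255.255 192.168.25.9 255.255.255.255"]
SILICON_SA = [
    "ipsecadm new esp -spi 1001 -src 192.168.25.9 -dst 192.168.25.1 -forcetunnel -enc blf -auth sha1",
    "ipsecadm new esp -spi 1000 -dst 192.168.25.9 -src 192.168.25.1 -forcetunnel -enc blf -auth sha1"]
SILICON_FLOW = ["ipsecadm flow -proto esp -dst 192.168.5.1 -spi 1001 "
                "-addr 192.168.25.9 255.255.255.255 192.168.25.1 255.255.255.255"]
```

Run over the post's commands, titanium passes, both hosts carry the same two SAs, and silicon's flow is reported because its -dst 192.168.5.1 matches neither SA installed there.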