
Question about ipsec



I'm having a little trouble with an ipsec tunnel. Hoping someone can
point out what I have done wrong.

Here is my configuration:

I have 2 machines

A with external ip of 209.115.237.91
  with internal net of ips 192.168.0.0/24
B with external ip of 24.64.60.210
  with internal net of ips 90.0.0.0/24

I used one machine to generate the keys, then copied them to the other
machine.

Both machines are OpenBSD 2.8/i386

Machine A:
ipf.rules:
	pass in proto esp from 24.64.60.210/32 to 209.115.237.91/32
	pass out proto esp from 209.115.237.91/32 to 24.64.60.210/32
	pass in quick on enc0 from 90.0.0.0/24 to 192.168.0.0/24

	pass in from any to any
	pass out from any to any

netstat -rnf encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.0/24       0     24.64.60.210/32    0     0      209.115.237.91/50/require/in
192.168.0/24       0     90.0.0/24          0     0      209.115.237.91/50/require/in
209.115.237.91/32  0     24.64.60.210/32    0     0      209.115.237.91/50/require/in
209.115.237.91/32  0     90.0.0/24          0     0      209.115.237.91/50/require/in
24.64.60.210/32    0     192.168.0/24       0     0      209.115.237.91/50/require/out
24.64.60.210/32    0     209.115.237.91/32  0     0      209.115.237.91/50/require/out
90.0.0/24          0     192.168.0/24       0     0      209.115.237.91/50/require/out
90.0.0/24          0     209.115.237.91/32  0     0      209.115.237.91/50/require/out


Machine B
ipf.rules:
pass in proto esp from 209.115.237.91/32 to 24.64.60.210/32
pass out proto esp from 24.64.60.210/32 to 209.115.237.91/32
pass in quick on enc0 from 192.168.0.0/24 to 90.0.0.0/24

pass in from any to any
pass out from any to any

count in on xl0 from any to any
count out on xl0 from any to any
count in on ne3 from any to any
count out on ne3 from any to any

netstat -rnf encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.0/24       0     24.64.60.210/32    0     0      209.115.237.91/50/require/in
192.168.0/24       0     90.0.0/24          0     0      209.115.237.91/50/require/in
209.115.237.91/32  0     24.64.60.210/32    0     0      209.115.237.91/50/require/in
209.115.237.91/32  0     90.0.0/24          0     0      209.115.237.91/50/require/in
24.64.60.210/32    0     192.168.0/24       0     0      209.115.237.91/50/require/out
24.64.60.210/32    0     209.115.237.91/32  0     0      209.115.237.91/50/require/out
90.0.0/24          0     192.168.0/24       0     0      209.115.237.91/50/require/out
90.0.0/24          0     209.115.237.91/32  0     0      209.115.237.91/50/require/out


Both machines display outgoing traffic on enc0 using tcpdump -i enc0:

enc0: flags=101<UP,PROMISC> mtu 1536

13:24:35.540316 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84
13:24:36.550942 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84
13:24:37.560257 (authentic,confidential): SPI 0x00001000: 209.115.237.91 > 24.64.60.210: ip-proto-4 84

Thanks for your help.
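An added consistency check for flow tables like the two above (example code written here, not from the original post or from OpenBSD): it parses netstat -rnf encap output, whether each record sits on one line or has its SA column wrapped onto the next line as in the mail, and lists the flows whose SA destination does not fit the assumed convention that an ingress flow references an SA addressed to the local gateway and an egress flow one addressed to the remote peer. That convention, the four-record sample and the gateway addresses passed to the check are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the "netstat -rnf encap" output above,
# with the SA column wrapped onto a second line as in the mail.
SAMPLE_A = """\
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
192.168.0/24       0     24.64.60.210/32    0     0
209.115.237.91/50/require/in
192.168.0/24       0     90.0.0/24          0     0
209.115.237.91/50/require/in
24.64.60.210/32    0     192.168.0/24       0     0
209.115.237.91/50/require/out
90.0.0/24          0     192.168.0/24       0     0
209.115.237.91/50/require/out
"""

# Flow line: src sport dst dport proto, optionally followed by the SA column.
FLOW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?$")
# SA column: address/protocol/type/direction, e.g. 209.115.237.91/50/require/in
SA_RE = re.compile(r"^(\S+)/(\d+)/(\w+)/(in|out)$")
FIELDS = ("src", "sport", "dst", "dport", "proto")
SA_FIELDS = ("sa_dst", "sa_proto", "sa_type", "dir")

def parse_encap(text):
    """Return one dict per flow; the SA column may be on the same line as the
    flow or on the following line (wrapped output)."""
    flows, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            pending = dict(zip(FIELDS, m.groups()[:5]))
            sa = m.group(6)
            if sa is None:
                continue          # SA column wrapped; pick it up on the next line
        else:
            sa = line             # header lines fail SA_RE and are skipped
        sm = SA_RE.match(sa)
        if sm and pending is not None:
            pending.update(zip(SA_FIELDS, sm.groups()))
            flows.append(pending)
            pending = None
    return flows

def check_sa_endpoints(flows, local, peer):
    """Assumed convention: an 'in' flow references an SA whose destination is
    the local gateway, an 'out' flow one whose destination is the remote peer.
    Returns the flows that break it, which is where to look first."""
    return [f for f in flows
            if f["sa_dst"] != (local if f["dir"] == "in" else peer)]
```

Run against the same table from each gateway's point of view, the check reports the egress flows when evaluated as machine A and the ingress flows when evaluated as machine B, since every SA in the sample points at 209.115.237.91.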