George Hartzell writes:
I'd like to set up an IPsec connection between my laptop running
FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec
capability.
[...]
I almost have things working!
I've fallen back to a very simple solution, it took me a while to
separate the fancy footwork in the various examples (the gif tunnels
and the fancy-dancing to support/enable NAT, etc...), but I finally
realized that what I needed was just pretty simple.
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c EOF
spdadd LAPTOP_IP/32 192.168.1.0/24 any -P out ipsec
esp/tunnel/LAPTOP_IP-LINKSYS_IP/require;
spdadd 192.168.1.0/24 LAPTOP_IP/32 any -P out ipsec
esp/tunnel/LINKSYS_IP-LAPTOP_IP/require;
EOF
and a racoon.conf that's almost exactly the example from the
racoon.conf man page.
Now I get the key exchange established, with racoon saying
IPsec-SA established: ESP/Tunnel 64.1.164.95-64.1.164.92 spi=387448327(0x1717fe07)
and the Linksys logging (in blue!) that the tunnel's been established.
Still, it doesn't quite work.
If I sit on my laptop and ping a machine on the private network, I
never see any replies. But, a tcpdump on the private network machine
shows the icmp requests and replies in the clear, and tcpdump on the
laptop shows the replies coming back through the ipsec gateway (foo is
the laptop, blah is the Linksys).
09:09:09.739914 foo.bar.com blah.bar.com: ESP(spi=0x1a1ef0f9,seq=0x111)
09:09:09.742049 blah.bar.com foo.bar.com: ESP(spi=0x0c053b00,seq=0x11f)
So, it seems that the replies are making it back to the laptop (or
close enough that the laptop can tcpdump them.
Anyone have any suggestions on where they might be getting stuck
and/or dropped on the floor? Suggestions on tools to dig around and
understand what's up?
g.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
