Re: FreeBSD IPSEC tunnel stopped working.

2003-01-29 Thread Steve Bertrand
Peter Haight wrote:

> > Looks like the 'spi' are out of sync on the 2 machines. This is after a
> > quick glance, but I know on my IPSec setup, (with manual keys), the
> > spi's have to be such:
> >
> > Stable in spi == Release out spi
> > Release in spi == Stable out spi
> >
> > Are you using racoon? If not, post your ipsec script.
>
> Here you go:
>
> local_ip="XX.XX.XX.XX"
> local_net_ip="10.10.1.1"
> local_net_prefixlen="24"
> remote_ip="YY.YY.YY.YY"
> remote_net_ip="192.168.1.1"
> remote_net_prefixlen="12"
> remote_net_netmask="255.255.0.0"
>
> ifconfig gif0 create
> ifconfig gif0 tunnel ${local_ip} ${remote_ip}
> ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}
> setkey -c << EOF
> flush;
> spdflush;
> add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
> add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
> spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
> spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
> EOF

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


 

This is ok on one machine. Copy the script to the other machine, and 
swap out all of the 'local' variables with the values of the 'remote' 
variables and vice versa. This will allow the keys to be configured 
correctly. If this still does not work, let me know. I wrote a perl 
program that will automatically configure a vpn tunnel for you, and it 
produces 2 scripts. One for localhost and the other for remote host. It 
works for me every time.

Steve




Re: FreeBSD IPSEC tunnel stopped working.

2003-01-29 Thread Peter Haight
> Looks like the 'spi' are out of sync on the 2 machines. This is after a 
> quick glance, but I know on my IPSec setup, (with manual keys), the 
> spi's have to be such:
> 
> Stable in spi == Release out spi
> Release in spi == Stable out spi
> 
> Are you using racoon? If not, post your ipsec script.

Here you go:

local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}
setkey -c << EOF
flush;
spdflush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF





Re: FreeBSD IPSEC tunnel stopped working.

2003-01-27 Thread Steve Bertrand
Looks like the 'spi' are out of sync on the 2 machines. This is after a 
quick glance, but I know on my IPSec setup, (with manual keys), the 
spi's have to be such:

Stable in spi == Release out spi
Release in spi == Stable out spi

Are you using racoon? If not, post your ipsec script.

Steve Bertrand

Peter Haight wrote:

> I had a FreeBSD IPSEC tunnel set up between two machines that stopped
> working when I upgraded one of the machines to a newer version of
> 4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
> the outside interfaces, I see the packet go out from one host, the older
> (4.7-RELEASE) machine replies, but the new one never moves that reply packet
> back across the tunnel.
>
> 'netstat -sn -p ipsec' is reporting that packets are "violating process
> security policy". I'm pretty sure that is the problem, but I'm not sure what
> that means.
>
> Here's setkey -DP (4.7-STABLE):
>
> 192.168.1.1/24[any] 10.10.1.1/24[any] any
>    in ipsec
>    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>    spid=24 seq=1 pid=24319
>    refcnt=1
> 10.10.1.1/24[any] 192.168.1.1/24[any] any
>    out ipsec
>    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>    spid=23 seq=0 pid=24319
>    refcnt=1
>
> setkey -DP (4.7-RELEASE):
> 10.10.1.1/24[any] 192.168.1.1/24[any] any
>    in ipsec
>    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
>    spid=4 seq=1 pid=8760
>    refcnt=1
> 192.168.1.1/24[any] 10.10.1.1/24[any] any
>    out ipsec
>    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
>    spid=3 seq=0 pid=8760
>    refcnt=1
>
> netstat -sn -p ipsec (4.7-STABLE):
> ipsec:
>    1688 inbound packets processed successfully
>    1682 inbound packets violated process security policy
>    0 inbound packets with no SA available
>    0 invalid inbound packets
>    0 inbound packets failed due to insufficient memory
>    0 inbound packets failed getting SPI
>    0 inbound packets failed on AH replay check
>    0 inbound packets failed on ESP replay check
>    0 inbound packets considered authentic
>    0 inbound packets failed on authentication
>    ESP input histogram:
>    blowfish-cbc: 1688
>    588 outbound packets processed successfully
>    0 outbound packets violated process security policy
>    11 outbound packets with no SA available
>    0 invalid outbound packets
>    0 outbound packets failed due to insufficient memory
>    0 outbound packets with no route
>    ESP output histogram:
>    blowfish-cbc: 588



 




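As an added diagnostic, not code from the thread or from either poster: a Python script that parses `setkey -DP` output from both ends and applies the mirror rule Steve gives above, so that each host's `in` policy must equal the peer's `out` policy, selector and tunnel endpoints included. The sample inputs are the two outputs quoted in this thread with the spid/refcnt lines dropped; XX.XX.XX.XX and YY.YY.YY.YY are the thread's own placeholders.

```python
"""Parse 'setkey -DP' output from two hosts and apply the in/out mirror rule."""
# Constructed sample: the two outputs quoted in this thread, spid/refcnt lines
# dropped; XX.XX.XX.XX and YY.YY.YY.YY are the thread's placeholder endpoints.
STABLE_SPD = """\
192.168.1.1/24[any] 10.10.1.1/24[any] any
   in ipsec
   esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
10.10.1.1/24[any] 192.168.1.1/24[any] any
   out ipsec
   esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
"""
RELEASE_SPD = """\
10.10.1.1/24[any] 192.168.1.1/24[any] any
   in ipsec
   esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
192.168.1.1/24[any] 10.10.1.1/24[any] any
   out ipsec
   esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
"""

def parse_spd(text):
    """One dict per policy: selector fields, direction and the request chain."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip(): continue
        if not line[0].isspace():             # selector line: src[port] dst[port] proto
            src, dst, proto = line.split()
            cur = {"src": src, "dst": dst, "proto": proto, "dir": None, "req": ()}
            policies.append(cur)
            continue
        fields = line.split()
        if fields[0] in ("in", "out", "fwd"): # direction line: 'in ipsec', 'out none', ...
            cur["dir"] = fields[0]
        elif "/" in fields[0]:                # request line: esp/tunnel/A-B/require
            parts = fields[0].split("/")      # transport mode carries no endpoint pair
            ends = tuple(parts[2].split("-")) if parts[1] == "tunnel" else ()
            cur["req"] += ((parts[0], parts[1], ends, parts[-1]),)
    return policies                           # spid=/seq=/refcnt= lines are ignored

def mirror_mismatches(spd_a, spd_b):
    """Policies with no mirror on the peer (same selector and requests, opposite
    direction). An empty list means the two SPDs agree with each other."""
    def keys(text, direction):
        return {(p["src"], p["dst"], p["proto"], p["req"])
                for p in parse_spd(text) if p["dir"] == direction}
    problems = []
    for label, mine, peer in (("A in vs B out", keys(spd_a, "in"), keys(spd_b, "out")),
                              ("A out vs B in", keys(spd_a, "out"), keys(spd_b, "in"))):
        problems += ["%s: unmatched %s" % (label, k) for k in sorted(mine ^ peer)]
    return problems
```

Run on the two outputs quoted in this thread it reports no mismatch, so the policies themselves agree and the comparison moves to the manual SAs (the `add` lines and their SPIs) on each side.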



FreeBSD IPSEC tunnel stopped working.

2003-01-27 Thread Peter Haight

I had a FreeBSD IPSEC tunnel set up between two machines that stopped
working when I upgraded one of the machines to a newer version of
4.7-STABLE. I'm not sure what the problem is. When I watch the packets on
the outside interfaces, I see the packet go out from one host, the older
(4.7-RELEASE) machine replies, but the new one never moves that reply packet
back across the tunnel.

'netstat -sn -p ipsec' is reporting that packets are "violating process
security policy". I'm pretty sure that is the problem, but I'm not sure what
that means.

Here's setkey -DP (4.7-STABLE):

192.168.1.1/24[any] 10.10.1.1/24[any] any
   in ipsec
   esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
   spid=24 seq=1 pid=24319
   refcnt=1
10.10.1.1/24[any] 192.168.1.1/24[any] any
   out ipsec
   esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
   spid=23 seq=0 pid=24319
   refcnt=1

setkey -DP (4.7-RELEASE):
10.10.1.1/24[any] 192.168.1.1/24[any] any
   in ipsec
   esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require
   spid=4 seq=1 pid=8760
   refcnt=1
192.168.1.1/24[any] 10.10.1.1/24[any] any
   out ipsec
   esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require
   spid=3 seq=0 pid=8760
   refcnt=1


netstat -sn -p ipsec (4.7-STABLE):
ipsec:
   1688 inbound packets processed successfully
   1682 inbound packets violated process security policy
   0 inbound packets with no SA available
   0 invalid inbound packets
   0 inbound packets failed due to insufficient memory
   0 inbound packets failed getting SPI
   0 inbound packets failed on AH replay check
   0 inbound packets failed on ESP replay check
   0 inbound packets considered authentic
   0 inbound packets failed on authentication
   ESP input histogram:
   blowfish-cbc: 1688
   588 outbound packets processed successfully
   0 outbound packets violated process security policy
   11 outbound packets with no SA available
   0 invalid outbound packets
   0 outbound packets failed due to insufficient memory
   0 outbound packets with no route
   ESP output histogram:
   blowfish-cbc: 588
