OBSD2.8 bridge and isakmpd probs
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: OBSD2.8 bridge and isakmpd probs
- From: Paul <pjdesign_(_at_)_yifan_(_dot_)_net>
- Date: Sat, 2 Dec 2000 15:09:20 +1100
I'm having trouble trying to implement a "bump in the wire" ipsec
gateway configuration as outlined in Keromytis and Wright's paper
"Transparent Network Security Policy Enforcement".
I have a feeling this is probably due to my failure to grasp some
fundamental step in the setup.
I have set up bridge0 with the following interfaces: dc2, dc3 and enc1,
using hostname/bridgename.if files, and am using the isakmpd config
and policy files appended below.
My problem is that I don't seem to be getting any IPsec packets coming
through on enc0, and running isakmpd -d -DA=99 doesn't show any
indication of connection attempts (using Mac PGPnet 7.0). I have
monitored the outside interface of the bridge using tcpdump -i dc2
udp and can see packets arriving on that interface:
20:01:39.141799 sss.ttt.uuu.vvv. 16442 > aaa.bbb.ccc.ddd.isakmp:
isakmp v1.0 exchange ID_PROT
cookie: 2300a4381652e218->0000000000000000 msgid: 00000000 len: 88
Having read the IPsec bridge section of brconfig(8) it would seem as
though I need to associate an SA with enc1, although I can't see
how that should be done in a bridge configuration. I had assumed that
this would be handled by isakmpd, but that doesn't seem to be the case.
The machine is running OpenBSD 2.8 stable from cvs'd source
downloaded 1dec00 .au time and compiled with all necessary kernel
options. I have rebuilt userland using the procedure documented in
If someone can shed some light I'd be grateful...
/etc/sysctl.conf - relevant options
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
Comment: This policy accepts ESP SAs from a remote that uses the right password
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";