
OpenBSD - IPSec - FreeBSD



hello everyone,
this question was brought up recently but not answered. 
some weird things happened:
I tried to get the IPSec working between obsd and fbsd.
I'm running obsd snapshot (08/03) generic kernel, freebsd 4.4 rc.
so anyways..
fbsd= 192.168.2.2, obsd= 192.168.2.5

on OpenBSD I do:
ipsecadm new esp -spi 1000 -src 192.168.2.5 -dst 192.168.2.2 -forcetunnel -enc blf -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364 -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
ipsecadm new esp -spi 1001 -src 192.168.2.2 -dst 192.168.2.5 -forcetunnel -enc blf -auth sha1 -key 81191bf1c3342233497d644a8d8e7787b41e255a -authkey 3efe357f8a16f4b12a478cce580289a3bc55b731

ipsecadm flow -dst 192.168.2.5 -proto esp -addr 192.168.2.2 255.255.255.255 192.168.2.5 255.255.255.255 -out -require
ipsecadm flow -dst 192.168.2.2 -proto esp -addr 192.168.2.5 255.255.255.255 192.168.2.2 255.255.255.255 -out -require
ipsecadm flow -dst 192.168.2.5 -proto esp -addr 192.168.2.2 255.255.255.255 192.168.2.5 255.255.255.255 -in -require
ipsecadm flow -dst 192.168.2.2 -proto esp -addr 192.168.2.5 255.255.255.255 192.168.2.2 255.255.255.255 -in -require

on FreeBSD:
add 192.168.2.2 192.168.2.5 esp 0x1001 -m tunnel -E blowfish-cbc 0x81191bf1c3342233497d644a8d8e7787b41e255a -A hmac-sha1 0x3efe357f8a16f4b12a478cce580289a3bc55b731;
add 192.168.2.5 192.168.2.2 esp 0x1000 -m tunnel -E blowfish-cbc 0x7762d8707255d974168cbb1d274f8bed4cbd3364 -A hmac-sha1 0x6a20367e21c66e5a40739db293cf2ef2a4e6659f;
spdadd 192.168.2.2 192.168.2.5 any -P out ipsec esp/tunnel/192.168.2.2-192.168.2.5/require;
spdadd 192.168.2.5 192.168.2.2 any -P in ipsec esp/tunnel/192.168.2.5-192.168.2.2/require;

here is the output of tcpdump -i xl0 on my obsd box when I ping the fbsd box from
obsd:
02:25:59.238431 esp 192.168.2.5 > 192.168.2.2 spi 0x00001000 seq 1 len116
02:25:59.239050 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 1 len116
02:26:00.240146 esp 192.168.2.5 > 192.168.2.2 spi 0x00001000 seq 2 len116
02:26:00.240419 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 2 len116
02:26:01.250124 esp 192.168.2.5 > 192.168.2.2 spi 0x00001000 seq 3 len116
02:26:01.250414 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 3 len116
02:26:02.260115 esp 192.168.2.5 > 192.168.2.2 spi 0x00001000 seq 4 len116
02:26:02.260395 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 4 len116

here is the output of tcpdump -i xl0 on my obsd box when I ping the obsd box from
fbsd:
02:27:33.475479 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 5 len116
02:27:34.477338 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 6 len116
02:27:35.487274 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 7 len116 
02:27:36.497242 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 8 len116
02:27:37.507222 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 9 len116
02:27:38.517220 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 10 len116

what I see is that the fbsd box actually receives and responds to pings
from the obsd box. ping is not successful though, because (I think) there is
something wrong with SPI 1001.
here is what I think the problem is:
#cat /kern/ipsec
Hashmask: 31, policy entries: 4
SPI = 00001000, Destination = 192.168.2.2, Sproto = 50
	Established 160 seconds ago
	Source = 192.168.2.5
	Flags (00011000) = <tunneling,usedtunnel>
	Crypto ID: 1
	xform = <IPsec ESP>
		Encryption = <Blowfish>
		Authentication = <HMAC-SHA1>
	336 bytes processed by this SA
	Last used 141 seconds ago
	Expirations: 
		(none)

SPI = 00001001, Destination = 192.168.2.5, Sproto = 50
	Established 160 seconds ago
	Source = 192.168.2.2
	Flags (00001000) = <tunneling>
	Crypto ID: 2
	xform = <IPsec ESP>
		Encryption = <Blowfish>
		Authentication = <HMAC-SHA1>
	880 bytes processed by this SA
	Last used 45 seconds ago
	Expirations:
		(none)

in the first case I see the flags equal <tunneling,usedtunnel>,
and in the second one just <tunneling>.

any idea on that one?
I appreciate any help, thanks in advance.

Igor
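As an added example (not part of Igor's post, nor code from OpenBSD or FreeBSD), here is a Python script that cross-checks manually keyed SAs of the kind shown above: it parses the ipsecadm lines and the setkey lines, verifies that every SPI is defined on both hosts with the same endpoints, algorithms and keys, and summarises which configured SPIs actually carry traffic in a tcpdump capture. The sample input is the configuration and the second capture from the post, joined back onto one line per command. The mapping between ipsecadm's algorithm names (blf, sha1) and setkey's (blowfish-cbc, hmac-sha1), the assumption that setkey keys are 0x-prefixed hex, and the helper names are mine.

```python
import re
import shlex

# Constructed sample input, copied from the post above with each wrapped
# command joined back onto a single line.
OPENBSD_SAS = """
ipsecadm new esp -spi 1000 -src 192.168.2.5 -dst 192.168.2.2 -forcetunnel -enc blf -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364 -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f
ipsecadm new esp -spi 1001 -src 192.168.2.2 -dst 192.168.2.5 -forcetunnel -enc blf -auth sha1 -key 81191bf1c3342233497d644a8d8e7787b41e255a -authkey 3efe357f8a16f4b12a478cce580289a3bc55b731
"""

FREEBSD_SAS = """
add 192.168.2.2 192.168.2.5 esp 0x1001 -m tunnel -E blowfish-cbc 0x81191bf1c3342233497d644a8d8e7787b41e255a -A hmac-sha1 0x3efe357f8a16f4b12a478cce580289a3bc55b731;
add 192.168.2.5 192.168.2.2 esp 0x1000 -m tunnel -E blowfish-cbc 0x7762d8707255d974168cbb1d274f8bed4cbd3364 -A hmac-sha1 0x6a20367e21c66e5a40739db293cf2ef2a4e6659f;
"""

# tcpdump lines from the post for the "ping obsd from fbsd" case (constructed subset).
PING_FROM_FBSD = """
02:27:33.475479 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 5 len116
02:27:34.477338 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 6 len116
02:27:35.487274 esp 192.168.2.2 > 192.168.2.5 spi 0x00001001 seq 7 len116
"""

# ipsecadm and setkey spell the algorithms differently; normalise to setkey's names
# (assumed mapping, covering the names both tools document).
ENC_NAMES = {"blf": "blowfish-cbc", "3des": "3des-cbc", "des": "des-cbc"}
AUTH_NAMES = {"sha1": "hmac-sha1", "md5": "hmac-md5"}


def _hexkey(value):
    """Strip an optional 0x prefix and lower-case a hex key (keys are assumed to be hex)."""
    return (value[2:] if value.lower().startswith("0x") else value).lower()


def parse_ipsecadm(text):
    """Return {spi: sa} for every 'ipsecadm new esp' line. ipsecadm takes the SPI in hex."""
    sas = {}
    for line in text.strip().splitlines():
        args = shlex.split(line)
        if args[:3] != ["ipsecadm", "new", "esp"]:
            continue
        # Collect "-opt value" pairs; bare flags such as -forcetunnel have no value.
        opts = {}
        for i in range(3, len(args)):
            if args[i].startswith("-") and i + 1 < len(args) and not args[i + 1].startswith("-"):
                opts[args[i][1:]] = args[i + 1]
        sas[int(opts["spi"], 16)] = {
            "src": opts["src"], "dst": opts["dst"],
            "enc": ENC_NAMES.get(opts["enc"], opts["enc"]),
            "auth": AUTH_NAMES.get(opts["auth"], opts["auth"]),
            "key": _hexkey(opts["key"]), "authkey": _hexkey(opts["authkey"]),
        }
    return sas


SETKEY_ADD = re.compile(r"add\s+(\S+)\s+(\S+)\s+esp\s+(\S+)\s+([^;]*);")


def parse_setkey(text):
    """Return {spi: sa} for every setkey 'add' statement (SPI as 0x... or decimal)."""
    sas = {}
    for src, dst, spi, rest in SETKEY_ADD.findall(text):
        args = rest.split()
        # "-E alg key" and "-A alg key": keep the two words following each switch.
        opts = {args[i]: args[i + 1:i + 3] for i in range(len(args)) if args[i] in ("-E", "-A")}
        sas[int(spi, 0)] = {
            "src": src, "dst": dst,
            "enc": opts["-E"][0], "auth": opts["-A"][0],
            "key": _hexkey(opts["-E"][1]), "authkey": _hexkey(opts["-A"][1]),
        }
    return sas


def cross_check(obsd, fbsd):
    """Every SPI must exist on both hosts with identical endpoints, algorithms and keys."""
    problems = []
    for spi in sorted(set(obsd) | set(fbsd)):
        a, b = obsd.get(spi), fbsd.get(spi)
        if a is None or b is None:
            problems.append(f"SPI {spi:#x} defined on only one host")
            continue
        for field in ("src", "dst", "enc", "auth", "key", "authkey"):
            if a[field] != b[field]:
                problems.append(f"SPI {spi:#x}: {field} differs ({a[field]} vs {b[field]})")
        # Sanity checks on key sizes: HMAC-SHA1 keys are 160 bits here, Blowfish 32..448 bits.
        if a["auth"] == "hmac-sha1" and len(a["authkey"]) != 40:
            problems.append(f"SPI {spi:#x}: hmac-sha1 key is {len(a['authkey']) * 4} bits, expected 160")
        if a["enc"] == "blowfish-cbc" and not 8 <= len(a["key"]) <= 112:
            problems.append(f"SPI {spi:#x}: blowfish key must be 32..448 bits")
    return problems


ESP_LINE = re.compile(r"esp (\S+) > (\S+) spi (0x[0-9a-fA-F]+) seq (\d+)")


def esp_traffic(capture):
    """Map (src, dst, spi) -> list of ESP sequence numbers seen in a tcpdump capture."""
    seen = {}
    for src, dst, spi, seq in ESP_LINE.findall(capture):
        seen.setdefault((src, dst, int(spi, 16)), []).append(int(seq))
    return seen


def silent_spis(sas, capture):
    """Configured SPIs that never appear on the wire during the capture."""
    active = {spi for (_, _, spi) in esp_traffic(capture)}
    return {spi for spi in sas if spi not in active}


if __name__ == "__main__":
    obsd, fbsd = parse_ipsecadm(OPENBSD_SAS), parse_setkey(FREEBSD_SAS)
    print("config mismatches:", cross_check(obsd, fbsd) or "none")
    for (src, dst, spi), seqs in esp_traffic(PING_FROM_FBSD).items():
        print(f"{src} > {dst} spi {spi:#x}: seq {seqs}")
    print("configured SPIs with no traffic:", [hex(s) for s in silent_spis(obsd, PING_FROM_FBSD)])
```

On the post's data the two configurations agree field for field, and the capture summary shows only SPI 0x1001 (fbsd to obsd) carrying packets while 0x1000 stays silent, which is exactly the asymmetry described above: the inbound SA decrypts the echo requests, but nothing leaves on the return SA. A key or endpoint typo on either host would show up in cross_check before anything is loaded into the kernel.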


