
Re: IPSec between OpenBSD and FreeBSD



Remoin,
Matthias Teege wrote,

> Moin,
> 
> I am trying to encrypt a wireless link between an openbsd router with
> isakmpd and a freebsd router with racoon. The network looks like this:
> 
> 192.168.0.0/24 -|                                |- internet
>                 - 192.168.9.9 - - - 192.168.9.11 -
>                 | OpenBSD/ster      FreeBSD/bullet
> 192.168.2.0/24 -| isakmpd           racoon
> 
> 192.168.0.0/24 is a dmz and I want to encrypt all traffic from the dmz
> to the internet and reverse. Traffic from dmz to »..2.0/24« should be
> possible without encryption.
> 
> After setup and starting racoon the isakmpd shows me:
> 
> 165331.230650 Default x509_read_crls_from_dir: opendir
> ("/etc/isakmpd/crls/") failed: No such file or directory
> 165331.230949 Default x509_crl_init: x509_read_from_dir failed

Create a directory /etc/isakmpd/crls/

> 165357.182168 Default udp_create: address "" not understood

I think your isakmpd.conf is wrong.

> What does this message mean?

The daemon cannot bind UDP port 500.

> isakmpd.conf
> [General]
> Policy-File=            /etc/isakmpd/isakmpd.policy
> Retransmits=5
> Exchange-max-time=120
> Listen-on=192.168.9.9

Is it possible that 192.168.9.9 does not exist?
ifconfig -a would be interesting.

Or there are whitespace problems in your config.


> There is also another problem I see in the log of my packetfilter.
> After starting racoon and isakmpd all traffic from dmz to
> 192.168.2.0/24 goes to the defaultroute 192.168.9.11.

Because your SAs say so.
 ID-type=                IPV4_ADDR_SUBNET
 Network=                0.0.0.0
 Netmask=                0.0.0.0

> ipsecadm flow -dst 192.168.9.9 -addr 192.168.0.0/24 0.0.0.0/0
> -in -acquire
> ipsecadm flow -src 192.168.9.9 -addr 0.0.0.0/0 192.168.0.0/24
> -out -acquire

This means your OpenBSD machine should send all outgoing traffic
through the established tunnel.

bye
  Waldemar

-- 
8485 D0CE 2743 656E 867C  5C93 0317 AFD8 BE21 BD90
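The routing symptom Waldemar points at (DMZ traffic for 192.168.2.0/24 ending up on the tunnel towards 192.168.9.11) follows from the selectors alone: an SA whose remote network is 0.0.0.0/0 produces a flow that matches every destination, including the directly connected 192.168.2.0/24. The following is an added example, not code from this thread or from the isakmpd/ipsecadm projects. It models a security policy database as a list of flows with most-specific-match lookup (OpenBSD's SPD behaves that way; here it is a stated modelling assumption), derives the flows implied by the SA definition in the quoted isakmpd.conf (local DMZ, remote 0.0.0.0/0) rather than the literal ipsecadm lines, and shows that two more specific -bypass flows for DMZ <-> 192.168.2.0/24 win over the catch-all and keep that traffic in cleartext, which is what the original poster asked for. The -bypass flow type is taken from ipsecadm(8) and is an assumption as far as this page is concerned; the argument order of the rendered commands follows the commands quoted above.

```python
"""Model of IPsec flow (SPD) lookup behind the routing symptom in the thread.

Added example, not code from the thread.  Assumptions: the most specific
matching flow wins (as in OpenBSD's SPD), and ipsecadm(8) accepts -bypass
as a flow type.  Addresses are the ones from the quoted network diagram.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out", relative to the OpenBSD box
    src: str         # source selector, CIDR
    dst: str         # destination selector, CIDR
    action: str      # "acquire" (send via SA / negotiate) or "bypass" (cleartext)
    peer: str = ""   # local tunnel endpoint for -acquire flows


DMZ = "192.168.0.0/24"
LAN = "192.168.2.0/24"
LOCAL_GW = "192.168.9.9"   # OpenBSD/ster, from the diagram
ANY = "0.0.0.0/0"          # Network=0.0.0.0 Netmask=0.0.0.0 in the quoted SA

# Flows implied by the SA definition in the quoted isakmpd.conf: the remote
# ID is 0.0.0.0/0, so every destination reachable from the DMZ matches.
ORIGINAL = [
    Flow("out", DMZ, ANY, "acquire", LOCAL_GW),
    Flow("in", ANY, DMZ, "acquire", LOCAL_GW),
]

# Same flows plus more specific bypass flows for DMZ <-> 192.168.2.0/24,
# which the original poster wants to stay unencrypted.
FIXED = ORIGINAL + [
    Flow("out", DMZ, LAN, "bypass"),
    Flow("in", LAN, DMZ, "bypass"),
]


def lookup(spd, src, dst, direction):
    """Return the action of the most specific flow matching a packet.

    Specificity is the sum of both selector prefix lengths, so a
    /24 -> /24 flow beats a /24 -> /0 flow for the same packet.
    """
    s, d = ip_address(src), ip_address(dst)
    best, best_len = None, -1
    for f in spd:
        if f.direction != direction:
            continue
        sn, dn = ip_network(f.src), ip_network(f.dst)
        if s in sn and d in dn:
            length = sn.prefixlen + dn.prefixlen
            if length > best_len:
                best, best_len = f, length
    return best.action if best else "none"


def to_ipsecadm(f):
    """Render a flow in the ipsecadm syntax quoted in the thread.

    -src/-dst give the local endpoint for -acquire flows, as in the
    original commands; -bypass flows need no endpoint.  (-bypass assumed.)
    """
    endpoint = ""
    if f.action == "acquire":
        endpoint = f" -{'dst' if f.direction == 'in' else 'src'} {f.peer}"
    return f"ipsecadm flow{endpoint} -addr {f.src} {f.dst} -{f.direction} -{f.action}"


if __name__ == "__main__":
    # Constructed sample packets: DMZ -> internet, DMZ -> LAN, LAN -> DMZ.
    packets = [("192.168.0.5", "8.8.8.8", "out"),
               ("192.168.0.5", "192.168.2.7", "out"),
               ("192.168.2.7", "192.168.0.5", "in")]
    for name, spd in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        for src, dst, dirn in packets:
            print(f"  {src} -> {dst} ({dirn}): {lookup(spd, src, dst, dirn)}")
    print("\n".join(to_ipsecadm(f) for f in FIXED))
```

With the original flows the DMZ -> 192.168.2.0/24 packet is classified "acquire", exactly the behaviour seen in the packet filter log; with the two bypass flows in place the same packet is classified "bypass" while DMZ -> internet traffic still goes into the tunnel. The same effect can be had by narrowing the SA's remote Network/Netmask instead of 0.0.0.0/0, but with a default-route peer a bypass entry for the local subnet is the more direct fix.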


