Subject: ipsec and netbsd and wireless
To: None <netbsd-help@netbsd.org>
From: Joe <josepha48@yahoo.com>
List: netbsd-help
Date: 01/19/2003 13:25:58
Hello,
I have set up a nice little gateway / router using FreeBSD.
It works very nice so far. I have a laptop running NetBSD.
I desperately need help with ipsec. I have searched the
internet and read the FAQs. My problem is that I have not
found an easy way to tell if it is working. I am guessing it is
not.
Here is the setup.
3 interfaces: xl0, xl1, wi0
xl0 is the external interface. All traffic is NATed through
this interface.
xl1 is the internal wired interface
wi0 is the wireless interface
xl1 -> xl0 works fine
wi0 and xl1 are bridged (sysctl
net.link.ether.bridge_cfg="wi0 xl1"); this also works fine.
I have enabled 128-bit WEP as a quick and dirty way of
getting the network 'somewhat' secure. At least the data is not
in clear text. There is little threat from a wireless hacker
here too, as there is not sufficient range (tested; much
concrete here).
I now want to set up ipsec. So I read the handbook, and
searched the net.
Before ipsec
ping wireless laptop to xl1 gives normal reply
After ipsec
ping wireless laptop to xl1 gives NO response
I can access the internet though. I run netstat -sn -p
ipsec on both machines and it seems that both are sending
outbound packets correctly, e.g.:
55 outbound packets processed successfully
however I also see, e.g.:
35 inbound packets with no SA available
I want to secure traffic between xl1 and my laptop. ESP
would be fine, as I have read that you cannot use AH with natd.
I also want to use ipcomp.
The basic setup is:
ipsec.conf:
add <machine a ip> <machine b ip> esp 7000 -E <enc algorithm from man page> "the key";
add <machine b ip> <machine a ip> esp 17000 -E <enc algorithm from man page> "the key";
add <machine a ip> <machine b ip> ipcomp 7002 -C deflate;
add <machine b ip> <machine a ip> ipcomp 17002 -C deflate;
spdadd <machine a ip> <machine b ip> any -P out ipsec esp/transport//use ipcomp/transport//use;
spdadd <machine b ip> <machine a ip> any -P in ipsec esp/transport//use ipcomp/transport//use;
The difference is in the spdadd lines: on the client machine
the in and out statements are switched. This is what I have read.
So how do I tell if this is actually working, and why can't I
ping the machine after starting ipsec?
Also shouldn't I be able to do this setup (bridging / nat) with
ipsec?
Thanks,
Joe
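As an added example, not from Joe's post: a small sh script that emits the setkey(8) configuration for each host of the pair described above (so that the gateway's out policy is the laptop's in policy, and both sides share the same SPIs and keys) and checks netstat -sn -p ipsec output for the "no SA available" symptom. Addresses, SPIs and keys are constructed placeholders; the rijndael-cbc algorithm name and the inbound "processed successfully" counter line are assumed from the KAME setkey/netstat conventions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the setkey(8) config
# for ONE host of a manually keyed ESP+IPComp transport pair, so that the
# "out" policy on the gateway is the "in" policy on the laptop and both
# hosts share the same SPIs and keys. Addresses, SPIs and keys below are
# constructed placeholders; generate real keys with e.g. openssl rand -hex 16.
HOST_A=192.0.2.10          # constructed: gateway, xl1 side
HOST_B=192.0.2.20          # constructed: wireless laptop
SPI_AB=7000; SPI_BA=17000; CSPI_AB=7002; CSPI_BA=17002
KEY_AB=0x00112233445566778899aabbccddeeff   # 128-bit, constructed
KEY_BA=0xffeeddccbbaa99887766554433221100   # 128-bit, constructed
# "require" refuses to send unprotected; the "use" level silently falls
# back to cleartext when no SA matches, which hides a broken setup.
LEVEL=require

# gen_conf <local> <peer>: configuration to load on <local> with "setkey -f".
# The SA lines are identical on both hosts; only the policy direction flips.
gen_conf() {
  local_ip=$1; peer_ip=$2
  cat <<EOF
add $HOST_A $HOST_B esp $SPI_AB -E rijndael-cbc $KEY_AB;
add $HOST_B $HOST_A esp $SPI_BA -E rijndael-cbc $KEY_BA;
add $HOST_A $HOST_B ipcomp $CSPI_AB -C deflate;
add $HOST_B $HOST_A ipcomp $CSPI_BA -C deflate;
spdadd $local_ip $peer_ip any -P out ipsec esp/transport//$LEVEL ipcomp/transport//use;
spdadd $peer_ip $local_ip any -P in ipsec esp/transport//$LEVEL ipcomp/transport//use;
EOF
}

# check_stats: reads "netstat -sn -p ipsec" output on stdin; returns 1 when
# inbound packets hit "no SA available", i.e. the peer is encrypting but
# this host has no SA whose address pair and SPI match. The inbound
# "processed successfully" line is assumed from KAME's counter set.
check_stats() {
  awk '/inbound packets with no SA available/   { nosa = $1 }
       /inbound packets processed successfully/  { okin = $1 }
       /outbound packets processed successfully/ { okout = $1 }
       END { printf "out ok=%d in ok=%d in no-SA=%d\n", okout, okin, nosa
             if (nosa > 0) exit 1; exit 0 }'
}

# Constructed sample in the format quoted in the post.
BAD_STATS='55 outbound packets processed successfully
35 inbound packets with no SA available'

echo "# config for $HOST_A"; gen_conf "$HOST_A" "$HOST_B"
echo "# config for $HOST_B"; gen_conf "$HOST_B" "$HOST_A"
printf '%s\n' "$BAD_STATS" | check_stats || echo "SA mismatch: check SPIs and keys"
```

After loading the config on each host, setkey -D lists the SAs and setkey -DP the policies; a host whose SA list is empty or whose SPIs differ from the peer's will show the "no SA available" counter climbing.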