tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

IPsec vs ssh

I'm experimenting with IPsec and have found that once I have
a tunnel working between a pair of NetBSD hosts running IPsec,
I can no longer ssh directly from one to the other - or that
once I load ipsec.conf, ssh sessions freeze.

The reason for this is that I suspect the SPD (ipsec.conf)
ends up specifying that the packets for ssh between the two
hosts are to be encrypted and wrapped up by each end point
before being sent to the other end.

The man page for setkey seems to suggest that there is a priority
mechanism that would allow me to create a "none" SPD for ssh
packets but setkey on NetBSD doesn't support this. If I understand
correctly, if it was present then I would do something like this:

spdadd A.B.C.D/32 E.F.G.0/24 any -P in priority low ipsec 
spdadd E.F.G.0/24 A.B.C.D/32 any -P out priority low ipsec 
spdadd A.B.C.D/32[22] E.F.G.0/24[any] tcp -P in priority high none;
spdadd E.F.G.0/24[any] A.B.C.D/32[22] tcp -P out priority high none;

So that the policy for packets matching ssh have a higher priority than
the others and result in no action being taken by IPsec with them.

Some questions..

1) How do I enable priority policies in NetBSD?
2) Will they work if I do enable them?
3) Is there another way to achieve this?


Home | Main Index | Thread Index | Old Index