Subject: Re: ipsec and netbsd and wireless
To: Joe <josepha48@yahoo.com>
From: Daniel Eggert <danieleggert@mac.com>
List: netbsd-help
Date: 01/21/2003 13:33:16
Hi Joe,

What's the total output of
	netstat -p ipsec
Do you have some sort of firewall set up?

Daniel

On Sunday, Jan 19, 2003, at 22:25 Europe/Copenhagen, Joe wrote:

>

<snip>

>      I now want to set up ipsec.  So I read the handbook, and
> searched the net.

What exactly do you want IPsec to do?

>      Before ipsec
>          ping wireless laptop to xl1 gives normal reply
>
>      After ipsec
>          ping wireless laptop to xl1 gives NO response
>
>      I can access the internet though.  I run netstat -sn -p
> ipsec on both machines and it seems that both are sending
> outbound packets correctly
>  eg:
>      55 outbound packets processed successfully
>
>       however I also see:
>  eg:
>      35 inbound packets with no SA available

What's the total output of
	netstat -p ipsec
...and aha! There's something: 35 packets didn't have an SA (Security
Association).

In your ipsec.conf there's no rule for the ipsec package... (read on)

>     I want to secure traffic between xl1 and my laptop.  esp
> would be fine, as I have read that you cannot use ah with natd.
> I also want to use ipcomp.
>
>     The basic setup is:
> ipsec.conf:
> add <machine a ip> <machine b ip> esp 7000 -E <enc type from man
> pg> "the key";
> add <machine b ip> <machine a ip> esp 17000 -E <enc type from
> man pg> "the key";
> add <machine a ip> <machine b ip> ipcomp 7002 -C deflate;
> add <machine b ip> <machine a ip> ipcomp 17002 -C deflate;
> spdadd <machine a ip> <machine b ip> any -P out ipsec esp/transport//use
> ipcomp/transport//use;
> spdadd <machine b ip> <machine a ip> any -P in ipsec esp/transport//use
> ipcomp/transport//use;

The first lines add Security Association Database (SAD) entries, the
last two lines add Security Policy Database (SPD) entries.

Some packets (the 35 above) match some SP (Security Policy), but
there's no matching SA (Security Association). That's your problem.

Make sure you've got those IPs right. For the example above <machine a
ip> needs to be the IP of the machine itself.

> the difference is the spdadd's: on the client machine the in and
> out statements are switched.  This is what I have read.
>
> So how do I tell if this is actually working, and why can't I
> ping the machine after starting ipsec?

Your ping packets are dropped by IPsec. Try to look at
	netstat -p ipsec
output while pinging.

Hope this helps. Let me know.

Daniel
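The setup Daniel is describing, as an added example that is not part of the original thread or of NetBSD's own configuration: a small sh script that prints a complete setkey(8) ipsec.conf for manually-keyed transport-mode ESP plus IPComp between two hosts. The addresses (192.0.2.10 / 192.0.2.20), the SPIs and the 3des-cbc keys are constructed placeholders. The point it makes is the one from the reply: the SAD entries must be identical on both hosts (the receiver looks an inbound ESP packet up by destination address and SPI, so a mismatch shows up as "inbound packets with no SA available"), while the SPD lines are written from each host's own point of view, so only the in/out directions swap. IPComp is listed before ESP on the assumption that setkey applies the listed protocols in order, so the payload is compressed before it is encrypted.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a setkey(8)
# configuration for manually-keyed transport-mode ESP + IPComp between two
# hosts.  Run setkey_conf on each host with its own address first; the SAD
# entries come out identical on both sides, only the SPD directions swap.
#
# Addresses, SPIs and keys below are constructed for illustration.

A=192.0.2.10    # machine a, e.g. the NetBSD box with xl1   (constructed)
B=192.0.2.20    # machine b, e.g. the wireless laptop       (constructed)

# 3des-cbc wants a 24-byte key (48 hex digits).  These are placeholders:
# generate real ones with e.g. `openssl rand -hex 24` and keep the file
# readable by root only, since the keys are in the clear.
KEY_A_TO_B=0x000102030405060708090a0b0c0d0e0f1011121314151617
KEY_B_TO_A=0x101112131415161718191a1b1c1d1e1f2021222324252627

# setkey_conf LOCAL PEER: print a complete ipsec.conf for host LOCAL.
setkey_conf() {
  me=$1
  peer=$2
  cat <<EOF
# flush old entries so stale SAs/SPs cannot shadow the new ones
flush;
spdflush;

# SAD: one SA per direction and protocol, identical on both hosts.
# The receiver finds the SA by destination address + SPI; if these
# differ between the hosts, netstat -s -p ipsec counts
# "inbound packets with no SA available".
add $A $B esp 0x1000 -E 3des-cbc $KEY_A_TO_B;
add $B $A esp 0x1001 -E 3des-cbc $KEY_B_TO_A;
add $A $B ipcomp 0x1002 -C deflate;
add $B $A ipcomp 0x1003 -C deflate;

# SPD: written from this host's point of view, so "out" is me -> peer.
# Level "use" means: apply IPsec if an SA exists, otherwise send in the
# clear; switch to "require" once it works to refuse cleartext.
spdadd $me $peer any -P out ipsec ipcomp/transport//use esp/transport//use;
spdadd $peer $me any -P in ipsec ipcomp/transport//use esp/transport//use;
EOF
}

# Configuration for machine a.  On machine b run: setkey_conf "$B" "$A"
setkey_conf "$A" "$B"

# Load with:     setkey -f /etc/ipsec.conf
# Inspect with:  setkey -D   (SAD)    setkey -DP   (SPD)
#                netstat -s -p ipsec  while pinging the peer
```

Running the script on machine a and `setkey_conf "$B" "$A"` on machine b gives two files whose `add` lines are byte-for-byte the same and whose `spdadd` lines are mirrored; any other difference between the two hosts is the first thing to check when the "no SA available" counter climbs.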