Subject: Re: ipsec and netbsd and wireless
To: Joe <josepha48@yahoo.com>
From: Daniel Eggert <danieleggert@mac.com>
List: netbsd-help
Date: 01/21/2003 13:33:16
Hi Joe,
What's the total output of
netstat -p ipsec
Do you have some sort of firewall set up?
Daniel
On Sunday, Jan 19, 2003, at 22:25 Europe/Copenhagen, Joe wrote:
>
<snip>
> I now want to set up ipsec. So I read the handbook, and
> searched the net.
What exactly do want IPsec to do?
> Before ipsec
> ping wireless laptop to xl1 gives normal reply
>
> After ipsec
> ping wireless laptop to xl1 gives NO response
>
> I can access the internet though. I run netstat -sn -p
> ipsec on both machines and it seems that both are sending
> outbound packets correctly
> eg:
> 55 outbound packets processed successfully
>
> however I also see:
> eg:
> 35 inbound packets with no SA available
What's the total output of
netstat -p ipsec
...and aha! There's something: 35 packets didn't have an SA (Security
Association).
In your ipsec.conf there's no rule for the ipsec package... (read on)
> I want to secure traffic between xl1 and my laptop. esp
> would be fine, as I have read that you cannot use ah with natd.
> I also want to use ipcomp.
>
> The basic setup is:
> ipsec.conf:
> add <machine a ip> <machine b ip> esp 7000 -E <enc type from man
> pg> "the key";
> add <machine b ip> <machine a ip> esp 17000 -E <enc type from
> man pg> "the key";
> add <machine a ip> <machine b ip> ipcomp 7002 -C deflate;
> add <machine b ip> <machine a ip> ipcomp 17002 -C deflate;
> spdadd <machine a ip> <machine b ip> any -P out ipsec esp/transport//use
> ipcomp/transport//use;
> spdadd <machine b ip> <machine a ip> any -P in ipsec esp/transport//use
> ipcomp/transport//use;
The first lines add Security Association Database (SAD) entries, the
last two lines add Security Policy Database (SPD) entries.
Some packets (the 35 above) match some SP (Security Policy), but
there's no matching SA (Security Association). That's your problem.
Make sure you've got those IPs right. For the example above <machine a
ip> needs to be the IP of the machine itself.
> The difference is the spdadd's: on the client machine the in and
> out statements are switched. This is what I have read.
>
> So how do I tell if this is actually working, and why can't I
> ping the machine after starting ipsec?
Your ping packets are dropped by IPsec. Try to look at
netstat -p ipsec
output while ping'ing.
Hope this helps. Let me know.
Daniel
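As an added illustration (not part of Daniel's or Joe's mail), here is the shape the two ipsec.conf files take for the manually keyed transport-mode setup discussed above, assuming 192.0.2.10 is xl1 (machine a) and 192.0.2.20 is the laptop (machine b); the addresses, SPIs and the rijndael-cbc key are constructed placeholders. The point Daniel makes is visible in the layout: the SAD lines are identical on both hosts, and only the SPD direction flips.

```conf
# ---- /etc/ipsec.conf on xl1 (192.0.2.10); constructed example, not a real key ----
flush;      # drop stale SAs so an old entry cannot mask a typo
spdflush;   # same for policies

# SAD: one SA per direction. These four lines must be identical on BOTH hosts
# (same src/dst, SPI, algorithm and key); if the laptop's copy differs, its
# inbound packets match an SP but the kernel counts "no SA available".
add 192.0.2.10 192.0.2.20 esp    7000  -E rijndael-cbc 0x0123456789abcdef0123456789abcdef;
add 192.0.2.20 192.0.2.10 esp    17000 -E rijndael-cbc 0xfedcba9876543210fedcba9876543210;
add 192.0.2.10 192.0.2.20 ipcomp 7002  -C deflate;
add 192.0.2.20 192.0.2.10 ipcomp 17002 -C deflate;

# SPD: the first address is always "this host" for -P out and the peer for -P in.
# ipcomp is listed before esp so the packet is compressed, then encrypted
# (the kernel applies the listed transforms in order; ciphertext does not compress).
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec ipcomp/transport//use esp/transport//use;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec ipcomp/transport//use esp/transport//use;

# ---- /etc/ipsec.conf on the laptop (192.0.2.20) ----
# flush; spdflush; and the four "add" lines are copied verbatim from xl1.
# Only the policy direction changes: the laptop's own address now sits first on "out".
spdadd 192.0.2.20 192.0.2.10 any -P out ipsec ipcomp/transport//use esp/transport//use;
spdadd 192.0.2.10 192.0.2.20 any -P in  ipsec ipcomp/transport//use esp/transport//use;
```

After loading each file with setkey -f, compare setkey -D (the SAD) on both hosts and setkey -DP (the SPD) against it; if the "inbound packets with no SA available" counter in netstat -p ipsec keeps rising while pinging, the SA the policy selects does not exist on the receiving side.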