[LARTC] 26sec kame ipsec tunnel : packets leave unencrypted...
lartc
lartc at manchotnetworks.net
Thu Apr 28 15:44:19 CEST 2005
hi sylvain,
what does "setkey -D" say?
cheers
charles
On Thu, 2005-04-28 at 10:16 +0200, Sylvain BERTRAND wrote:
> On Thu 28 April 2005 9:50, lartc wrote:
> > hi sylvain,
> >
> > to do your vpn, you'll need a little bit more policy (if you want to set
> > your policy manually). here's an example shell script to set policy:
> >
> >
> >
> > #!/sbin/setkey -f
> > flush;
> > spdflush;
> >
> > # ======ESP======
> > # | |
> > #Network Left --- Gateway Left --- Gateway Right --- Network Right
> >
> >
> > # ----- Gateway Left
> >
> > #spdadd left_net/nn right_net/nn any -P out ipsec
> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> > #spdadd right_net/nn left_net/nn any -P in ipsec
> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > #spdadd right_net/nn left_net/nn any -P fwd ipsec
> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > # ----- Gateway Right
> >
> > #spdadd right_net/nn left_net/nn any -P out ipsec
> > # esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > #spdadd left_net/nn right_net/nn any -P in ipsec
> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> > #spdadd left_net/nn right_net/nn any -P fwd ipsec
> > # esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> >
> > # left side is then:
> >
> > spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
> > esp/tunnel/62.212.109.16-82.234.240.117/require;
> >
> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
> > esp/tunnel/82.234.240.117-62.212.109.16/require;
> >
> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
> > esp/tunnel/82.234.240.117-62.212.109.16/require;
> >
> > #EOF
> >
> > check "man racoon.conf" and look at "generate_policy" and "passive"
> >
> > these options allow you to have one side of your vpn set as passive and
> > will build its policy based on the other side's request.
> >
> > cheers
> >
> > charles shick
> >
>
>
>
> This is exactly what I did (except for the spdadd fw which is done
> automatically). I did not include the whole script in my original mail,
> but this really is what I did (below is my /etc/ipsec.conf file on
> 192.168.0.95).
>
> I just don't get why packets leave unencrypted...
>
> Regards,
>
> Sylvain
>
>
>
>
> #!/usr/bin/setkey -f
>
> # ipsec.conf
>
>
> flush;
> spdflush;
>
> add 62.212.109.16 82.234.240.117 esp 0x201 -m tunnel -E 3des-cbc\
> 0x**** -A hmac-md5 0x****;
>
> add 82.234.240.117 62.212.109.16 esp 0x301 -m tunnel -E 3des-cbc\
> 0x**** -A hmac-md5\ 0x****;
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec\
> esp/tunnel/62.212.109.16-82.234.240.117/require;
>
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec\
> esp/tunnel/82.234.240.117-62.212.109.16/require;
>
>
>
>
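Added example (not code from the LARTC list, the KAME project or either poster): a small checker for the kind of setkey spdadd policy quoted above. It parses the script the way the posters wrote it (comments, backslash continuations, ';'-terminated statements), then checks what a gateway-to-gateway tunnel needs: every out policy has a mirrored in policy, every in policy has a fwd twin when the gateway forwards for a subnet, no policy is repeated, and the tunnel endpoint that names this host is an address it actually owns. The sample inputs are constructed from the two scripts in the thread; the local address passed to the checker is the caller's assumption, and 192.0.2.10 in the demo is a made-up address used only to show that check firing.

```python
"""Consistency checks for setkey(8) SPD tunnel policies.

Added example, not code from the thread above or from KAME. The one
assumption is that the caller knows which address the host running the
script owns (local_gateway).
"""
import re
from dataclasses import dataclass, replace
from typing import List, Tuple

TUNNEL_RE = re.compile(r"esp/tunnel/([\d.]+)-([\d.]+)/(require|use)")


@dataclass(frozen=True)
class SpdEntry:
    src: str         # inner source selector, e.g. 192.168.1.0/24
    dst: str         # inner destination selector
    proto: str       # upper-layer protocol selector ("any" in the thread)
    direction: str   # out, in or fwd
    tunnel_src: str  # outer (gateway) source address
    tunnel_dst: str  # outer (gateway) destination address


def parse_setkey_spd(script: str) -> List[SpdEntry]:
    """Extract spdadd statements from a 'setkey -f' script.

    Strips '#' comments (including the shebang), joins backslash-newline
    continuations and splits on ';'. SA statements (add), flush and
    spdflush are skipped; only esp/tunnel policies are modelled.
    """
    no_comments = "\n".join(line.split("#", 1)[0] for line in script.splitlines())
    joined = no_comments.replace("\\\n", " ")
    entries = []
    for stmt in joined.split(";"):
        toks = stmt.split()
        if not toks or toks[0] != "spdadd":
            continue
        src, dst, proto = toks[1], toks[2], toks[3]
        direction = toks[toks.index("-P") + 1]
        m = TUNNEL_RE.search(stmt)
        if m is None:
            raise ValueError(f"unsupported policy spec in: {stmt.strip()}")
        entries.append(SpdEntry(src, dst, proto, direction, m.group(1), m.group(2)))
    return entries


def check_policies(entries: List[SpdEntry], local_gateway: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings. Codes: duplicate, tunnel_not_local,
    missing_in, missing_fwd."""
    findings = []
    unique: List[SpdEntry] = []
    for e in entries:
        if e in unique:
            findings.append(("duplicate", f"policy repeated: {e.direction} {e.src} -> {e.dst}"))
        else:
            unique.append(e)
    ins = [e for e in unique if e.direction == "in"]
    fwds = [e for e in unique if e.direction == "fwd"]
    for e in (x for x in unique if x.direction == "out"):
        if e.tunnel_src != local_gateway:
            findings.append(("tunnel_not_local",
                             f"out {e.src} -> {e.dst}: tunnel source {e.tunnel_src} "
                             f"is not this host's address {local_gateway}"))
        mirror = replace(e, src=e.dst, dst=e.src, direction="in",
                         tunnel_src=e.tunnel_dst, tunnel_dst=e.tunnel_src)
        if mirror not in ins:
            findings.append(("missing_in", f"out {e.src} -> {e.dst} has no mirrored in policy"))
    for e in ins:
        if e.tunnel_dst != local_gateway:
            findings.append(("tunnel_not_local",
                             f"in {e.src} -> {e.dst}: tunnel destination {e.tunnel_dst} "
                             f"is not this host's address {local_gateway}"))
        if replace(e, direction="fwd") not in fwds:
            findings.append(("missing_fwd",
                             f"in {e.src} -> {e.dst} has no fwd twin; packets forwarded "
                             f"to {e.dst} through this gateway are not covered"))
    return findings


# Constructed sample: the "left side" statements quoted in the thread
# (gateway 62.212.109.16). Note the repeated in policy.
LEFT_SIDE = """#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
    esp/tunnel/62.212.109.16-82.234.240.117/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/82.234.240.117-62.212.109.16/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/82.234.240.117-62.212.109.16/require;
"""

# Constructed sample: the spdadd lines from the quoted ipsec.conf, with the
# backslash continuations as posted (gateway 82.234.240.117).
RIGHT_SIDE = """spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec\\
esp/tunnel/62.212.109.16-82.234.240.117/require;

spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec\\
esp/tunnel/82.234.240.117-62.212.109.16/require;
"""

if __name__ == "__main__":
    for label, script, local in (("left on its gateway", LEFT_SIDE, "62.212.109.16"),
                                 ("right on its gateway", RIGHT_SIDE, "82.234.240.117"),
                                 ("right on a non-endpoint host (made-up address)", RIGHT_SIDE, "192.0.2.10")):
        print(f"== {label}")
        for code, msg in check_policies(parse_setkey_spd(script), local):
            print(f"  [{code}] {msg}")
```

Run as a script it prints the findings for each case; the left-side script reports the duplicated in policy and the absent fwd policy, the right-side script reports only the absent fwd policy when loaded on 82.234.240.117, and the tunnel_not_local check fires when the same script is loaded on a host that is not a tunnel endpoint.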