netbsd-help: ipsec and netbsd and wireless

Subject: ipsec and netbsd and wireless
To: None <netbsd-help@netbsd.org>
From: Joe <josepha48@yahoo.com>
List: netbsd-help
Date: 01/19/2003 13:25:58
Hello,

I have set up a nice little gateway / router using FreeBSD. It works very nicely so far. I have a laptop running NetBSD.

I desperately need help with ipsec. I have searched the internet and read the FAQs. My problem is that I have not found an easy way to tell if it is working. I am guessing it is not.
Here is the setup.

3 interfaces: xl0, xl1, wi0
xl0 is the external interface; all traffic is NATed through this interface
xl1 is the internal wired interface
wi0 is the wireless interface
xl1 -> xl0 works fine
wi0 -> xl1 are bridged (sysctl net.link.ether.bridge_cfg="wi0 xl1"); this also works fine

I have enabled 128-bit WEP as a quick and dirty way of getting the network 'somewhat' secure. At least the data is not in clear text. There is little threat from a wireless hacker here too, as there is not sufficient range (tested, much concrete here).
I now want to set up ipsec. So I read the handbook and searched the net.

Before ipsec: ping from the wireless laptop to xl1 gives a normal reply.
After ipsec: ping from the wireless laptop to xl1 gives NO response.

I can access the internet though. I run netstat -sn -p ipsec on both machines and it seems that both are sending outbound packets correctly, e.g.:

  55 outbound packets processed successfully

However, I also see, e.g.:

  35 inbound packets with no SA available

I want to secure traffic between xl1 and my laptop. esp would be fine, as I have read that you cannot use ah with natd. I also want to use ipcomp.
The basic setup is:

ipsec.conf:
# SAs (the same on both machines)
add <machine a ip> <machine b ip> esp 7000 -E <enc algorithm from man page> "the key";
add <machine b ip> <machine a ip> esp 17000 -E <enc algorithm from man page> "the key";
add <machine a ip> <machine b ip> ipcomp 7002 -C deflate;
add <machine b ip> <machine a ip> ipcomp 17002 -C deflate;
# SPD entries: setkey(8) requires the upper-layer spec ("any") and the "ipsec" keyword before the policy list
spdadd <machine a ip> <machine b ip> any -P out ipsec esp/transport//use ipcomp/transport//use;
spdadd <machine b ip> <machine a ip> any -P in ipsec esp/transport//use ipcomp/transport//use;

The difference is in the spdadd's: on the client machine the in and out statements are switched. This is what I have read.
So how do I tell if this is actually working, and why can't I ping the machine after starting ipsec?
Also, shouldn't I be able to do this setup (bridging / NAT) with ipsec?
Thanks, 
Joe 
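A worked example of the two-host setup described in the message above, added here as an illustration and not part of the original post: a POSIX shell function that emits the setkey(8) script for either host, so the SA lines stay identical on both ends and only the SPD direction flips. The addresses, SPIs, algorithm names and keys are assumed sample values, and the example adds ESP authentication (hmac-sha1), which the posted configuration lacks.

```shell
#!/bin/sh
# Added example (not from the original post).  Emits a setkey(8) script for
# transport-mode ESP (+ IPcomp) between a gateway and a wireless laptop.
# All addresses, SPIs and keys below are assumed sample values.
GW=192.168.1.1        # assumed address of the gateway's xl1 interface
LAPTOP=192.168.1.50   # assumed address of the NetBSD laptop on wi0
ENC_KEY=0x000102030405060708090a0b0c0d0e0f            # 16-byte sample key
AUTH_KEY=0x0f0e0d0c0b0a09080706050403020100ffeeddcc   # 20-byte sample key

# gen_setkey gateway|laptop : print the configuration for that host.
# The SA ("add") lines are identical on both ends; the SPD ("spdadd")
# lines flip, because "out" means leaving this host and "in" arriving at it.
gen_setkey() {
    case "$1" in
        gateway) me=$GW;     peer=$LAPTOP ;;
        laptop)  me=$LAPTOP; peer=$GW ;;
        *) echo "usage: gen_setkey gateway|laptop" >&2; return 1 ;;
    esac
    cat <<EOF
flush;
spdflush;
# SAs: SPI 7000/7002 carry gateway->laptop, 17000/17002 carry laptop->gateway.
# ESP with hmac-sha1 gives integrity as well as confidentiality.
add $GW $LAPTOP esp 7000 -E rijndael-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
add $LAPTOP $GW esp 17000 -E rijndael-cbc $ENC_KEY -A hmac-sha1 $AUTH_KEY;
add $GW $LAPTOP ipcomp 7002 -C deflate;
add $LAPTOP $GW ipcomp 17002 -C deflate;
# SPD: the upper-layer spec "any" and the "ipsec" keyword are mandatory.
# Protocols are listed innermost first, so compression is applied before
# encryption; "require" drops traffic for which no ESP SA exists.
spdadd $me $peer any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd $peer $me any -P in ipsec ipcomp/transport//use esp/transport//require;
EOF
}

# Usage on each host (as root):  gen_setkey laptop | setkey -c
# Then verify:  setkey -D  (SAs loaded)   setkey -DP  (policies loaded)
#               tcpdump -ni wi0 esp  (pings between the hosts now show as ESP)
```

If `netstat -s -p ipsec` still reports inbound packets with no SA available after loading both scripts, the SPI/address pairs on the two hosts do not match, since the receiver looks up the SA by destination address and SPI.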
