search for: spdadd

Hi everyone, First of all, this is my first post in this ML, so I''m not sure that this is the right place for my question (please don''t shoot me down ;)). For the record, I''ve been reading and using LARTC for almost 3 years now, and it''s a great help for anyone who wants to learn linux networking. My problem: I want to setup a tunnel for the following

...en a Linux Box (CentOS 4) and Check Point FW-1 (NGX R65) and I actually already done this. However I''m having a problem with Policy "none" when using ports, for example, I want to exclude from VPN the "ssh" service, so my commands to setkey was. # Excluded services ssh spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ; spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ; spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ; spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ; spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec esp/tu...

...unnel mode add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc 0xE0C9C70351CD3B4E2D9024FC1CACBC8B0D288E6981417259 -A hmac-md5 0x8FC64D13209EFC7732D4A9A1159BA758; <======== line 33 # Add policy for 172.16.113.0/24 -> 192.168.19.0/24 over # the 10.33.15.145-10.31.8.96 tunnel spdadd 172.16.113.0/24 192.168.19.0/24 any -P out ipsec esp/tunnel/10.33.15.145-10.31.8.96/require; # Add policy for 192.168.19.0/24 -> 172.16.113.0/24 over # the 10.31.8.96-10.33.15.145 tunnel spdadd 192.168.19.0/24 172.16.113.0/24 any -P in ipsec esp/tunnel/10.31.8.96-10.33.15.145/require;...

class wrote on 06/10/2004 11:18:48: > Hello, I have the following situation: > > 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24 > 192.168.176.2 pop3 ipsec > racoon > > > policy: (Machine A and B) > ------- > loc vpn ACCEPT > vpn loc ACCEPT > all

class wrote on 06/10/2004 11:18:48: > Hello, I have the following situation: > > 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24 > 192.168.176.2 pop3 ipsec > racoon > > > policy: (Machine A and B) > ------- > loc vpn ACCEPT > vpn loc ACCEPT > all

Hi, I have FreeBSD box with network interface having y.y.y.y ip address. On same box i configure next ipsec ploicys to process trafic from hardware ipsec enabled device. spdadd 0.0.0.0/0 x.x.x.x/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require; spdadd x.x.x.x/24 0.0.0.0/0 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require; Is it possible to see decrypted incoming packets, and outgoing packets before are they encrypted -- Best regards, Nikolay...

...s ipv4 <=> ipv6 type tunnels. A few of ipsec how-to's mention > using gif tunnels and I've been tripped up by it, too. > > ipsec is much easier without the gif tunnels. The ipsec policy > definition is explained in the setkey man page. Basically for tunnels > it is: spdadd ${remote net} ${local net} any -P in ipsec > esp/tunnel/${remote gateway}-${local gateway}/unqiue; and > spdadd ${local > net} ${remote net} any -P out ipsec esp/tunnel/${local > gateway}-${remote > gateway}/unique; I have seen this said before. I've also seen it said that gif...

....0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456"; add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456"; add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456"; add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456"; spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require; spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require; rules for the gateway (encrypting + authen...

..."ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; ----------...

...10.0.0.0/24 -> 192.168.213.10 ) wi0 192.168.213.10/30 | | Wireless VPN | | 192.168.213.9/30 xl2 FreeBSD NATD ( divert natd all from any to any ) xl0 200.x.x.5/24 | 200.x.x.1/24 Router | | INTERNET NetBSD Node ( ipsec.conf ): spdadd 192.168.213.10 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.213.10-192.168.213.9/require; spdadd 0.0.0.0/0 192.168.213.10 any -P in ipsec esp/tunnel/192.168.213.9-192.168.213.10/require; FreeBSD Node ( ipsec.conf ): spdadd 0.0.0.0/0 192.168.213.10 any -P out ipsec esp/tunnel/192.168.213.9-192.168...

...|___________|priv_int 192.168.122.254 | | | ------------------ 192.168.122.0/24 Here is what I have in ipsec.conf on VPN Gateway (1): flush; spdflsuh; spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require; spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require; ifconfig output: dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.121.253 netmask 0xffffff...

...10.70.1.0/24 gw 10.70.3.1'' was executed in C2) - Using Linux kernel 2.6.14.2 in all hosts. R1 and R2 use with native IPSec support, ipsec-tool version 0.5.2, racoon version 0.5.2. - A IPSec tunnel is configured R1-R2. Configuration for setkey in R1: #!/usr/sbin/setkey -f flush; spdflush; spdadd 10.70.1.0/24 10.70.3.0/24 any -P out ipsec esp/tunnel/10.1.1.123-10.1.1.106/require; spdadd 10.70.3.0/24 10.70.1.0/24 any -P in ipsec esp/tunnel/10.1.1.106-10.1.1.123/require; Configuration for setkey in R2. #!/usr/sbin/setkey -f flush; spdflush; spdadd 10.70.1.0/24 10.70.3.0/24 any -P in i...

...ime 300 sec; encryption_algorithm rijndael 256; authentication_algorithm hmac_sha1; compression_algorithm deflate; } padding { randomize on; randomize_length on; strict_check on; } script for setting up policy: #!/usr/bin/setkey -f flush; spdflush; spdadd 192.168.2.10/32 192.168.2.11/32 any -P out ipsec esp/tunnel/192.168.2.10-192.168.2.11/require ah/tunnel/192.168.2.10-192.168.2.11/require; spdadd 192.168.2.11/32 192.168.2.10/32 any -P in ipsec esp/tunnel/192.168.2.11-192.168.2.10/require ah/tunnel/1...

On Sun, 23 Feb 2003 09:47:05 -0800, "Sam Leffler" <sam@errno.com> said: > >> Add a new config option IPSEC_FILTERGIF to control whether or not >> packets coming out of a GIF tunnel are re-processed by ipfw, >> et. al. By default they are not reprocessed. With the option they >> are. > > This may affect your ipfw/ipf rules. If you are happy with

Hello. I try to configure IPSEC to bybass ssh protocol. For example: setkey -FP setkey -F setkey -c << EOF spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ; spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ; EOF (Pass incoming ssh packets to 10.6.10.50, block other tcp packets) This works under fresh 7-CURRENT(FAST_IPSEC). On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn'...

...c "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1"; add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; ----------...

...to the other end. > > The tunnel is not using racoon yet. I figure that I should be able > to see > some traffic going back and forth before I use racoon to manage > keys. The > tunnel was created by the following lines on one host, and reversed on > the other: > > spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec > esp/tunnel/190.41.95.135-201.240.151.15/require; > spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec > esp/tunnel/201.240.151.15-190.41.95.135/require; > > If any one can shed some more light on this, I would appreciate it. > &gt...

..."ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; ----------...

Hello. I wonder how just correct couple of spdadd commands like spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require; spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.2.0.1-10.1.0.1/require; makes _routing_ of packets from 192.168.1/24 into 192.168.2/24. If I understand correctly how it wo...

Hi, Thanks to some pointers from Christian Kratzer, I am now able to join the office VPN from a random WiFi hotspot. With the configuration files changes detailed below, from a public WiFi hotspot I can now use this 3 step procedure to login to the office VPN. 1) While at hotspot, boot up my -STABLE laptop. 2) Insert wireless card. 3) "rsh server" This procedure works for a DHCP