search for: spdadd

Displaying 20 results from an estimated 34 matches for "spdadd".

2005 Apr 27
5
26sec kame ipsec tunnel : packets leave unencrypted...
Hi everyone, First of all, this is my first post in this ML, so I'm not sure that this is the right place for my question (please don't shoot me down ;)). For the record, I've been reading and using LARTC for almost 3 years now, and it's a great help for anyone who wants to learn linux networking. My problem: I want to set up a tunnel for the following
2007 Sep 19
0
Exclude service from IPSec, using ipsec-tools
...en a Linux Box (CentOS 4) and Check Point FW-1 (NGX R65) and I have actually already done this. However I'm having a problem with Policy "none" when using ports, for example, I want to exclude from VPN the "ssh" service, so my commands to setkey were:
# Excluded services ssh
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ;
spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ;
spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec esp/tu...
2007 Mar 05
1
File exists?
...unnel mode
add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc 0xE0C9C70351CD3B4E2D9024FC1CACBC8B0D288E6981417259 -A hmac-md5 0x8FC64D13209EFC7732D4A9A1159BA758;    <======== line 33
# Add policy for 172.16.113.0/24 -> 192.168.19.0/24 over
# the 10.33.15.145-10.31.8.96 tunnel
spdadd 172.16.113.0/24 192.168.19.0/24 any -P out ipsec esp/tunnel/10.33.15.145-10.31.8.96/require;
# Add policy for 192.168.19.0/24 -> 172.16.113.0/24 over
# the 10.31.8.96-10.33.15.145 tunnel
spdadd 192.168.19.0/24 172.16.113.0/24 any -P in ipsec esp/tunnel/10.31.8.96-10.33.15.145/require;...
2004 Oct 06
7
Re: IPsec problems with tunneled networks
class wrote on 06/10/2004 11:18:48:
> Hello, I have the following situation:
>
> 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24
> 192.168.176.2 pop3        ipsec
>                           racoon
>
>
> policy: (Machine A and B)
> -------
> loc vpn ACCEPT
> vpn loc ACCEPT
> all
2004 Apr 10
2
IPSec debug
Hi, I have a FreeBSD box with a network interface having the y.y.y.y IP address. On the same box I configured the next ipsec policies to process traffic from a hardware ipsec enabled device.
spdadd 0.0.0.0/0 x.x.x.x/24 any -P out ipsec esp/tunnel/y.y.y.y-z.z.z.z/require;
spdadd x.x.x.x/24 0.0.0.0/0 any -P in ipsec esp/tunnel/z.z.z.z-y.y.y.y/require;
Is it possible to see decrypted incoming packets, and outgoing packets before they are encrypted? -- Best regards, Nikolay...
2003 May 15
2
FW: iHEADS UP: ipsec packet filtering change
...s ipv4 <=> ipv6 type tunnels. A few of ipsec how-to's mention
> using gif tunnels and I've been tripped up by it, too.
>
> ipsec is much easier without the gif tunnels. The ipsec policy
> definition is explained in the setkey man page. Basically for tunnels
> it is:
> spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unique;
> and
> spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique;

I have seen this said before. I've also seen it said that gif...
2004 Apr 22
2
IPsec - got ESP going, but not AH
....0.0.1 10.0.0.10 esp 691 -E rijndael-cbc "1234567890123456";
add 10.0.0.10 10.0.0.1 esp 693 -E rijndael-cbc "1234567890123456";
add 10.0.0.1 10.0.0.10 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.10 10.0.0.1 ah 24500 -A hmac-md5 "1234567890123456";
spdadd 10.0.0.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.10-10.0.0.1/require ah/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.10/require ah/tunnel/10.0.0.1-10.0.0.10/require;
rules for the gateway (encrypting + authen...
2005 Jun 30
0
Problem with IPSec tunnel, using IPv6 addresses, .........
..."ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; ----------...
2003 May 22
0
VPN IPSEC WIRELESS
...10.0.0.0/24 -> 192.168.213.10 )
wi0 192.168.213.10/30
  |   |
  Wireless VPN
  |   |
192.168.213.9/30 xl2
FreeBSD NATD ( divert natd all from any to any )
xl0 200.x.x.5/24
  |
200.x.x.1/24 Router
  |   |
INTERNET

NetBSD Node ( ipsec.conf ):
spdadd 192.168.213.10 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.213.10-192.168.213.9/require;
spdadd 0.0.0.0/0 192.168.213.10 any -P in ipsec esp/tunnel/192.168.213.9-192.168.213.10/require;

FreeBSD Node ( ipsec.conf ):
spdadd 0.0.0.0/0 192.168.213.10 any -P out ipsec esp/tunnel/192.168.213.9-192.168...
2004 Apr 03
0
IPSec Racoon and Port Forwarding
...|___________|priv_int 192.168.122.254
       |   |   |
   ------------------
    192.168.122.0/24

Here is what I have in ipsec.conf on VPN Gateway (1):
flush;
spdflush;
spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

ifconfig output:
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.121.253 netmask 0xffffff...
2006 May 31
0
IPSec tunnels and routing: strange behaviour
...10.70.1.0/24 gw 10.70.3.1' was executed in C2)
- Using Linux kernel 2.6.14.2 in all hosts. R1 and R2 use native IPSec support, ipsec-tool version 0.5.2, racoon version 0.5.2.
- An IPSec tunnel is configured R1-R2.
Configuration for setkey in R1:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.70.1.0/24 10.70.3.0/24 any -P out ipsec esp/tunnel/10.1.1.123-10.1.1.106/require;
spdadd 10.70.3.0/24 10.70.1.0/24 any -P in ipsec esp/tunnel/10.1.1.106-10.1.1.123/require;
Configuration for setkey in R2:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.70.1.0/24 10.70.3.0/24 any -P in i...
2004 Sep 24
2
strange behavior of ipsec tunnel mode
...ime 300 sec;
    encryption_algorithm rijndael 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
padding {
    randomize on;
    randomize_length on;
    strict_check on;
}
script for setting up policy:
#!/usr/bin/setkey -f
flush;
spdflush;
spdadd 192.168.2.10/32 192.168.2.11/32 any -P out ipsec esp/tunnel/192.168.2.10-192.168.2.11/require ah/tunnel/192.168.2.10-192.168.2.11/require;
spdadd 192.168.2.11/32 192.168.2.10/32 any -P in ipsec esp/tunnel/192.168.2.11-192.168.2.10/require ah/tunnel/1...
2003 May 11
1
iHEADS UP: ipsec packet filtering change
On Sun, 23 Feb 2003 09:47:05 -0800, "Sam Leffler" <sam@errno.com> said:
>
>> Add a new config option IPSEC_FILTERGIF to control whether or not
>> packets coming out of a GIF tunnel are re-processed by ipfw,
>> et. al. By default they are not reprocessed. With the option they
>> are.
>
> This may affect your ipfw/ipf rules. If you are happy with
2006 May 26
0
IPSEC - tcp port match
Hello. I try to configure IPSEC to bypass ssh protocol. For example:
setkey -FP
setkey -F
setkey -c << EOF
spdadd 10.1.1.1/32 10.6.10.50[22] tcp -P in none ;
spdadd 10.1.1.1/32 10.6.10.50 tcp -P in ipsec ah/transport//require ;
EOF
(Pass incoming ssh packets to 10.6.10.50, block other tcp packets)
This works under fresh 7-CURRENT(FAST_IPSEC). On fresh 6-STABLE (neither FAST_IPSEC nor KAME IPSEC) it doesn'...
2005 Jul 01
1
Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems.....
...c "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1"; add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; ----------...
2007 Mar 16
0
freebsd-security Digest, Vol 201, Issue 2
...to the other end.
>
> The tunnel is not using racoon yet. I figure that I should be able to see
> some traffic going back and forth before I use racoon to manage keys. The
> tunnel was created by the following lines on one host, and reversed on
> the other:
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> If anyone can shed some more light on this, I would appreciate it.
> ...
2005 Jun 30
1
Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems...?
..."ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; # and specify what has to be encrypted spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ; spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ; ----------...
2005 Dec 05
4
IPSec tunnel and routing
Hello. I wonder how just a correct couple of spdadd commands like
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.2.0.1-10.1.0.1/require;
makes _routing_ of packets from 192.168.1/24 into 192.168.2/24. If I understand correctly how it wo...
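The same mirrored-pair pattern recurs through these threads: the generic tunnel policy quoted in the 2003 May 15 post, the ssh exclusion in the 2007 Sep 19 post, the R1/R2 configuration in the 2006 May 31 post and the pair above. The following checker is an added example, not code from any of those posts, from KAME or from ipsec-tools: it parses a setkey -f script, pairs every "-P out" policy with its "-P in" mirror (source and destination selectors swapped, tunnel endpoints swapped, same protocols and levels) and lists the "-P ... none" exceptions, which are exactly the flows that will leave the box in cleartext. It covers only the spdadd forms that appear on this page (address[/prefix][[port]] selectors; esp/ah/ipcomp requests in tunnel or transport mode). The embedded script is constructed from the snippets above with one deliberate mistake added.

```python
"""Audit a setkey(8) SPD script before loading it: pair every 'spdadd ... -P out'
policy with its '-P in' mirror (networks, ports and tunnel endpoints swapped, same
protocols and levels) and list the '-P ... none' exceptions, i.e. the flows that
leave the box in cleartext.  Added example; not code from the posts, KAME or ipsec-tools.
"""
import re
from collections import namedtuple

# setkey(8) subset handled: spdadd src_range dst_range upperspec -P direction policy
STMT_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.+)")
# one ipsec request: protocol/mode[/src-dst]/level (endpoints are empty in transport mode)
REQ_RE = re.compile(r"(esp|ah|ipcomp)/(transport|tunnel)(?:/([^/]*))?/(default|use|require|unique(?::\d+)?)")
RANGE_RE = re.compile(r"([^\[]+)(?:\[([^\]]+)\])?")  # address[/prefix][[port]]

Request = namedtuple("Request", "proto mode src dst level")  # src/dst: tunnel endpoints, '' for transport
Policy = namedtuple("Policy", "src sport dst dport upper direction action requests text")

def parse_range(token):
    """'10.6.10.50[22]' -> ('10.6.10.50/32', '22'); '172.20.0.0/16' -> ('172.20.0.0/16', 'any')."""
    addr, port = RANGE_RE.fullmatch(token).groups()
    if "/" not in addr:  # a bare host address is a full-length prefix
        addr += "/128" if ":" in addr else "/32"
    return addr, port or "any"

def parse_request(token):
    m = REQ_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad ipsec request: {token!r}")
    proto, mode, eps, level = m.groups()
    # IPv6 literals contain no '-', so splitting on the first '-' works for both address families
    src, dst = eps.split("-", 1) if eps else ("", "")
    return Request(proto, mode, src, dst, level)

def parse_policy(stmt):
    m = STMT_RE.fullmatch(stmt)
    if not m:
        raise ValueError(f"unrecognised spdadd statement: {stmt!r}")
    src_tok, dst_tok, upper, direction, policy = m.groups()
    words = policy.split()
    if words[0] == "ipsec" and len(words) > 1:
        requests = tuple(parse_request(w) for w in words[1:])
    elif words[0] in ("none", "discard") and len(words) == 1:
        requests = ()
    else:
        raise ValueError(f"bad policy in: {stmt!r}")
    return Policy(*parse_range(src_tok), *parse_range(dst_tok), upper, direction, words[0], requests, stmt)

def parse_script(text):
    """spdadd policies of a 'setkey -f' script; comments and add/flush/spdflush statements are skipped."""
    no_comments = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    stmts = [s.strip() for s in no_comments.split(";")]
    return [parse_policy(s) for s in stmts if s.startswith("spdadd")]

def policy_key(p):
    return (p.src, p.sport, p.dst, p.dport, p.upper, p.direction, p.action, p.requests)

def mirror_key(p):
    """The key its partner for the opposite direction must have: selectors and endpoints reversed."""
    flipped = {"in": "out", "out": "in"}[p.direction]
    mirrored = tuple(r._replace(src=r.dst, dst=r.src) for r in p.requests)
    return (p.dst, p.dport, p.src, p.sport, p.upper, flipped, p.action, mirrored)

def audit(policies):
    """Return (policies without a mirrored partner, policies that pass traffic in cleartext)."""
    present = {policy_key(p) for p in policies}
    unpaired = [p for p in policies if p.direction != "fwd" and mirror_key(p) not in present]
    cleartext = [p for p in policies if p.action == "none"]
    return unpaired, cleartext

# Constructed sample assembled from the snippets in the threads above, plus one deliberate
# mistake: the last 'in' policy copies its partner's tunnel endpoints instead of swapping them.
SAMPLE_SCRIPT = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.70.1.0/24 10.70.3.0/24 any -P out ipsec esp/tunnel/10.1.1.123-10.1.1.106/require;
spdadd 10.70.3.0/24 10.70.1.0/24 any -P in ipsec esp/tunnel/10.1.1.106-10.1.1.123/require;
# Excluded services ssh
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;
"""

if __name__ == "__main__":
    unpaired, cleartext = audit(parse_script(SAMPLE_SCRIPT))
    for p in unpaired:
        print("NO MIRROR:", p.text)
    for p in cleartext:
        print("CLEARTEXT:", p.text)
```

Run it on a script before handing the script to setkey -f, then compare with setkey -DP on the live box. A policy without a partner means one direction is matched by no SPD entry, and with the usual default policy of both the KAME and the Linux stacks such packets are sent in clear, which is the symptom in the 2005 Apr 27 thread title; the "none" entries are the deliberate cleartext exceptions and deserve the same review. The check is purely syntactic: SPD entries select traffic, they do not install routes, so the kernel still needs a route toward the remote network before the out policy ever sees a packet.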
2003 Aug 18
3
dynamic IPSEC: Holy grail sighted
Hi, Thanks to some pointers from Christian Kratzer, I am now able to join the office VPN from a random WiFi hotspot. With the configuration file changes detailed below, from a public WiFi hotspot I can now use this 3-step procedure to log in to the office VPN. 1) While at hotspot, boot up my -STABLE laptop. 2) Insert wireless card. 3) "rsh server" This procedure works for a DHCP