Hi,

At home I am trying to set the following up properly:

    laptop -- (wireless, ipsec) --- gateway (4.7 STABLE) -- (PPPoE) -- Internet

Laptop has 10.0.0.3, gateway has 10.0.0.1 on the internal side, rl0. Between laptop and gateway the encrypted ipsec-connection (with racoon) works fine:

    # setkey -D
    10.0.0.1 10.0.0.3
            esp mode=transport spi=3634164961(0xd89cf4e1) reqid=0(0x00000000)
            E: 3des-cbc  e8a6bc4b a8df41c3 84ce4915 7b2e1098 b6f223bd 1f63aeef
            A: hmac-md5  4c2ef855 7b04c03a bf2cdd93 7fea04b9
            seq=0x00000008 replay=4 flags=0x00000000 state=mature
            created: Dec  2 12:45:09 2002   current: Dec  2 12:54:33 2002
            diff: 564(s)    hard: 28800(s)  soft: 23040(s)
            last: Dec  2 12:53:31 2002      hard: 0(s)      soft: 0(s)
            current: 1168(bytes)    hard: 0(bytes)  soft: 0(bytes)
            allocated: 8    hard: 0 soft: 0
            sadb_seq=1 pid=20801 refcnt=2
    10.0.0.3 10.0.0.1
            esp mode=transport spi=267555277(0x0ff291cd) reqid=0(0x00000000)
            E: 3des-cbc  b2b15686 36ad0b6e b0f20bcb 321999c9 2895b898 80c1a85f
            A: hmac-md5  c69b094e 53c1f1ca 6d5b44b0 5588dd15
            seq=0x00000014 replay=4 flags=0x00000000 state=mature
            created: Dec  2 12:45:09 2002   current: Dec  2 12:54:33 2002
            diff: 564(s)    hard: 28800(s)  soft: 23040(s)
            last: Dec  2 12:54:29 2002      hard: 0(s)      soft: 0(s)
            current: 4682(bytes)    hard: 0(bytes)  soft: 0(bytes)
            allocated: 20   hard: 0 soft: 0
            sadb_seq=0 pid=20801 refcnt=1

The gateway is connected to the net via a PPPoE connection; NAT is being done using ppp(8). It is working well for other machines on the 10.0.0.x LAN.

The problem is that I see packets (with tcpdump) from the laptop to outside being sent ipsec-encrypted by the laptop to the gateway. After that, the _encrypted_ packets are forwarded to the net, while they should be decrypted by the gateway first. If the gateway would decrypt all packets, I could work safely behind the 802.11b link with all functionality (not only to the gateway, but also behind it).

I hope someone can help me on this! The mailing list archives and usenet archive did not help me...
Configs:

    setkey -c << EOF
    spdadd 10.0.0.3 0.0.0.0/0 any -P in ipsec esp/transport//require;
    spdadd 10.0.0.0/0 10.0.0.3 any -P out ipsec esp/transport//require;
    EOF

    # ipfw show
    00100  228   29370 allow ip from any to any via lo0
    00300    0       0 deny ip from 127.0.0.0/8 to any
    01000  123   25028 allow udp from 10.0.0.3 500 to any 500 in recv rl0
    01000   29    5600 allow udp from any 500 to 10.0.0.3 500 out xmit rl0
    01010   70   14560 allow esp from 10.0.0.3 to any via rl0
    01010   36    6648 allow esp from any to 10.0.0.3 via rl0
    02000   19    1280 allow ip from any to 10.0.0.3 via rl0
    02000   83   11403 allow ip from 10.0.0.3 to any via rl0
    03000   19    4314 deny ip from any to any via rl0
    65000 2822 1043754 allow ip from any to any
    65535    0       0 allow ip from any to any

Pieter
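Added example, not part of Pieter's message and not code from the post: a small model of how a setkey(8) spdadd policy fixes the endpoints of the ESP security association, so that the posted esp/transport//require policies can be contrasted with tunnel-mode ones. In transport mode ESP sits behind the packet's own IP header, so the SA runs between the packet's source and destination and only that destination can decrypt; a router on the path, such as a gateway doing NAT, sees ordinary IP traffic addressed elsewhere and forwards it. In tunnel mode a new outer header addressed to the configured endpoints is put in front, so whichever host is named as the far endpoint terminates the ESP. The addresses 10.0.0.3 (laptop) and 10.0.0.1 (gateway) and the two transport-mode policies are taken from the post; 192.0.2.1 is a constructed Internet host (TEST-NET-1), and the tunnel-mode spdadd lines are an assumed alternative policy pair written for this example. The posted `-P in` policy is the one whose selectors cover laptop-to-anywhere traffic, so that is the one looked up below.

```python
# Added example, not from the post: a small model of how a setkey(8) spdadd
# policy fixes the endpoints of the ESP SA, used to contrast the posted
# esp/transport//require policies with esp/tunnel/<a>-<b>/require ones.
# 10.0.0.3 (laptop) and 10.0.0.1 (gateway) are from the post; 192.0.2.1 is a
# constructed Internet host (TEST-NET-1). The tunnel-mode policy text below is
# an assumed alternative, not something the post contains.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/(transport|tunnel)/([^/]*)/(\w+)\s*;"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                        # "in" or "out"
    mode: str                             # "transport" or "tunnel"
    endpoints: Optional[Tuple[str, str]]  # tunnel endpoints, None for transport
    level: str                            # "require", "use", ...


def parse_spd(text: str) -> list:
    """Parse the spdadd lines of a 'setkey -c' script, keeping their order."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, _proto, direction, mode, tunnel, level = m.groups()
        endpoints = None
        if mode == "tunnel":
            a, b = tunnel.split("-")
            endpoints = (str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
        # strict=False: '10.0.0.0/0' (as posted) is a zero-length prefix and
        # therefore matches every address, exactly like 0.0.0.0/0.
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               direction, mode, endpoints, level))
    return policies


def lookup(policies, direction, pkt_src, pkt_dst) -> Optional[Policy]:
    """First policy whose direction and selectors match the packet."""
    s, d = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def esp_endpoints(policies, direction, pkt_src, pkt_dst):
    """(sa_src, sa_dst) of the ESP SA that protects this packet, or None.

    Transport mode inserts ESP behind the packet's own IP header, so the SA
    runs between the packet's source and destination.  Tunnel mode puts a new
    outer IP header in front, addressed to the configured tunnel endpoints.
    """
    p = lookup(policies, direction, pkt_src, pkt_dst)
    if p is None or p.level == "none":
        return None                       # passes in the clear
    if p.mode == "transport":
        return (pkt_src, pkt_dst)
    return p.endpoints


def terminates_esp(endpoints, host_ip) -> bool:
    """Only the SA's destination address can decrypt; any other router on the
    path (here the gateway doing NAT over PPPoE) just forwards the ESP packet
    as opaque IP."""
    return endpoints is not None and endpoints[1] == host_ip


# The two policies exactly as posted.
TRANSPORT_SPD = """
spdadd 10.0.0.3 0.0.0.0/0 any -P in ipsec esp/transport//require;
spdadd 10.0.0.0/0 10.0.0.3 any -P out ipsec esp/transport//require;
"""

# Assumed tunnel-mode variant (not from the post): same selectors, but the SA
# is pinned between laptop and gateway, so the gateway is the ESP endpoint.
TUNNEL_SPD = """
spdadd 10.0.0.3 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.3-10.0.0.1/require;
spdadd 10.0.0.0/0 10.0.0.3 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.3/require;
"""

if __name__ == "__main__":
    for name, spd in (("transport", TRANSPORT_SPD), ("tunnel", TUNNEL_SPD)):
        ep = esp_endpoints(parse_spd(spd), "in", "10.0.0.3", "192.0.2.1")
        print(f"{name:9s} laptop->192.0.2.1: SA {ep}, "
              f"gateway decrypts: {terminates_esp(ep, '10.0.0.1')}")
```

With the posted transport-mode policies the model gives an SA of (10.0.0.3, 192.0.2.1) for a packet to the Internet, i.e. an ESP packet the gateway is not the destination of, which is consistent with the forwarded-encrypted packets seen in tcpdump; for a packet to 10.0.0.1 itself the SA is (10.0.0.3, 10.0.0.1), the pair that setkey -D shows working. With the tunnel-mode pair every laptop packet gets an outer destination of 10.0.0.1 regardless of its real destination, so the gateway decrypts before it NATs. Whether racoon negotiates the tunnel SAs automatically depends on its own configuration, which the post does not show.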