Hello,

This thread has been very helpful. I'm using FreeBSD 5.2.1 REL with kernels recompiled to support IPSEC. I've found the "trick" to exclude port 500 UDP packets allows ISAKMP traffic to be exchanged, e.g.:

  spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
  spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;

Unfortunately, I cannot follow this ipsec.conf entry with something like this for 'any' protocol:

  spdadd 192.168.20.1 192.168.21.1 any -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
  spdadd 192.168.21.1 192.168.20.1 any -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

If I try to ping 192.168.20.1 from 192.168.21.1, I get this error on 192.168.20.1 from racoon:

  2004-04-02 18:10:43: ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 192.168.20.1/32[0] 192.168.21.1/32[0] proto=any dir=out
  2004-04-02 18:10:43: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
  2004-04-02 18:10:43: ERROR: isakmp.c:1061:isakmp_ph2begin_r(): failed to pre-process packet.

No traffic is exchanged.

I've found that replacing the 'any' entry in the ipsec.conf with new entries for 'icmp' and 'tcp' allows those protocols to be protected by IPSec, e.g. for tcp:

  spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
  spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;

Unfortunately, I can't add an entry for 'udp' as that appears to conflict with the udp entry for port 500. I tried 'ip' in place of 'any', but that didn't seem to encrypt any traffic at all.

Is my only alternative to upgrade from 5.2.1 to CURRENT if I want everything to be protected by IPSec (besides ISAKMP)?

Thank you,

Richard
http://www.taosecurity.com

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
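A policy-overlap check for the setkey(8) spdadd lines discussed above, as an added example that is not part of Richard's post or of the FreeBSD/KAME tools. It parses only the small subset of the spdadd grammar used in the thread (SRC[port] DST[port] PROTO -P DIR ACTION), and its conflict rule is an assumption for the demonstration: two entries in the same direction are reported when some packet could match both selectors and their actions differ (a 'none' bypass next to an 'ipsec ... require'). It makes no claim about which entry the kernel or racoon actually picks. The sample SPD inside is constructed from the post's entries plus the UDP 'require' pair the poster reports could not be added; the same overlap is reported for an 'any'-protocol entry against the UDP/500 bypass.

```python
"""Overlap check for setkey(8) spdadd lines (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Matches ADDR, ADDR/PLEN, ADDR[PORT] or ADDR/PLEN[PORT], the endpoint
# forms used by spdadd in the thread (subset of the real grammar).
ENDPOINT = re.compile(r"^(?P<addr>[0-9A-Fa-f:.]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>\d+)\])?$")


@dataclass
class Policy:
    src: Net
    sport: Optional[int]      # None means "any port"
    dst: Net
    dport: Optional[int]
    proto: str                # 'any', 'udp', 'tcp', 'icmp', ...
    direction: str            # 'in', 'out' or 'fwd'
    action: str               # 'none', 'discard' or 'ipsec ...'
    raw: str                  # the statement as written, for reporting


def parse_endpoint(token: str) -> Tuple[Net, Optional[int]]:
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError("bad endpoint: " + token)
    prefix = m["addr"] + ("/" + m["plen"] if m["plen"] else "")
    net = ipaddress.ip_network(prefix, strict=False)   # bare host -> /32 or /128
    port = int(m["port"]) if m["port"] else None
    return net, port


def parse_spd(text: str) -> List[Policy]:
    """Parse 'spdadd SRC DST PROTO -P DIR ACTION;' statements; '#' comments are skipped."""
    policies = []
    clean = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in clean.split(";"):
        toks = stmt.split()
        if not toks:
            continue
        if toks[0] != "spdadd" or len(toks) < 7 or toks[4] != "-P":
            raise ValueError("unsupported statement: " + " ".join(toks))
        src, sport = parse_endpoint(toks[1])
        dst, dport = parse_endpoint(toks[2])
        policies.append(Policy(src, sport, dst, dport, toks[3].lower(), toks[5],
                               " ".join(toks[6:]), " ".join(toks)))
    return policies


def _nets_overlap(a: Net, b: Net) -> bool:
    return a.version == b.version and (a.subnet_of(b) or b.subnet_of(a))


def _ports_overlap(p: Optional[int], q: Optional[int]) -> bool:
    return p is None or q is None or p == q


def _protos_overlap(p: str, q: str) -> bool:
    return p == "any" or q == "any" or p == q


def selectors_overlap(a: Policy, b: Policy) -> bool:
    """True when some packet in the same direction could match both selectors."""
    return (a.direction == b.direction
            and _protos_overlap(a.proto, b.proto)
            and _nets_overlap(a.src, b.src) and _nets_overlap(a.dst, b.dst)
            and _ports_overlap(a.sport, b.sport) and _ports_overlap(a.dport, b.dport))


def find_conflicts(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Index pairs whose selectors overlap but whose actions differ ('none' vs 'ipsec')."""
    return [(i, j)
            for i, a in enumerate(policies)
            for j, b in enumerate(policies)
            if i < j and selectors_overlap(a, b) and a.action != b.action]


def report(policies: List[Policy]) -> List[str]:
    return ["conflict: {%s} overlaps {%s}" % (policies[i].raw, policies[j].raw)
            for i, j in find_conflicts(policies)]


# Constructed sample: the UDP/500 bypass pair from the post, the tcp 'require'
# pair, and the udp 'require' pair the poster could not add alongside them.
SAMPLE_SPD = """
spdadd 192.168.20.1[500] 192.168.21.1[500] udp -P out none;
spdadd 192.168.21.1[500] 192.168.20.1[500] udp -P in none;
spdadd 192.168.20.1 192.168.21.1 tcp -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 tcp -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;
spdadd 192.168.20.1 192.168.21.1 udp -P out ipsec esp/tunnel/192.168.20.1-192.168.21.1/require;
spdadd 192.168.21.1 192.168.20.1 udp -P in ipsec esp/tunnel/192.168.21.1-192.168.20.1/require;
"""

if __name__ == "__main__":
    for line in report(parse_spd(SAMPLE_SPD)):
        print(line)
```

Run against the sample it prints two conflicts, one per direction: the UDP/500 'none' entry against the any-port UDP 'require' entry. The tcp entries are not reported because the protocol selectors are disjoint, which is the same distinction the post observed between the tcp entries that worked and the udp entry that did not.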