Re: [Ipsec-tools-devel] (no subject)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sun, 23 May 2004 bo...@vs... wrote:

> Internet <--> Gateway A ---/-----------\--- Gateway D <--> NET 3
>               (10.0.1.1)   |   Radio   |    (10.1.0.4)   (10.11.0.0/16)
>                            |  Ethernet |
>                            | very      |
>                            |  insecure |
>                            |   medium  |
>    NET 1 <--> Gateway B ---\-----------/--- Gateway C <--> NET 2
> (10.2.0.0/16) (10.0.1.2)                    (10.1.0.3)    (10.10.1.0/24)
>
>
> What I have already done is something like this:
>
> spdadd 10.0.1.0/24 10.0.1.0/24 tcp -P in  ipsec esp/transport//require
>                                                 ah/transport//require;
> spdadd 10.0.1.0/24 10.0.1.0/24 tcp -P out ipsec esp/transport//require
>                                                 ah/transport//require;
>
> But this seems to not do the trick! It only works for direct traffic
> between, say, 10.0.1.1 and 10.0.1.2, but doesn't work for 10.2.0.99
> accessing 10.10.1.123.
>
> How would I achieve my task?

You need to define tunnel policies as well. E.g. for connecting Net1 and
Net2 set this on Gateway B:
spdadd 10.2.0.0/16 10.10.1.0/24 any -P out ipsec
	esp/tunnel/10.0.1.2-10.1.0.3/require;
[and vice versa for the other direction].

BTW1 - There is almost no need to require both ESP and AH protocols in one
rule. ESP has enough abilities to ensure the packet authenticity and using
AH in this case is useless.

BTW2 - If you want to encrypt really ALL traffic, not only TCP, use the
keyword 'any' instead of 'tcp' in the rule.

Michal Ludvig
-- 
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal