From: Michal L. <mi...@lo...> - 2004-05-24 07:40:32
On Sun, 23 May 2004 bo...@vs... wrote:

> Internet <--> Gateway A ---/-----------\--- Gateway D <--> NET 3
>               (10.0.1.1)  |   Radio    |   (10.1.0.4)    (10.11.0.0/16)
>                           |  Ethernet  |
>                           |    very    |
>                           |  insecure  |
>                           |   medium   |
> NET 1 <--> Gateway B ---\-----------/--- Gateway C <--> NET 2
> (10.2.0.0/16) (10.0.1.2)                 (10.1.0.3)    (10.10.1.0/24)
>
>
> What I have already done is something like this:
>
> spdadd 10.0.1.0/24 10.0.1.0/24 tcp -P in ipsec esp/transport//require
> ah/transport//require;
> spdadd 10.0.1.0/24 10.0.1.0/24 tcp -P out ipsec esp/transport//require
> ah/transport//require;
>
> But this seems to not do the trick! It only works for direct traffic
> between, say, 10.0.1.1 and 10.0.1.2, but doesn't work for 10.2.0.99
> accessing 10.10.1.123.
>
> How would I achieve my task?

You need to define tunnel policies as well. E.g. for connecting Net1 and Net2 set this on Gateway B:

spdadd 10.2.0.0/16 10.10.1.0/24 any -P out ipsec esp/tunnel/10.0.1.2-10.1.0.3/require;

[and vice versa for the other direction].

BTW1 - There is almost no need to require both ESP and AH protocols in one rule. ESP has enough abilities to ensure the packet authenticity and using AH in this case is useless.

BTW2 - If you want to encrypt really ALL traffic, not only TCP, use the keyword 'any' instead of 'tcp' in the rule.

Michal Ludvig
--
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
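Added example, not part of Michal's reply: a small Python generator that writes out the complete set of setkey tunnel policies for both ends of the Net1/Net2 link, i.e. the single rule above plus its mirror on Gateway C and the matching `in` policies each side needs. The `fwd` entries are an assumption about Linux 2.6 with ipsec-tools, where forwarded packets need their own SPD entry (BSD kernels do not use `fwd`).

```python
# Added example, not from the original mail: generate the setkey SPD entries
# that connect two sites through ESP tunnel mode, in both directions.
# Addresses are the ones from the quoted diagram. The "fwd" policies are an
# assumption about Linux 2.6 + ipsec-tools (forwarded traffic needs its own
# policy there); they are not needed on the BSDs.
from typing import List, Tuple, Dict

def gateway_policies(local_outer: str, local_nets: List[str],
                     peer_outer: str, peer_nets: List[str],
                     proto: str = "any", linux_fwd: bool = True) -> List[str]:
    """Return setkey 'spdadd' lines for ONE gateway.

    For every (local subnet, remote subnet) pair:
      - traffic leaving for the remote subnet must go out through the tunnel
        local_outer -> peer_outer (-P out),
      - traffic arriving from the remote subnet must have come in through the
        tunnel peer_outer -> local_outer (-P in), repeated as -P fwd on Linux
        because the gateway forwards rather than terminates those packets.
    'require' drops packets that have no matching SA instead of falling back
    to cleartext, so a missing 'in' rule on the peer breaks the connection
    rather than silently leaking traffic over the radio link.
    """
    lines = []
    for lnet in local_nets:
        for rnet in peer_nets:
            out_tun = f"esp/tunnel/{local_outer}-{peer_outer}/require"
            in_tun = f"esp/tunnel/{peer_outer}-{local_outer}/require"
            lines.append(f"spdadd {lnet} {rnet} {proto} -P out ipsec {out_tun};")
            lines.append(f"spdadd {rnet} {lnet} {proto} -P in ipsec {in_tun};")
            if linux_fwd:
                lines.append(f"spdadd {rnet} {lnet} {proto} -P fwd ipsec {in_tun};")
    return lines

# Sites from the quoted diagram: (outer address on the radio segment, inner nets)
GATEWAY_B: Tuple[str, List[str]] = ("10.0.1.2", ["10.2.0.0/16"])    # NET 1
GATEWAY_C: Tuple[str, List[str]] = ("10.1.0.3", ["10.10.1.0/24"])   # NET 2

def site_to_site(site_a, site_b, proto: str = "any") -> Dict[str, List[str]]:
    """Policies for both ends of one tunnel, keyed by gateway outer address."""
    a_ip, a_nets = site_a
    b_ip, b_nets = site_b
    return {
        a_ip: gateway_policies(a_ip, a_nets, b_ip, b_nets, proto),
        b_ip: gateway_policies(b_ip, b_nets, a_ip, a_nets, proto),
    }

if __name__ == "__main__":
    for gw, rules in site_to_site(GATEWAY_B, GATEWAY_C).items():
        print(f"# feed to 'setkey -c' on gateway {gw}")
        print("\n".join(rules))
```

Adding Gateway D's nets as a third site and generating policies for each pair gives the full mesh over the radio segment.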