openBSD testing doubts
Hi all,
We are working on the OpenBSD 2.9 IPsec code. We first tested manual keying
between two hosts.
In Host A:
sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.esp.enable=1
ipsecadm new esp -spi 1000 -src HostA -dst HostB -forcetunnel enc 3des -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364dd -authkey 6a20367e21c66e5a40739db293cfef2a4e6659f
ipsecadm new esp -spi 1001 -src HostB -dst HostA -forcetunnel enc 3des -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364dd -authkey 6a20367e21c66e5a40739db293cfef2a4e6659f
ipsecadm flow -proto esp -dst HostB -addr HostA 255.255.255.255 HostB 255.255.255.255 -in -require
Up to this point it is working fine, but when I try to enter
ipsecadm flow -proto esp -dst HostB -addr HostA 255.255.255.255 HostB 255.255.255.255 -out -require
it gives a "Sendto: not permitted" error at run time, so I deleted this
line and kept only the inbound flow in Host A.
Host B:
sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.esp.enable=1
ipsecadm new esp -spi 1001 -src HostB -dst HostA -forcetunnel enc 3des -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364dd -authkey 6a20367e21c66e5a40739db293cfef2a4e6659f
ipsecadm new esp -spi 1000 -src HostB -dst HostA -forcetunnel enc 3des -auth sha1 -key 7762d8707255d974168cbb1d274f8bed4cbd3364dd -authkey 6a20367e21c66e5a40739db293cfef2a4e6659f
ipsecadm flow -proto esp -dst HostA -addr HostA 255.255.255.255 HostB 255.255.255.255 -in -require
Up to this point it is working fine, but when I try to enter
ipsecadm flow -proto esp -dst HostA -addr HostA 255.255.255.255 HostB 255.255.255.255 -out -require
it gives a "Sendto: not permitted" error at run time, so I deleted this
line and kept only the inbound flow in HostA.
After this:
I checked both hosts with ping and tcpdump, and it gives
icmp_request
icmp_reply
Then I used different keys (enc and auth key) and tested between both
hosts. Again it gives
icmp_request
icmp_reply
I checked both hosts using netstat -rn, and it gives the correct SA details
on both sides. But when I check with netstat -ss -p esp it gives only
esp:
and no details.
I don't know how we actually have to find out whether manual keying is
working or not.
Note: here I set ipf.filter=NO in /etc/rc.conf and enabled forwarding
as well (sysctl -w inet.net.forwarded.enable=1).
Expecting your reply,
thanks,
jeeva
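One check worth making before debugging flows at all is whether the manual keys themselves have the lengths ipsecadm(8) expects. The script below is an added example, not part of the post above and not OpenBSD's own tooling; it assumes, per ipsecadm(8), that 3des takes a 24-byte key and hmac-sha1 a 20-byte key, both given as hex. Run against the two keys exactly as they appear on this page (which may have been wrapped or truncated by the mail system), the 3des key parses to 21 bytes and the auth key has an odd number of hex digits, so neither would be accepted as shown. The helper that emits the SA commands also makes the symmetry explicit: both hosts install the same two SAs, one per direction, with the src/dst and SPI pairing unchanged.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check manual-keying
# parameters for ipsecadm(8) before installing SAs on both hosts.
# Assumption: 3des wants a 24-byte key, hmac-sha1 a 20-byte key, as hex.

# Print the byte length of a hex string; return 1 if it is not valid hex
# or has an odd number of digits (i.e. cannot be a whole number of bytes).
hexkey_bytes() {
    key=$1
    case "$key" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    len=${#key}
    [ $((len % 2)) -eq 0 ] || return 1
    echo $((len / 2))
}

# Succeed only if $1 is a hex key of exactly $2 bytes.
check_key() {
    n=$(hexkey_bytes "$1") || return 1
    [ "$n" -eq "$2" ]
}

# Generate a fresh random hex key of $1 bytes from /dev/urandom.
gen_hexkey() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Emit the two "ipsecadm new esp" commands for a pair of manually keyed
# tunnel-mode SAs between hosts $1 and $2 (SPI $3 for a->b, $4 for b->a).
# The same two commands are run on both hosts; only the flows differ.
esp_sa_cmds() {
    a=$1; b=$2; spi_ab=$3; spi_ba=$4; enckey=$5; authkey=$6
    check_key "$enckey" 24  || { echo "3des key must be 24 bytes of hex" >&2; return 1; }
    check_key "$authkey" 20 || { echo "sha1 key must be 20 bytes of hex" >&2; return 1; }
    echo "ipsecadm new esp -spi $spi_ab -src $a -dst $b -forcetunnel -enc 3des -auth sha1 -key $enckey -authkey $authkey"
    echo "ipsecadm new esp -spi $spi_ba -src $b -dst $a -forcetunnel -enc 3des -auth sha1 -key $enckey -authkey $authkey"
}

# Stand-alone run: check the keys as posted, then show a valid command pair
# with freshly generated keys (HostA/HostB are placeholders, as in the post).
if [ "${0##*/}" != "sh" ] && [ -z "$IPSEC_KEYCHECK_QUIET" ]; then
    for k in 7762d8707255d974168cbb1d274f8bed4cbd3364dd \
             6a20367e21c66e5a40739db293cfef2a4e6659f; do
        if n=$(hexkey_bytes "$k"); then
            echo "$k: $n bytes"
        else
            echo "$k: not a whole number of bytes of hex"
        fi
    done
    esp_sa_cmds HostA HostB 1000 1001 "$(gen_hexkey 24)" "$(gen_hexkey 20)"
fi
```

The same length rules apply whichever algorithms are chosen; change the two expected byte counts in esp_sa_cmds if you switch from 3des/sha1 to another cipher or MAC.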