|MiNi0n|
November 5th, 2002, 16:09
Hey...
So... I posted to misc@openbsd then realized... shit... I should post here to my peers :oops:
I'm trying to IPSEC a wireless bridge that connects two buildings, using the IPSEC bridge info detailed in brconfig(8).
I've got the setup close but it's not quite there. Have a look and see if you all can help me out!:
Here's the general layout. f1 and f2 represent the OBSD boxes acting as bridges and IPSECing the connection across the wireless equipment (BR500). The PCs on either end of the bridge are on the same subnet; this is key for my setup, else I'd have done this differently!
PC\............................................... .................../PC
PC- hub - f1 - BRE500 ~~~~ BRE500 - f2 - hub -PC
PC/.................................................. ................\PC
I'm currently testing this using the IPSEC bridge info found in brconfig(8) and am almost there. I have two OBSD boxes between my wireless now and I arbitrarily set the IPs to 192.168.254.1 and 192.168.254.2. The bridge NICs have the majority of my network on one side and a box on the other side attempting to DHCP via the bridge. 192.168.254.1 and .2 can ping each other and I've set up ipsec flows according to the man page. If I tcpdump on the NICs I can see all the network traffic on the bridge interface of 192.168.254.1, I can see esp traffic heading to and from the IPSEC boxes, and I can see the DHCP requests on the bridge interface of 192.168.254.2. However, the traffic never seems to reach the other side... ie. I don't see all the network traffic (arp etc.) on the side of .2 and I never see the bootp DHCP reach the other side of .1?!?!
I'm missing something small here. I have to admit I'm not all that familiar with ipsecadm; I use isakmpd for all my VPNs. I like the concept of hardwiring these links with ipsecadm in this scenario and am enjoying the learning process. But, one thing I notice with ipsecadm is that when I set up the flows on one box, before I set up the one on the other, netstat -rn and /kern/ipsec show an SA?!?! Basically, I'm wondering, how do I ensure that there is a valid tunnel there?
Below are the params I'm using for the bridges.
---host br1: fxp0: 192.168.254.1 fxp1: bridged---
brconfig bridge0 add gif0 add fxp1
ifconfig gif0 giftunnel 192.168.254.1 192.168.254.2
ipsecadm new esp -spi 4242 -dst 192.168.254.2 -src 192.168.254.1 -enc blf -auth sha1 -keyfile /root/keyfile -authkeyfile /root/authkeyfile
ipsecadm flow -dst 192.168.254.2 -out -transport etherip -require -addr 192.168.254.1 255.255.255.0 192.168.254.2 255.255.255.0
ifconfig fxp1 up
ifconfig gif0 up
brconfig bridge0 up
---host br2: le1: 192.168.254.2 fxp0: bridged---
brconfig bridge0 add gif0 add fxp0
ifconfig gif0 giftunnel 192.168.254.2 192.168.254.1
ipsecadm new esp -spi 4242 -dst 192.168.254.1 -src 192.168.254.2 -enc blf -auth sha1 -keyfile /root/keyfile -authkeyfile /root/authkeyfile
ipsecadm flow -dst 192.168.254.1 -out -transport etherip -require -addr 192.168.254.2 255.255.255.0 192.168.254.1 255.255.255.0
ifconfig fxp0 up
ifconfig gif0 up
brconfig bridge0 up
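The following script is an added example and is not code from the post, from brconfig(8) or from OpenBSD. It generates the command listing for one end of an etherip-over-ESP bridge from a handful of parameters and then checks that two such listings actually mirror each other, which is the thing the poster asks how to verify. Its assumptions, none of which the post states, are: manual keying with ipsecadm exactly as in the post; one ESP SA per direction on each end (SAs are unidirectional, so the script emits an outbound SA whose -dst is the peer and an inbound SA whose -dst is the end itself, plus an -in flow next to the -out flow); host (/32) flow selectors, since the etherip packets run host-to-host; and key files under a KEYDIR that defaults to the post's /root. The function names gen_bridge_end, sa_spi, has_flow and check_mirror are the script's own, not anything in ipsecadm.

```shell
#!/bin/sh
# Added example (not from the post or from OpenBSD): generate one end of an
# etherip-over-ESP bridge configuration and check that two ends mirror each other.
# Assumptions: manual keying with ipsecadm, one ESP SA per direction on each end
# (outbound: -dst peer; inbound: -dst self) with a matching -in flow, /32 flow
# selectors because etherip runs host-to-host, key files under $KEYDIR (default /root).

# gen_bridge_end LOCAL_IP REMOTE_IP BRIDGED_IF OUT_SPI IN_SPI -> command listing on stdout
gen_bridge_end() {
  local_ip=$1 remote_ip=$2 br_if=$3 out_spi=$4 in_spi=$5
  keys=${KEYDIR:-/root}
  cat <<EOF
brconfig bridge0 add gif0 add $br_if
ifconfig gif0 giftunnel $local_ip $remote_ip
ipsecadm new esp -spi $out_spi -dst $remote_ip -src $local_ip -enc blf -auth sha1 -keyfile $keys/keyfile -authkeyfile $keys/authkeyfile
ipsecadm flow -dst $remote_ip -out -transport etherip -require -addr $local_ip 255.255.255.255 $remote_ip 255.255.255.255
ipsecadm new esp -spi $in_spi -dst $local_ip -src $remote_ip -enc blf -auth sha1 -keyfile $keys/keyfile -authkeyfile $keys/authkeyfile
ipsecadm flow -dst $local_ip -in -transport etherip -require -addr $remote_ip 255.255.255.255 $local_ip 255.255.255.255
ifconfig $br_if up
ifconfig gif0 up
brconfig bridge0 up
EOF
}

# tunnel_end FILE FIELD -> field 4 (local) or 5 (remote) of the giftunnel line
tunnel_end() { awk -v f="$2" '$3 == "giftunnel" { print $f }' "$1"; }

# sa_spi FILE DST -> SPI of the "ipsecadm new esp" SA whose -dst is DST (empty if none)
sa_spi() {
  awk -v want="$2" '
    $1 == "ipsecadm" && $2 == "new" {
      spi = ""; dst = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-spi") spi = $(i + 1)
        if ($i == "-dst") dst = $(i + 1)
      }
      if (dst == want) print spi
    }' "$1"
}

# has_flow FILE in|out DST -> true if a flow of that direction toward DST is listed
has_flow() { grep -q "^ipsecadm flow -dst $3 -$2 " "$1"; }

# check_mirror FILE_A FILE_B: succeed only when the giftunnel endpoints are swapped,
# A's outbound SA is B's inbound SA (same SPI) and vice versa, and each end has both flows.
check_mirror() {
  a=$1 b=$2
  a_local=$(tunnel_end "$a" 4); a_remote=$(tunnel_end "$a" 5)
  b_local=$(tunnel_end "$b" 4); b_remote=$(tunnel_end "$b" 5)
  if [ -z "$a_local" ] || [ "$a_remote" != "$b_local" ] || [ "$b_remote" != "$a_local" ]; then
    echo "check: giftunnel endpoints are not mirrored"; return 1
  fi
  a_out=$(sa_spi "$a" "$a_remote"); a_in=$(sa_spi "$a" "$a_local")
  b_out=$(sa_spi "$b" "$b_remote"); b_in=$(sa_spi "$b" "$b_local")
  if [ -z "$a_out" ] || [ -z "$a_in" ] || [ -z "$b_out" ] || [ -z "$b_in" ]; then
    echo "check: an end lists only one ESP SA; expected one with -dst peer and one with -dst self"; return 1
  fi
  if [ "$a_out" != "$b_in" ] || [ "$b_out" != "$a_in" ]; then
    echo "check: SPIs not mirrored (A out=$a_out B in=$b_in, B out=$b_out A in=$a_in)"; return 1
  fi
  if ! has_flow "$a" out "$a_remote" || ! has_flow "$a" in "$a_local" \
     || ! has_flow "$b" out "$b_remote" || ! has_flow "$b" in "$b_local"; then
    echo "check: an -in or -out etherip flow is missing"; return 1
  fi
  echo "check: both ends mirror each other"
}

# demo: generate both ends with the post's addresses and interfaces, print them, run the check
demo() {
  tmp=$(mktemp -d)
  gen_bridge_end 192.168.254.1 192.168.254.2 fxp1 4242 4243 > "$tmp/br1"
  gen_bridge_end 192.168.254.2 192.168.254.1 fxp0 4243 4242 > "$tmp/br2"
  cat "$tmp/br1"; echo; cat "$tmp/br2"; echo
  check_mirror "$tmp/br1" "$tmp/br2"
  rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as sh ipsec_bridge.sh demo to print both listings and the check result; the generated commands are meant to be read and then typed on the respective box, not executed by the script. check_mirror only reads listings, so it can be pointed at any two saved command files. Against the two listings in the post above it stops at the SA step, because each end there lists a single ESP SA and no -in flow, which is less than the one-SA-per-direction set this script assumes; whether that is what the poster's setup is missing is not established by the thread.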