Hi all, I have been trying for a few days to set up IPsec for my wireless network. The internet gateway has a ral(4) device:
[EMAIL PROTECTED]: ~ $ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:f8:a5:f3:34
        description: WLAN Link
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid NUFNUFNUF chan 11 bssid 00:18:f8:a5:f3:34 100dBm
        inet6 fe80::218:f8ff:fea5:f334%ral0 prefixlen 64 scopeid 0x4
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255

In /etc/ipsec.conf I have:

ike from any to 192.168.4.10 psk "test"

I start isakmpd and I load the rules with ipsecctl:

[EMAIL PROTECTED]: ~ $ sudo isakmpd -K
[EMAIL PROTECTED]: ~ $ sudo ipsecctl -vf /etc/ipsec.conf
C set [Phase 1]:192.168.4.10=peer-192.168.4.10 force
C set [peer-192.168.4.10]:Phase=1 force
C set [peer-192.168.4.10]:Address=192.168.4.10 force
C set [peer-192.168.4.10]:Authentication=test force
C set [peer-192.168.4.10]:Configuration=mm-192.168.4.10 force
C set [mm-192.168.4.10]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.10]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Phase=2 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:ISAKMP-peer=peer-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Configuration=qm-0.0.0.0/0-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Remote-ID=rid-192.168.4.10 force
C set [qm-0.0.0.0/0-192.168.4.10]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-192.168.4.10]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-192.168.4.10]:ID-type=IPV4_ADDR force
C set [rid-192.168.4.10]:Address=192.168.4.10 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-192.168.4.10

On the other side, my laptop has an iwi device. IPsec is configured this way:

ike from any to any peer 192.168.4.1 psk "test"

I start IPsec the same way as on the gateway:

[EMAIL PROTECTED]: ~ $ sudo isakmpd -K
[EMAIL PROTECTED]: ~ $ sudo ipsecctl -vf /etc/pf.conf
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Phase=2 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Configuration=qm-0.0.0.0/0-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-0.0.0.0/0-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-0.0.0.0/0
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-::/0-::/0]:Phase=2 force
C set [IPsec-::/0-::/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-::/0-::/0]:Configuration=qm-::/0-::/0 force
C set [IPsec-::/0-::/0]:Local-ID=lid-::/0 force
C set [IPsec-::/0-::/0]:Remote-ID=rid-::/0 force
C set [qm-::/0-::/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-::/0-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [lid-::/0]:Network=:: force
C set [lid-::/0]:Netmask=:: force
C set [rid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [rid-::/0]:Network=:: force
C set [rid-::/0]:Netmask=:: force
C add [Phase 2]:Connections=IPsec-::/0-::/0

[EMAIL PROTECTED]: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x2ade7f1b auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x4476f5e3 auth hmac-sha2-256 enc aes

On the gateway, I have:

[EMAIL PROTECTED]: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes

When the client has associated with the gateway, no traffic except IPsec passes through the gateway. It seems correct, since the flow on the gateway is from 0.0.0.0/0 to 0.0.0.0/0. But I don't understand why the rule 'ike from any to 192.168.4.10 psk "test"' on the gateway results in "from 0.0.0.0/0 to 0.0.0.0/0" in the IPsec flows. Am I doing something wrong?
Mattieu
-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."
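The question in the post is that the flows `ipsecctl -sa` reports on the gateway (0.0.0.0/0 to 0.0.0.0/0) are wider than the `ike from any to 192.168.4.10` line in ipsec.conf asked for. The script below is an added example written for this thread; it is not code from the post, from ipsecctl or from isakmpd. It parses the FLOWS and SAD sections as printed in the post, then compares each installed flow with the local/remote networks an administrator expects from the ipsec.conf line, reporting flows that are a strict superset of the policy. It assumes the ipsecctl convention that `out` flows are printed local-to-remote and `in` flows remote-to-local; the sample text is the gateway output quoted in the post, and `GATEWAY_POLICY` is the expected selector derived from the `Local-ID`/`Remote-ID` lines the post shows.

```python
"""Audit `ipsecctl -sa` output against the intended ipsec.conf policy.

Added example for the mailing-list thread; not code from the post or OpenBSD.
"""
import ipaddress
import re

# One FLOWS line and one SAD line, in the layout ipsecctl -sa prints in the post.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r" peer (?P<peer>\S+) srcid (?P<srcid>\S+) dstid (?P<dstid>\S+) type (?P<type>\S+)$"
)
SA_RE = re.compile(
    r"^(?P<proto>\S+) tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)"
    r" auth (?P<auth>\S+) enc (?P<enc>\S+)$"
)


def parse_ipsecctl_sa(text):
    """Return (flows, sas): one dict per recognised line.
    Section headers ("FLOWS:", "SAD:") and blank lines match neither pattern."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groupdict())
    return flows, sas


def is_catch_all(flow):
    """True when both selectors have prefix length 0 (0.0.0.0/0 or ::/0):
    the flow claims every packet, whatever the policy intended."""
    src = ipaddress.ip_network(flow["src"], strict=False)
    dst = ipaddress.ip_network(flow["dst"], strict=False)
    return src.prefixlen == 0 and dst.prefixlen == 0


def check_flows(flows, policy):
    """Compare installed flows with the intended policy.

    policy maps a peer address to (local_net, remote_net), the `from`/`to`
    networks of the matching `ike` line.  Assumption (ipsecctl convention):
    `out` flows are printed local->remote, `in` flows remote->local.
    status is "ok", "wider" (installed flow is a superset of the policy),
    "mismatch", or "no-policy" (peer not covered by any ike line).
    """
    findings = []
    for f in flows:
        local, remote = policy.get(f["peer"], (None, None))
        if local is None:
            findings.append({"peer": f["peer"], "dir": f["dir"], "status": "no-policy"})
            continue
        want_from, want_to = (local, remote) if f["dir"] == "out" else (remote, local)
        want_from = ipaddress.ip_network(want_from, strict=False)
        want_to = ipaddress.ip_network(want_to, strict=False)
        got_from = ipaddress.ip_network(f["src"], strict=False)
        got_to = ipaddress.ip_network(f["dst"], strict=False)
        if got_from.version != want_from.version or got_to.version != want_to.version:
            status = "mismatch"  # subnet_of() refuses to compare IPv4 with IPv6
        elif (got_from, got_to) == (want_from, want_to):
            status = "ok"
        elif want_from.subnet_of(got_from) and want_to.subnet_of(got_to):
            status = "wider"
        else:
            status = "mismatch"
        findings.append({
            "peer": f["peer"], "dir": f["dir"], "status": status,
            "installed": f"{got_from} -> {got_to}",
            "configured": f"{want_from} -> {want_to}",
            "catch_all": is_catch_all(f),
        })
    return findings


# Sample input: the gateway's `ipsecctl -sa` output quoted in the post.
GATEWAY_IPSECCTL_SA = """\
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes
"""
# What `ike from any to 192.168.4.10` was meant to install (Local-ID 0.0.0.0/0, Remote-ID 192.168.4.10).
GATEWAY_POLICY = {"192.168.4.10": ("0.0.0.0/0", "192.168.4.10/32")}


def audit_gateway():
    """Parse the sample and return (findings, sas) for the gateway."""
    flows, sas = parse_ipsecctl_sa(GATEWAY_IPSECCTL_SA)
    return check_flows(flows, GATEWAY_POLICY), sas


if __name__ == "__main__":
    findings, sas = audit_gateway()
    for item in findings:
        print(item)
    for sa in sas:
        print(f"SA {sa['src']} -> {sa['dst']} spi {sa['spi']} {sa['auth']}/{sa['enc']}")
```

Run against the post's output, both gateway flows come back as `wider` with `catch_all` set: the installed selectors cover every address while the policy line only named 192.168.4.10 as the remote side. Feeding the same parser the live output of `ipsecctl -sa` on each box after a change makes it easy to see whether the negotiated selectors actually match what ipsec.conf says, which is the first thing to check when traffic unexpectedly stops or unexpectedly bypasses the tunnel.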