Linksyses are pretty bad;
some experiences I've had with them are:

1. pfctl -e will enable my firewall, but the Linksys freaks out and 
drops the TCP connections (this does not happen when the boxes are 
connected with cross-overs)
2. the wireless ethernet bridge won't pass broadcast DHCP traffic
3. it yet again drops TCP connections when mounting NFS shares

My advice is to use the DMZ functionality (the Linksys will work as just 
a modem) and connect an OpenBSD box to that to use as your gateway. 

KISS or pull your hair out!

Have a nice day,
Travers



On Wednesday 08 February 2006 02:19, Jack Culpepper wrote:
> Hi All,
>
> I've put in a few hours of effort, and I've been unable to get my
> Linksys WAG54G DSL router/wireless/VPN thinger (running Linux &
> FreeS/WAN apparently) to talk to my OpenBSD 3.5 system via IPSec.
> I've tried both automatic and manual keying, to no avail.  I believe
> there are several models of this device that have approximately the
> same interface.
>
> I've looked around, but haven't found any nice instructions for doing
> this. I've also checked the mailing list.  I see hints that it is
> possible, but no good step-by-step guides, and getting it to work is
> non-trivial.  There are no useful hints in the Linksys log.
>
> Has anyone done this, and if so, could you please clue me in?
>
> On the Linksys side I used:
>
> IPSec PassThrough: (Tried both)
> Local Secure Group: Subnet ..
> Remote Secure Group: Subnet ..
> Encryption: 3DES
> Authentication: SHA
>
> Key Management: Manual
> Encryption Key: 123456789012345678901234
> Authentication Key: 12345678901234567890
>
> So then on the OpenBSD end, those correspond to:
>
> Encryption Key: 3132333435363738393a3132333435363738393a31323334
> Authentication Key: 3132333435363738393a3132333435363738393a
>
> Right?  Because on the Linksys web interface, each character is a
> byte, and on the OpenBSD side, each pair of hex characters is a byte.
>
> Inbound SPI: 0x 101
> Outbound SPI: 0x 100
>
> I tried swapping the SPIs.  Didn't help.
>
> The OpenBSD side comes directly from the vpn(8) man page:
>
> /sbin/ipsecadm new esp -src $GATEWAY_B -dst $GATEWAY_A \
>  -forcetunnel -spi 100 -enc 3des -auth sha1 \
>  -keyfile enc_key -authkeyfile auth_key
>
> /sbin/ipsecadm new esp -src $GATEWAY_A -dst $GATEWAY_B \
>  -forcetunnel -spi 101 -enc 3des -auth sha1 \
>  -keyfile enc_key -authkeyfile auth_key
>
> ipsecadm flow -out -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr $NETWORK_A $NETWORK_B
> ipsecadm flow -in -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr $NETWORK_B $NETWORK_A
>
> # want to talk straight from one router to the other, so..
>
> ipsecadm flow -out -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr ${GATEWAY_A}/32 $NETWORK_B
> ipsecadm flow -in -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr $NETWORK_B ${GATEWAY_A}/32
>
> ipsecadm flow -out -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr ${GATEWAY_A}/32 ${GATEWAY_B}/32
> ipsecadm flow -in -require -proto esp \
>   -src $GATEWAY_A -dst $GATEWAY_B \
>   -addr ${GATEWAY_B}/32 ${GATEWAY_A}/32
>
> Thanks,
>
> Jack
