From: Maciej Suszko <maciej@suszko.eu>
To: freebsd-net@freebsd.org
Date: Tue, 22 Jun 2010 19:08:19 +0200
Subject: Re: vpn trouble
Message-ID: <20100622190819.270aaa74@gda-arsenic>
In-Reply-To: <6caa9895ae1710b9f48a227116a4340c@ewipo.pl>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; amd64-portbld-freebsd8.1)
List-Id: Networking and TCP/IP with FreeBSD

wrote:
>
> Hmmm, aggressive mode didn't help :(
> Still I got only negotiation, so I try to send packets but I don't
> receive them at all.
>
> On my server 78.x.x.x I have ipfw allow all from any to any.
> On the other side 95.x.x.x they tell me that they do everything
> right - only I can't connect :(
>
> Maybe I don't set the route correctly?
>
> Does this mean that I don't receive the password from the other side?
> ERROR: phase1 negotiation failed due to time up.
> 5d300bcf894a18f5:0000000000000000

All the addresses you write about (despite those x) and especially this
10.10.1.90 sound familiar (anyway it might be a coincidence). I've got
more than a dozen working tunnels of this kind. You can try this way:

Set up a gif tunnel in rc.conf:

    cloned_interfaces="gif0"
    # outer endpoints: your public address, then the peer's public address
    ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
    # inner endpoints: your tunnel address, then the peer's inner address
    ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"

10.20.0.1 is your internal end of the tunnel, so use any address from
beyond the net 10.10.1.90 is in.

In racoon.conf something like this:

    # phase 1 (IKE) settings for the peer's public address
    remote 95.x.x.x [500] {
            exchange_mode main,aggressive;
            doi ipsec_doi;
            situation identity_only;
            my_identifier address 78.x.x.x;
            peers_identifier address 95.x.x.x;
            lifetime time 8 hour;
            passive off;
            proposal_check obey;
            generate_policy off;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    # phase 2 (IPsec SA) selectors: must match the gif alias pair above
    sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any) {
            pfs_group 2;
            lifetime time 3600 sec;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
    }

The other side needs to know you have 10.20.0.1 on your side of the
tunnel - this way you should have working IPSEC between both 10. ends.

-- 
regards, Maciej Suszko.
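A small consistency check for the two fragments above, added here as an example and not part of the original post: it parses the gif tunnel lines from rc.conf and the remote/sainfo stanzas from racoon.conf and reports where the outer endpoints, identifiers or phase 2 selectors disagree, which is a common cause of a tunnel that negotiates but never passes traffic. The addresses 78.0.0.1 / 95.0.0.1 are constructed stand-ins for the masked 78.x.x.x / 95.x.x.x in the post.

```python
import re

# Constructed sample inputs mirroring the post (public addresses are placeholders).
RC_CONF = '''cloned_interfaces="gif0"
ifconfig_gif0="tunnel 78.0.0.1 95.0.0.1"
ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
'''

RACOON_CONF = '''remote 95.0.0.1 [500] {
        my_identifier address 78.0.0.1;
        peers_identifier address 95.0.0.1;
}
sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any) {
        pfs_group 2;
}
'''


def parse_rc(text):
    """Extract the outer (tunnel) and inner (alias) address pairs from rc.conf."""
    tun = re.search(r'ifconfig_gif\d+="tunnel (\S+) (\S+)"', text)
    alias = re.search(r'ifconfig_gif\d+_alias\d+="(\S+) netmask \S+ (\S+)"', text)
    if not (tun and alias):
        return None
    return {"outer": tun.groups(), "inner": alias.groups()}


def parse_racoon(text):
    """Extract the remote address, both identifiers and the sainfo selector pair."""
    fields = {
        "remote": re.search(r'remote (\S+)', text),
        "my_id": re.search(r'my_identifier address (\S+);', text),
        "peer_id": re.search(r'peers_identifier address (\S+);', text),
    }
    sainfo = re.search(r'sainfo \(address (\S+) any address (\S+) any\)', text)
    if not (all(fields.values()) and sainfo):
        return None
    out = {k: m.group(1) for k, m in fields.items()}
    out["sainfo"] = tuple(a.split("/")[0] for a in sainfo.groups())  # drop /32
    return out


def check_consistency(rc_text, racoon_text):
    """Return a list of mismatches between the gif tunnel and racoon's view of it."""
    rc, rk = parse_rc(rc_text), parse_racoon(racoon_text)
    if rc is None or rk is None:
        return ["could not parse the gif tunnel lines or the racoon stanzas"]
    local_pub, peer_pub = rc["outer"]
    problems = []
    if rk["remote"] != peer_pub:
        problems.append(f"remote {rk['remote']} != tunnel peer {peer_pub}")
    if rk["my_id"] != local_pub:
        problems.append(f"my_identifier {rk['my_id']} != tunnel local {local_pub}")
    if rk["peer_id"] != peer_pub:
        problems.append(f"peers_identifier {rk['peer_id']} != tunnel peer {peer_pub}")
    if rk["sainfo"] != rc["inner"]:
        problems.append(f"sainfo selectors {rk['sainfo']} != gif alias pair {rc['inner']}")
    return problems
```

Run `check_consistency(RC_CONF, RACOON_CONF)` against your real files; an empty list means the two configurations describe the same tunnel.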