From owner-freebsd-net@FreeBSD.ORG Tue Jun 22 17:33:55 2010
Date: Tue, 22 Jun 2010 19:33:45 +0200
From:
X-Sender: ralf@dzie-ciuch.pl
To: David DeSimone
Cc: freebsd-net@freebsd.org
Subject: Re: vpn trouble
In-Reply-To: <20100622171944.GQ2620@verio.net>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622171944.GQ2620@verio.net>
Message-ID: <7255fc10973166ff686d074fba3fc0f6@ewipo.pl>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I am trying to set up the VPN as I wrote earlier. 78.x is the server and it is not NAT. It doesn't forward anything.
>> I try to configure VPN over my server and my client
>>
>> The scheme is like this:
>> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
>
> Are you trying to set up IPSEC tunneling of networks behind these
> gateways, or are you only trying to secure traffic between the peers
> themselves?

I am trying to set up a tunnel behind my server 78.x and the gateway 95.x, which translates packets to 10.x. I can only set up the 78.x side.

> The fact that you don't receive any reply to your IKE packets would
> indicate something basic, like something is blocking traffic.

But how can I check it? Telnet to port 500 won't work. But when I set SSH to listen on port 500 I can log in, so the port is not blocked.

>> # setkey -DP
>> 10.10.1.90[any] 78.x.x.x[any] any
>>     in ipsec
>>     esp/tunnel/95.x.x.x-78.x.x.x/require
>>     created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=16461 seq=1 pid=83142
>>     refcnt=1
>> 78.x.x.x[any] 10.10.1.90[any] any
>>     out ipsec
>>     esp/tunnel/78.x.x.x-95.x.x.x/require
>>     created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
>>     lifetime: 0(s) validtime: 0(s)
>>     spid=16460 seq=0 pid=83142
>>     refcnt=1
>
> Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
> actually encapsulating traffic originating from somewhere else, you
> might do better to just use "transport" mode to encrypt without
> encapsulation.

Hmm, I don't understand it. I set the policy only for these IPs, and the connection for it is ESP encrypted.

>> And tcpdump:
>> #tcpdump -i bce1 host 95.x.x.x
>>
>> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>
> My first thought was that your IPSEC policy attempts to encrypt all
> traffic between you and your peers, but the IKE traffic is also traffic
> between you and your peers, so doesn't it lead to a policy loop of some
> sort? Will the IPSEC layer attempt to capture and encrypt the IKE
> packets?

Can you explain how I can check it? I am new to this and I don't understand some things.

Regards
Ralf
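One way to answer the "policy loop" question raised in the last quoted paragraph, as an added example that is not part of this thread and not FreeBSD's own code: the Python script below parses `setkey -DP` output in the form posted above and reports which policy, if any, a given packet would hit. The addresses 192.0.2.1 and 198.51.100.1 are constructed stand-ins for 78.x.x.x and 95.x.x.x, `SPD_BROAD` and `SPD_BROAD_BYPASS` are constructed variants added for contrast, and the lookup is simplified to "first listed match" (the kernel also honours policy priority).

```python
"""Added example (not from the thread): a small matcher over `setkey -DP` text.
Addresses are constructed RFC 5737 stand-ins for the 78.x/95.x hosts; real SPD
lookup also weighs policy priority, here the first listed match wins."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Selector line "src[port] dst[port] proto" (addresses may carry /prefixlen),
# then "in|out <action>", then lines like "esp/tunnel/A-B/require".
HEADER_RE = re.compile(r"^([^\s\[]+)\[([^\]]+)\]\s+([^\s\[]+)\[([^\]]+)\]\s+(\S+)$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|none|bypass|discard)$")
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\S+)$")


@dataclass
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    sport: str                      # "any" or a port number as printed
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    dport: str
    proto: str                      # "any", "udp", "icmp", ...
    direction: str = ""
    action: str = ""
    rules: list[str] = field(default_factory=list)

    def matches(self, pkt: dict) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.proto not in ("any", pkt["proto"]):
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        for want, have in ((self.sport, pkt.get("sport")), (self.dport, pkt.get("dport"))):
            if want != "any" and int(want) != have:   # have is None for e.g. ICMP
                return False
        return True


def parse_spd(text: str) -> list[Policy]:
    """Turn `setkey -DP` output into Policy objects; created/lifetime/spid lines are skipped."""
    policies: list[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            src, sport, dst, dport, proto = m.groups()
            policies.append(Policy(ipaddress.ip_network(src, strict=False), sport,
                                   ipaddress.ip_network(dst, strict=False), dport, proto))
        elif policies and (m := DIR_RE.match(line)):
            policies[-1].direction, policies[-1].action = m.groups()
        elif policies and (m := RULE_RE.match(line)):
            policies[-1].rules.append("/".join(m.groups()))
    return policies


def lookup(policies: list[Policy], pkt: dict) -> Policy | None:
    """First policy whose selector matches the packet (None = no policy applies)."""
    return next((p for p in policies if p.matches(pkt)), None)


def describe(policies: list[Policy], pkt: dict) -> str:
    p = lookup(policies, pkt)
    if p is None:
        return "no policy: passes in the clear"
    if p.action in ("none", "bypass"):
        return "bypass: explicitly left in the clear"
    if p.action == "discard":
        return "discard"
    return "ipsec: " + ", ".join(p.rules)   # "require": nothing moves until an SA exists


# Constructed sample: the two policies posted above, 192.0.2.1 standing in for
# 78.x.x.x and 198.51.100.1 for 95.x.x.x.
SPD_POSTED = """\
10.10.1.90[any] 192.0.2.1[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require
    created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
    lifetime: 0(s) validtime: 0(s)
    spid=16461 seq=1 pid=83142
    refcnt=1
192.0.2.1[any] 10.10.1.90[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    refcnt=1
"""
# Constructed variant: a peer-to-peer policy covering *all* traffic to the gateway,
# so IKE itself would need ESP before any SA can be negotiated (the loop asked about).
SPD_BROAD = """\
192.0.2.1[any] 198.51.100.1[any] any
    out ipsec
    esp/transport//require
"""
# Same, with IKE (udp/500) and NAT-T (udp/4500) bypassed ahead of the catch-all.
SPD_BROAD_BYPASS = """\
192.0.2.1[500] 198.51.100.1[500] udp
    out none
192.0.2.1[4500] 198.51.100.1[4500] udp
    out none
""" + SPD_BROAD

IKE_OUT = {"direction": "out", "src": "192.0.2.1", "dst": "198.51.100.1",
           "proto": "udp", "sport": 500, "dport": 500}
PING_TO_CLIENT = {"direction": "out", "src": "192.0.2.1", "dst": "10.10.1.90", "proto": "icmp"}

if __name__ == "__main__":
    for name, spd in (("posted", SPD_POSTED), ("broad", SPD_BROAD), ("broad+bypass", SPD_BROAD_BYPASS)):
        pols = parse_spd(spd)
        print(f"{name:13s} IKE  -> {describe(pols, IKE_OUT)}")
        print(f"{name:13s} ping -> {describe(pols, PING_TO_CLIENT)}")
```

Against the posted policies the outbound IKE packet to the gateway matches nothing, because both selectors name 10.10.1.90 rather than 95.x; only traffic to the client is forced through the tunnel, which is consistent with the isakmp packets showing up unencrypted in the tcpdump above. Against a peer-to-peer catch-all, IKE itself gets "require" and can never bring up the SA it depends on; putting `out none` entries for udp/500 (and udp/4500 for NAT-T) ahead of the catch-all keeps IKE in the clear.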