From owner-freebsd-net@FreeBSD.ORG Tue Jun 22 17:42:12 2010
Date: Tue, 22 Jun 2010 19:42:03 +0200
X-Sender: ralf@dzie-ciuch.pl
To: Maciej Suszko
Cc: freebsd-net@freebsd.org
Subject: Re: vpn trouble
In-Reply-To: <20100622190819.270aaa74@gda-arsenic>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl> <20100622190819.270aaa74@gda-arsenic>
Message-ID: <4f378cfb416582c3081377ba714e508a@ewipo.pl>
User-Agent: EWIPO Webmail/0.3.1
List-Id: Networking and TCP/IP with FreeBSD

>> Hmmm, aggressive mode didn't help :(
>> Still I only get negotiation, so I try to send packets but I don't
>> receive anything at all.
>>
>> On my server 78.x.x.x I got ipfw allow all from any to any.
>> On the other side 95.x.x.x they tell me that they do everything
>> right - only I can't connect :(
>>
>> Maybe I don't set the route correctly?
>>
>> Does this mean that I don't receive the password from the other side?
>> ERROR: phase1 negotiation failed due to time up.
>> 5d300bcf894a18f5:0000000000000000
>
> All the addresses you write about (despite those x) and especially
> this 10.10.1.90 sound familiar (anyway it might be a coincidence). I've
> got more than a dozen working tunnels of this kind. You can try this way:
>
> Set up a gif tunnel in rc.conf:
>
> cloned_interfaces="gif0"
> ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
>
> 10.20.0.1 is your internal end of the tunnel, so use any address from
> beyond the net 10.10.1.90 is in.
>
> In racoon.conf something like this:
>
> remote 95.x.x.x [500]
> {
>         exchange_mode main,aggressive;
>         doi ipsec_doi;
>         situation identity_only;
>         my_identifier address 78.x.x.x;
>         peers_identifier address 95.x.x.x;
>         lifetime time 8 hour;
>         passive off;
>         proposal_check obey;
>         generate_policy off;
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key;
>                 dh_group 2;
>         }
> }
>
> sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
> {
>         pfs_group 2;
>         lifetime time 3600 sec;
>         encryption_algorithm 3des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
> }
>
> The other side needs to know you have 10.20.0.1 on your side of the
> tunnel - this way you should have working IPSEC between both 10. ends.

So as you write, they should set: ??
10.20.0.1 (my IP on the gif device) <-> 78.x <-> 95.x <-> 10.10.1.90 (other side)

And additionally I think I should set the SPD policy correctly to:

spdadd 10.20.0.1 10.10.1.90 any -P out ipsec esp/tunnel/78.x.x.x-95.x.x.x/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec esp/tunnel/95.x.x.x-78.x.x.x/require;

Am I wrong?

Regards
Ralf
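The racoon sainfo selector and setkey SPD pair discussed in this thread, as an added example that is not part of any message in it: a small POSIX sh script that generates both from the four addresses and checks that an out/in spdadd pair really mirrors itself (inner addresses swapped, tunnel endpoints swapped, directions opposite), which is what the two lines above must satisfy for traffic to flow both ways. The 78.x.x.x and 95.x.x.x placeholders are kept as in the thread and are not validated as IP addresses; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): emit the racoon sainfo selector and the
# setkey SPD pair for a gif+IPsec tunnel, and check that an out/in spdadd pair
# mirrors itself. 78.x.x.x/95.x.x.x stay as the thread's placeholders.

# sainfo_selector LOCAL_INNER REMOTE_INNER: racoon phase-2 selector, which
# must cover the same /32 pair as the SPD entries below.
sainfo_selector() {
  printf 'sainfo (address %s/32 any address %s/32 any)\n' "$1" "$2"
}

# spd_line SRC DST DIR TUN_SRC TUN_DST: one setkey policy line.
spd_line() {
  printf 'spdadd %s %s any -P %s ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4" "$5"
}

# spd_pair LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER: out, then in.
spd_pair() {
  spd_line "$3" "$4" out "$1" "$2"
  spd_line "$4" "$3" in  "$2" "$1"
}

# parse_spd LINE: split a spdadd line into P_SRC P_DST P_DIR P_TSRC P_TDST;
# returns 1 when the line is not of the expected shape.
parse_spd() {
  set -- $1   # word splitting is intended here
  [ "$1" = spdadd ] && [ "$5" = -P ] && [ "$7" = ipsec ] || return 1
  P_SRC=$2; P_DST=$3; P_DIR=$6
  tun=${8#esp/tunnel/}; tun=${tun%/require*}
  P_TSRC=${tun%-*}; P_TDST=${tun#*-}
}

# spd_mirrored OUT_LINE IN_LINE: 0 when the policies are exact mirrors
# (swapped inner addresses, swapped tunnel endpoints, out vs in).
spd_mirrored() {
  parse_spd "$1" || return 1
  o_src=$P_SRC; o_dst=$P_DST; o_dir=$P_DIR; o_ts=$P_TSRC; o_td=$P_TDST
  parse_spd "$2" || return 1
  [ "$o_dir" = out ] && [ "$P_DIR" = in ] &&
    [ "$o_src" = "$P_DST" ] && [ "$o_dst" = "$P_SRC" ] &&
    [ "$o_ts" = "$P_TDST" ] && [ "$o_td" = "$P_TSRC" ]
}

# Demonstration with the thread's addresses.
sainfo_selector 10.20.0.1 10.10.1.90
spd_pair 78.x.x.x 95.x.x.x 10.20.0.1 10.10.1.90
```

Feeding the two spdadd lines from the message into spd_mirrored returns 0; an inbound line that keeps the 78.x.x.x-95.x.x.x tunnel order unswapped returns 1.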