Date: Tue, 22 Jun 2010 20:11:30 +0200 From: Maciej Suszko <maciej@suszko.eu> To: <ralf@dzie-ciuch.pl> Cc: freebsd-net@freebsd.org Subject: Re: vpn trouble Message-ID: <20100622201130.5824d585@gda-arsenic> In-Reply-To: <4f378cfb416582c3081377ba714e508a@ewipo.pl> References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <c5781e9db1e6339b5b23c0c403c68d9a@ewipo.pl> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl> <20100622190819.270aaa74@gda-arsenic> <4f378cfb416582c3081377ba714e508a@ewipo.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/3A.lGlBAur05zO14p_5oVjJ Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable <ralf@dzie-ciuch.pl> wrote: >=20 >=20 > >> Hmmm, aggressive mode wasn't help :( > >> Still I got only negotiation, so I try to send packets but I don't > >> receive it at all. > >>=20 > >> On my server 78.x.x.x I got ipfw allow all from any to any. > >> On the other side 95.x.x.x they tell me that they do it everything > >> right - only I can't connect :( > >>=20 > >> Maybe I don't set route correctly? > >>=20 > >> Is this mean that I don't receive password from other side? > >> ERROR: phase1 negotiation failed due to time up. > >> 5d300bcf894a18f5:0000000000000000 > >=20 > > All the addresses you write about (despite of those x) and > > especially this 10.10.1.90 sound familiar (anyway it might be > > conicidence). I've got more than dozen working tunnels of this > > kind. You can try this way: > >=20 > > Set up a gif tunnel in rc.conf: > >=20 > > cloned_interfaces=3D"gif0" > > ifconfig_gif0=3D"tunnel 78.x.x.x 95.x.x.x" > > ifconfig_gif0_alias0=3D"10.20.0.1 netmask 255.255.255.255 10.10.1.90" > >=20 > > 10.20.0.1 is your internal end of the tunnel, so use any address > > from beyond the net 10.10.1.90 is in. > >=20 > >=20 > > in racoon.conf something like this: > >=20 > > remote 95.x.x.x [500] > > { > > exchange_mode main,aggressive; > > doi ipsec_doi; > > situation identity_only; > > my_identifier address 78.x.x.x; > > peers_identifier address 95.x.x.x; > > lifetime time 8 hour; > > passive off; > > proposal_check obey; > > generate_policy off; > > proposal { > > encryption_algorithm 3des; > > hash_algorithm md5; > > authentication_method pre_shared_key; > > dh_group 2; > > } > > } > >=20 > > sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any) > > { > > pfs_group 2; > > lifetime time 3600 sec; > > encryption_algorithm 3des; > > authentication_algorithm hmac_md5; > > compression_algorithm deflate; > > } > >=20 > > The other side needs to know you have 10.20.0.1 on your side of the > > tunnel - this way you should have working IPSEC bettween both 10. > > ends. >=20 > So as you write they should set: ?? > 10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90 > (other side) Yes, indeed. > And additionaly I thing I should correct set spd policy to: >=20 > spdadd 10.20.0.1 10.10.1.90 any -P out ipsec > esp/tunnel/78.x.x.x-95.x.x.x/require; > spdadd 10.10.1.90 10.20.0.1 any -P in ipsec > esp/tunnel/95.x.x.x-78.x.x.x/require; >=20 > Am I wrong? No, you're right :) You can set up the tunnel first - check whether both 10. are accessible from both sides, then you "cover" communication between them with IPSEC. --=20 regards, Maciej Suszko. --Sig_/3A.lGlBAur05zO14p_5oVjJ Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAkwg/NUACgkQCikUk0l7iGrP3wCeIhASZ9EtJw6upxnXEosEuONM 2HYAnicpFDl8hMR1xAjNvt+uFsMqjEA4 =MiZT -----END PGP SIGNATURE----- --Sig_/3A.lGlBAur05zO14p_5oVjJ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100622201130.5824d585>