From: "Steve Greenshaw"
To: "freebsd-questions"
Date: Tue, 24 Feb 2004 22:15:25 -0000
Subject: Racoon / Draytek Setup

Hi,

I'm having trouble attempting to set up a LAN to LAN VPN between FreeBSD 4.9 and a Draytek 'Vigor2900 router'. I'm trying to use IPSec tunnelling.

My aim is to connect 192.168.32.0/24 (FreeBSD) to 192.168.1.0/24 (Draytek).

On the FreeBSD box I've gone ahead and created a tunnel (gif):

    AAA.AAA.AAA.AAA => BBB.BBB.BBB.BBB

This tunnel joins 192.168.32.1 and 192.168.1.1. There's a route to 192.168.1.0/24 via 192.168.1.1 added and present in the routing table.

I've completed the VPN setup on the Draytek Vigor2900. I've removed all firewall or filtering rules so these are not an issue.
Running racoon in verbose mode, when I try to start the connection from the Draytek I see:

2004-02-24 21:46:36: INFO: isakmp.c:892:isakmp_ph1begin_r(): respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
2004-02-24 21:46:36: INFO: isakmp.c:897:isakmp_ph1begin_r(): begin Aggressive mode.
2004-02-24 21:46:36: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-02-24 21:46:38: INFO: isakmp.c:2410:log_ph1established(): ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:361b8dc6e371b85c:30034bf29701e1a1
2004-02-24 21:46:38: INFO: isakmp.c:1047:isakmp_ph2begin_r(): respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
2004-02-24 21:46:38: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB->AAA.AAA.AAA.AAA spi=227581104(0xd909cb0)
2004-02-24 21:46:38: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA->BBB.BBB.BBB.BBB spi=4193511423(0xf9f3e7ff)

The Draytek also tells me that I have a VPN up and running and that data is encrypted.

The problem is that this is as far as it gets. I can't ping either of my private networks from the other etc., etc. I get 100% packet loss.

This is really bugging me as the tunnel *has* to be there for the keys to be set, doesn't it? If that's the case then there must be a route? I use exactly this method FreeBSD - FreeBSD all the time ...

Anyway. I'm really stuck now and was hoping that maybe somebody might be able to shed some light on this for me? Has anybody ever set up a FreeBSD/Draytek LAN to LAN VPN using IPSec? Does anybody know if it's possible?

Below is the security policy that I use for setkey and also my racoon.conf, just in case that is useful ...
################
spdadd 192.168.32.0/24 192.168.1.0/24 ipencap -P out ipsec esp/tunnel/AAA.AAA.AAA.AAA-BBB.BBB.BBB.BBB/require;
spdadd 192.168.1.0/24 192.168.32.0/24 ipencap -P in ipsec esp/tunnel/BBB.BBB.BBB.BBB-AAA.AAA.AAA.AAA/require;
################

################
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

listen {
    isakmp AAA.AAA.AAA.AAA [500];
}

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 2800 sec;
    phase2 3600 sec;
}

remote anonymous {
    exchange_mode aggressive,main;
    situation identity_only;
    nonce_size 16;
    lifetime time 24 hour;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm 3des, blowfish, des, rijndael ;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate ;
}
################

Regards,
Steve
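An added example, not part of Steve's post and not racoon's or setkey's own code: a small Python checker that parses the racoon log lines and the two spdadd policies quoted in the post (embedded here as constructed sample input) and reports how IKE can finish while no packets cross the tunnel. The function names and the wording of the findings are my own; the parsing follows the log and spdadd formats exactly as they appear above.

```python
import re

# Constructed sample input: the racoon lines and setkey policies quoted in the post
# (AAA.../BBB... are the poster's own address placeholders, kept as-is).
RACOON_LOG = """\
2004-02-24 21:46:36: INFO: isakmp.c:892:isakmp_ph1begin_r(): respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
2004-02-24 21:46:36: INFO: isakmp.c:897:isakmp_ph1begin_r(): begin Aggressive mode.
2004-02-24 21:46:36: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-02-24 21:46:38: INFO: isakmp.c:2410:log_ph1established(): ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:361b8dc6e371b85c:30034bf29701e1a1
2004-02-24 21:46:38: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB->AAA.AAA.AAA.AAA spi=227581104(0xd909cb0)
2004-02-24 21:46:38: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA->BBB.BBB.BBB.BBB spi=4193511423(0xf9f3e7ff)
"""
SPD = """\
spdadd 192.168.32.0/24 192.168.1.0/24 ipencap -P out ipsec esp/tunnel/AAA.AAA.AAA.AAA-BBB.BBB.BBB.BBB/require;
spdadd 192.168.1.0/24 192.168.32.0/24 ipencap -P in ipsec esp/tunnel/BBB.BBB.BBB.BBB-AAA.AAA.AAA.AAA/require;
"""
SA_RE = re.compile(r"IPsec-SA established: (\w+)/(\w+) (\S+)->(\S+) spi=(\d+)")
SPD_RE = re.compile(r"spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec esp/tunnel/([^-]+)-([^/]+)/(\w+);")

def parse_racoon(log):
    """Summarise IKE state from racoon's log: phase-1 mode, PSK lookup, ESP SAs."""
    state = {"mode": None, "psk_by_address": False, "isakmp": False, "sas": []}
    for line in log.splitlines():
        if m := re.search(r"begin (\w+) mode", line):
            state["mode"] = m.group(1)
        state["psk_by_address"] |= "try to get one by the peer's address" in line
        state["isakmp"] |= "ISAKMP-SA established" in line
        if m := SA_RE.search(line):   # (proto, mode, outer src, outer dst, spi)
            state["sas"].append(m.groups()[:4] + (int(m.group(5)),))
    return state

def parse_spd(text):
    """setkey spdadd lines -> (src, dst, upper, dir, tunnel src, tunnel dst, level)."""
    return [m.groups() for m in SPD_RE.finditer(text)]

def check(log, spd_text):
    """Findings that explain how IKE can finish while no traffic crosses the tunnel."""
    st, findings = parse_racoon(log), []
    if st["mode"] == "Aggressive" and st["psk_by_address"]:
        findings.append("phase 1: Aggressive mode, PSK chosen by peer address (no psk.txt entry matched the peer's ID)")
    for src, dst, upper, direction, tsrc, tdst, _level in parse_spd(spd_text):
        if not any(s == tsrc and d == tdst for _, _, s, d, _ in st["sas"]):
            findings.append(f"{direction} policy {src}->{dst}: no ESP SA for tunnel {tsrc}-{tdst}")
        if upper != "any":   # the upper-layer selector restricts which packets the policy covers
            findings.append(f"{direction} policy {src}->{dst} matches only '{upper}' packets; a plain ping between these subnets does not match it")
    return findings
```

On the posted input both SAs line up with the policies' tunnel endpoints, so the findings point at the `ipencap` selector rather than at key negotiation.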