From: Maciej Suszko
To: freebsd-net@freebsd.org
Date: Tue, 22 Jun 2010 20:26:36 +0200
Subject: Re: vpn trouble
Message-ID: <20100622202636.714bced5@gda-arsenic>
In-Reply-To: <7255fc10973166ff686d074fba3fc0f6@ewipo.pl>

wrote:
> 
> Hi,
> 
> I'm trying to set up a VPN like I wrote earlier.
> 78.x is the server and this is not NAT. It doesn't forward anything.
> 
> >> I'm trying to configure a VPN between my server and my client.
> >> 
> >> The scheme is like this:
> >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
> > 
> > Are you trying to set up IPSEC tunneling of networks behind these
> > gateways, or are you only trying to secure traffic between the peers
> > themselves?
> 
> I'm trying to set up a tunnel behind my server 78.x and the gateway 95.x,
> which translates packets to 10.x. I can only set up the 78.x side.
> 
> > 
> > The fact that you don't receive any reply to your IKE packets would
> > indicate something basic, like something is blocking traffic.
> 
> But how to check it? Telnet to port 500 won't work. But when I set SSH
> to listen on port 500 I can log in, so the port is not blocked.

telnet host 500 uses TCP; isakmp uses UDP.

> >> # setkey -DP
> >> 10.10.1.90[any] 78.x.x.x[any] any
> >>         in ipsec
> >>         esp/tunnel/95.x.x.x-78.x.x.x/require
> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
> >>         lifetime: 0(s) validtime: 0(s)
> >>         spid=16461 seq=1 pid=83142
> >>         refcnt=1
> >> 78.x.x.x[any] 10.10.1.90[any] any
> >>         out ipsec
> >>         esp/tunnel/78.x.x.x-95.x.x.x/require
> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
> >>         lifetime: 0(s) validtime: 0(s)
> >>         spid=16460 seq=0 pid=83142
> >>         refcnt=1
> > 
> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
> > actually encapsulating traffic originating from somewhere else, you
> > might do better to just use "transport" mode to encrypt without
> > encapsulation.
> 
> Hmmm, I don't understand it? I set the policy only for those IPs and
> the connection for it is ESP encrypted.
> 
> > 
> >> And tcpdump
> >> # tcpdump -i bce1 host 95.x.x.x
> >> 
> >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> > 
> > My first thought was that your IPSEC policy attempts to encrypt all
> > traffic between you and your peers, but the IKE traffic is also
> > traffic between you and your peers, so doesn't it lead to a policy
> > loop of some sort? Will the IPSEC layer attempt to capture and
> > encrypt the IKE packets?
> 
> Can you explain how I can check it? I'm new to this and I don't understand
> some things.

I've got such tunnels up and working - tunnel mode, encryption between
peers, without using any internal networks - strange, but working :) -
the policy looks like this:

spdadd 195.x.x.x 213.x.x.x any -P out ipsec esp/tunnel/195.x.x.x-213.x.x.x/require;
spdadd 213.x.x.x 195.x.x.x any -P in ipsec esp/tunnel/213.x.x.x-195.x.x.x/require;

-- 
regards, Maciej Suszko.
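The quoted reply asks whether the IPsec layer would try to capture the IKE packets when the policy covers all traffic between the peers, and the original poster asks how such things can be checked. The following is an added example (my own code, not from the FreeBSD list, setkey or racoon): it parses a `setkey -DP` dump in the layout quoted above and reports which entries would force UDP/500 (and NAT-T UDP/4500) between two peers into ESP. Both dumps inside it are constructed; the first mirrors the poster's gateway-to-host policy, the second a peer-to-peer "any" policy like the one in the reply, and the RFC 5737 addresses 203.0.113.78 and 198.51.100.95 stand in for 78.x.x.x and 95.x.x.x. It assumes the kernel consults entries in dump order and does not model per-socket policies.

```python
"""Would an IPsec SPD (as dumped by `setkey -DP`) swallow the IKE exchange itself?
Added example for this thread, not setkey/racoon code. 203.0.113.78 and
198.51.100.95 are RFC 5737 stand-ins for the 78.x.x.x and 95.x.x.x hosts."""
import ipaddress
import re
from dataclasses import dataclass, field

SEL_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")  # src[port] dst[port] proto
DIR_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard)$")      # e.g. "in ipsec"
REQ_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/[^/]*/(require|use|default|unique)$")
SPID_RE = re.compile(r"^spid=(\d+)")
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

@dataclass
class Policy:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str = ""
    action: str = ""
    requests: list = field(default_factory=list)
    spid: int = 0

def parse_spd(dump):
    """One Policy per selector line; the indented lines that follow fill it in.
    created/lifetime/refcnt lines carry no selector information and are skipped."""
    policies = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := SEL_RE.match(line):
            policies.append(Policy(*m.groups()))
        elif not policies:
            continue
        elif m := DIR_RE.match(line):
            policies[-1].direction, policies[-1].action = m.group(1), m.group(2)
        elif REQ_RE.match(line):
            policies[-1].requests.append(line)
        elif m := SPID_RE.match(line):
            policies[-1].spid = int(m.group(1))
    return policies

def _addr_match(selector, addr):
    # selector is a host or a prefix; a bare host is /32 (or /128)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)

def _proto_match(selector, proto):
    if selector == "any":
        return True
    return int(selector) == proto if selector.isdigit() else PROTO_NAMES.get(selector) == proto

def lookup(policies, direction, src, dst, proto, sport, dport):
    """First match in dump order (assumption: the kernel consults entries in this order)."""
    for p in policies:
        if (p.direction == direction
                and _addr_match(p.src, src) and _addr_match(p.dst, dst)
                and _proto_match(p.proto, proto)
                and p.sport in ("any", str(sport)) and p.dport in ("any", str(dport))):
            return p
    return None

def ike_caught_by_spd(policies, local, peer, ports=(500, 4500)):
    """Entries that would force the IKE exchange itself (UDP/500, NAT-T UDP/4500) into
    ESP/AH although the SA being negotiated does not exist yet. -> [(dir, port, Policy)]"""
    hits = []
    for port in ports:
        for direction, p in (("out", lookup(policies, "out", local, peer, 17, port, port)),
                             ("in", lookup(policies, "in", peer, local, 17, port, port))):
            if p and p.action == "ipsec" and any(r.endswith("/require") for r in p.requests):
                hits.append((direction, port, p))
    return hits

# Constructed dump mirroring the one quoted in the thread (gateway <-> inner host).
THREAD_DUMP = """\
10.10.1.90[any] 203.0.113.78[any] any
        in ipsec
        esp/tunnel/198.51.100.95-203.0.113.78/require
        created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
        spid=16461 seq=1 pid=83142
203.0.113.78[any] 10.10.1.90[any] any
        out ipsec
        esp/tunnel/203.0.113.78-198.51.100.95/require
        spid=16460 seq=0 pid=83142
"""

# Constructed dump of a peer-to-peer "any" policy like the one in the reply.
PEER_DUMP = """\
203.0.113.78[any] 198.51.100.95[any] any
        out ipsec
        esp/tunnel/203.0.113.78-198.51.100.95/require
        spid=1 seq=1 pid=100
198.51.100.95[any] 203.0.113.78[any] any
        in ipsec
        esp/tunnel/198.51.100.95-203.0.113.78/require
        spid=2 seq=0 pid=100
"""

if __name__ == "__main__":
    for name, dump in (("thread policy", THREAD_DUMP), ("peer-to-peer policy", PEER_DUMP)):
        hits = ike_caught_by_spd(parse_spd(dump), "203.0.113.78", "198.51.100.95")
        print(name, "->", [(d, port, p.spid) for d, port, p in hits] or "IKE not covered by SPD")
```

Run as-is it reports that the poster's policy does not touch IKE at all (its selectors are 10.10.1.90 and 78.x, while IKE runs between 78.x and 95.x), whereas the peer-to-peer policy matches the IKE exchange in both directions. A daemon can still get its packets out under such a policy when it installs a bypass policy on its own IKE sockets, as racoon does; the script models only the SPD. On the reachability question itself, telnet to port 500 exercises TCP only; watching `tcpdump -ni <interface> udp port 500` on or as near as possible to the far end shows whether the UDP IKE packets actually arrive.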