From owner-freebsd-net@FreeBSD.ORG Tue Jun 22 18:30:47 2010
Date: Tue, 22 Jun 2010 20:30:38 +0200
X-Sender: ralf@dzie-ciuch.pl
To: Maciej Suszko
Cc: freebsd-net@freebsd.org
Subject: Re: vpn trouble
In-Reply-To: <20100622202636.714bced5@gda-arsenic>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622171944.GQ2620@verio.net> <7255fc10973166ff686d074fba3fc0f6@ewipo.pl> <20100622202636.714bced5@gda-arsenic>
Message-ID: <7fcefb2d592f4b443c09af6904eecfee@ewipo.pl>
List-Id: Networking and TCP/IP with FreeBSD

Thanks guys, I'll try it tomorrow and let you know whether it works or not.

Regards
Ralf

On Tue, 22 Jun 2010 20:26:36 +0200, Maciej Suszko wrote:
> wrote:
>> >> Hi,
>> >>
>> >> I try to set up the VPN like I wrote earlier.
>> 78.x is the server and this is not NAT. It doesn't forward anything.
>>
>> >> I try to configure the VPN over my server and my client.
>> >>
>> >> The scheme is like this:
>> >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
>> >
>> > Are you trying to set up IPSEC tunneling of networks behind these
>> > gateways, or are you only trying to secure traffic between the peers
>> > themselves?
>>
>> I try to set a tunnel behind my server 78.x and gateway 95.x translating
>> packets to 10.x. I can only set the 78.x side.
>>
>> > The fact that you don't receive any reply to your IKE packets would
>> > indicate something basic, like something is blocking traffic.
>>
>> But how to check it? Telnet to port 500 won't work. But when I set SSH
>> to listen on port 500 I can log in, so the port is not blocked.
>
> Telnet host 500 uses proto tcp, isakmp - udp.
>
>> >> # setkey -DP
>> >> 10.10.1.90[any] 78.x.x.x[any] any
>> >>         in ipsec
>> >>         esp/tunnel/95.x.x.x-78.x.x.x/require
>> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
>> >>         lifetime: 0(s) validtime: 0(s)
>> >>         spid=16461 seq=1 pid=83142
>> >>         refcnt=1
>> >> 78.x.x.x[any] 10.10.1.90[any] any
>> >>         out ipsec
>> >>         esp/tunnel/78.x.x.x-95.x.x.x/require
>> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
>> >>         lifetime: 0(s) validtime: 0(s)
>> >>         spid=16460 seq=0 pid=83142
>> >>         refcnt=1
>> >
>> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
>> > actually encapsulating traffic originating from somewhere else, you
>> > might do better to just use "transport" mode to encrypt without
>> > encapsulation.
>>
>> Hmmm, I don't understand it? I set the policy only for these IPs and
>> the connection for it is ESP encrypted.
>>
>> >> And tcpdump:
>> >> # tcpdump -i bce1 host 95.x.x.x
>> >>
>> >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >
>> > My first thought was that your IPSEC policy attempts to encrypt all
>> > traffic between you and your peers, but the IKE traffic is also
>> > traffic between you and your peers, so doesn't it lead to a policy
>> > loop of some sort? Will the IPSEC layer attempt to capture and
>> > encrypt the IKE packets?
>>
>> Can you explain how I can check it? I'm new to this and I don't understand
>> some things.
>
> I've got such tunnels up and working - tunnel mode, encryption between
> peers, without using any internal networks - strange, but working :) -
> policy looks like that:
> spdadd 195.x.x.x 213.x.x.x any -P out ipsec
>     esp/tunnel/195.x.x.x-213.x.x.x/require;
> spdadd 213.x.x.x 195.x.x.x any -P in ipsec
>     esp/tunnel/213.x.x.x-195.x.x.x/require;
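An added example, not from this thread or from FreeBSD: a small Python check over `setkey -DP` output that parses the SPD entries quoted above and reports the points raised in the replies (a missing mirrored in policy, tunnel mode where the selector is only the two gateways so transport mode would do, and a proto `any` peer-to-peer selector that also matches IKE on udp/500). The sample text is the poster's output re-typed with tab indentation as setkey prints it; the check inspects selectors only and does not decide what the kernel does with the IKE daemon's own sockets.

```python
import re

# Constructed sample: the two SPD entries from the thread's `setkey -DP`
# output, tab-indented as setkey prints them (addresses redacted as posted).
SAMPLE_SPD = """\
10.10.1.90[any] 78.x.x.x[any] any
\tin ipsec
\tesp/tunnel/95.x.x.x-78.x.x.x/require
\tcreated: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
\tspid=16461 seq=1 pid=83142
78.x.x.x[any] 10.10.1.90[any] any
\tout ipsec
\tesp/tunnel/78.x.x.x-95.x.x.x/require
\tcreated: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
\tspid=16460 seq=0 pid=83142
"""

SELECTOR = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] (\S+)$")
RULE = re.compile(r"^(esp|ah)/(tunnel|transport)(?:/([^-/]+)-([^/]+))?/(\w+)$")

def parse_spd(text):
    """Return one dict per SPD entry: selector, direction and ipsec rule."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.startswith("\t"):          # an unindented line is a selector
            src, dst, proto = SELECTOR.match(line).groups()
            cur = {"src": src, "dst": dst, "proto": proto, "mode": None}
            entries.append(cur)
        elif line.strip() in ("in ipsec", "out ipsec"):
            cur["dir"] = line.split()[0]
        elif (m := RULE.match(line.strip())):   # created/spid lines are skipped
            cur["mode"], cur["ep_src"], cur["ep_dst"], cur["level"] = m.groups()[1:]
    return entries

def check_spd(entries):
    """Consistency checks to run before blaming the network for silent IKE."""
    findings, ins = [], [e for e in entries if e.get("dir") == "in"]
    for o in (e for e in entries if e.get("dir") == "out"):
        # every out policy needs its mirror: selector and tunnel endpoints swapped
        if not any(i["src"] == o["dst"] and i["dst"] == o["src"] and
                   i.get("ep_src") == o.get("ep_dst") and i.get("ep_dst") == o.get("ep_src")
                   for i in ins):
            findings.append(f"no mirrored in policy for {o['src']} -> {o['dst']}")
        peers_only = (o["src"], o["dst"]) == (o.get("ep_src"), o.get("ep_dst"))
        # tunnel mode whose selector is just the two gateways only adds an outer header
        if o["mode"] == "tunnel" and peers_only:
            findings.append(f"tunnel mode between gateways {o['src']} <-> {o['dst']}")
        # a proto 'any' selector between the gateways also matches udp/500
        if o["proto"] == "any" and peers_only:
            findings.append("peer-to-peer selector also covers IKE (udp/500)")
    return findings
```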