From owner-freebsd-net@FreeBSD.ORG Wed Sep 5 13:12:55 2007
Date: Wed, 5 Sep 2007 16:12:47 +0300
From: "lost janis" <riga.bsd@gmail.com>
To: freebsd-net@freebsd.org
Subject: IPsec gif problems
List-Id: Networking and TCP/IP with FreeBSD
Hello!

I apologise for my English.

I'm using FreeBSD 6.2 with a kernel compiled with these options:

    options IPSEC        #IP security
    options IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
    options IPSEC_DEBUG  #debug for IP security

ipsec-tools is installed (portversion 0.7). I'm using the PF firewall.

I already feel dumb and fr..out; I have spent one week on this problem and cannot find a solution.

Here is my problem:

    First GRE tunnel end-point IP addresses (must be public IPv4):
        my host A.A.A.A and host B.B.B.B
    Second GRE tunnel end-point IP addresses (must be public IPv4):
        C.C.C.C and D.D.D.D
    IPsec device IPs (must be public IPv4):
        E.E.E.E - F.F.F.F
    SA authentication:             preshared secret
    SA cipher:                     3des-cbc
    SA encryption/authentication:  ESP
    SA hash function:              md5

1) I tried making a gif device as written in
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
   and nothing - it does not work.

2) I put the IPs A.A.A.A, B.B.B.B etc. on real interfaces.

# my /usr/local/etc/racoon/psk.txt

    B.B.B.B preshared secret

# my /etc/ipsec.conf

    spdadd A.A.A.A/32 B.B.B.B/32 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
    spdadd B.B.B.B/32 A.A.A.A/32 any -P in  ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

# my /usr/local/etc/racoon/racoon.conf

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";

    log debug2;

    #
    # "padding" defines some parameter of padding. You should not touch these.
    padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    listen {
        isakmp A.A.A.A [500];
    }

    timer {
        counter 2;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
        phase1 30 sec;
        phase2 20 sec;
    }

    remote anonymous {
        exchange_mode main,base;
        my_identifier address A.A.A.A;
        lifetime time 1 hour;   # sec,min,hour
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 2;
        }
        proposal_check strict;
    }

    sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

And I cannot get clear on how to tunnel C.C.C.C and E.E.E.E through the A.A.A.A-B.B.B.B tunnel to D.D.D.D-F.F.F.F.

I try to ping:

    # ping -S C.C.C.C D.D.D.D

and get a reply. tcpdump esp shows:

    C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
    C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
    C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
    C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116

And when I try just a simple ping of host D.D.D.D there is no ESP.
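As an added example (it is not from the post above, nor from ipsec-tools or FreeBSD), here is a small Python model of how the SPD loaded from ipsec.conf picks a policy for an outgoing packet. The addresses are assumed documentation-range stand-ins for the placeholders in the post: A=192.0.2.10, B=198.51.100.10 (the IPsec tunnel ends), C=192.0.2.20, D=198.51.100.20 (the inner tunnel ends). The point it shows is that the SPD is matched against the header the IP layer is about to send: a bare ping from C to D never hits a policy written for A/32 <-> B/32, so it leaves in the clear, whereas once the C->D route points at a gif(4) tunnel whose outer addresses are A and B, the packet the SPD sees is A -> B with protocol 4 (ipencap), which both the posted "any" policy and the handbook's narrower "ipencap" policy match. The first-match-in-insertion-order lookup is a simplification of the kernel's own ordering rules.

```python
# Added example, not part of the original post or of ipsec-tools/FreeBSD:
# a model of SPD policy selection for the scenario in the post.
# Assumed placeholder addresses (documentation ranges, not real hosts):
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

A, B = "192.0.2.10", "198.51.100.10"    # IPsec tunnel endpoints (A.A.A.A, B.B.B.B)
C, D = "192.0.2.20", "198.51.100.20"    # inner tunnel endpoints (C.C.C.C, D.D.D.D)

# setkey(8) upper-layer keywords this model understands; None means "any".
UPPER = {"any": None, "icmp": 1, "ipencap": 4, "tcp": 6, "udp": 17, "gre": 47}
ICMP, IPENCAP = 1, 4                    # IPENCAP (IP-in-IP) is what gif(4) emits

SPD_LINE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+(?P<action>.+?)\s*;$"
)

@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]                # None = any upper-layer protocol
    direction: str                      # "in" or "out"
    action: str                         # e.g. "ipsec esp/tunnel/A-B/require"

def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd lines in ipsec.conf syntax; '#' starts a comment."""
    policies = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPD_LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported line: {line}")
        if m["upper"] not in UPPER:
            raise ValueError(f"unsupported upper-layer keyword: {m['upper']}")
        policies.append(Policy(
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            UPPER[m["upper"]], m["dir"], " ".join(m["action"].split()),
        ))
    return policies

def lookup(policies: List[Policy], src: str, dst: str, proto: int,
           direction: str) -> Optional[Policy]:
    """First policy whose selectors match the packet.  Assumption: plain
    insertion order; the kernel's ordering of SPD entries is richer."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction or s not in p.src or d not in p.dst:
            continue
        if p.proto is not None and p.proto != proto:
            continue
        return p
    return None

def gif_encapsulate(inner: Tuple[str, str, int], outer_src: str,
                    outer_dst: str) -> Tuple[str, str, int]:
    """What gif(4) does to a packet routed into it: the inner packet becomes
    the payload of an outer IP packet outer_src -> outer_dst, protocol 4.
    The SPD is consulted on this outer header, not on the inner one."""
    return (outer_src, outer_dst, IPENCAP)

def disposition(policies: List[Policy], pkt: Tuple[str, str, int],
                direction: str = "out") -> str:
    """'esp' if an ipsec esp policy applies, 'clear' if nothing matches."""
    p = lookup(policies, *pkt, direction)
    if p is None:
        return "clear"
    return "esp" if p.action.startswith("ipsec esp") else p.action

# The SPD from the post, placeholders substituted.
POSTED_SPD = f"""
spdadd {A}/32 {B}/32 any -P out ipsec esp/tunnel/{A}-{B}/require;
spdadd {B}/32 {A}/32 any -P in  ipsec esp/tunnel/{B}-{A}/require;
"""
# Handbook-style variant for gif: protect only the encapsulated traffic.
GIF_SPD = f"""
spdadd {A}/32 {B}/32 ipencap -P out ipsec esp/tunnel/{A}-{B}/require;
spdadd {B}/32 {A}/32 ipencap -P in  ipsec esp/tunnel/{B}-{A}/require;
"""

def demo() -> dict:
    posted, gif = parse_spd(POSTED_SPD), parse_spd(GIF_SPD)
    return {
        # ping -S C D with no gif in the path: no selector matches -> clear
        "C->D plain, posted SPD": disposition(posted, (C, D, ICMP)),
        # ping from A to B itself: A/32 -> B/32 any matches -> ESP
        "A->B plain, posted SPD": disposition(posted, (A, B, ICMP)),
        # C->D routed into gif(A,B): SPD sees A -> B proto 4 -> ESP
        "C->D via gif, posted SPD": disposition(posted, gif_encapsulate((C, D, ICMP), A, B)),
        "C->D via gif, gif SPD": disposition(gif, gif_encapsulate((C, D, ICMP), A, B)),
        # plain A->B ICMP is not ipencap, so the narrower gif SPD leaves it clear
        "A->B plain, gif SPD": disposition(gif, (A, B, ICMP)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Run it as-is to see the five cases; the practical consequence for the setup in the post is that the C/D traffic has to actually be routed into a gif whose tunnel addresses are A and B before any A/32 <-> B/32 policy can protect it.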