Date: Wed, 12 Feb 2003 14:15:52 +0100
From: Przemyslaw Ciesielski <p@missTCP.net>
To: freebsd-questions@freebsd.org
Subject: racoon.
Message-ID: <3E4A4908.1040801@missTCP.net>
Hello,
I've got a problem configuring an IPSEC tunnel with racoon and setkey.
a.b.c.1 - LAN - a.b.c.254 <- IPSEC -> w.x.y.254 - LAN - w.x.y.1
w.x.y.254 - CISCO.
a.b.c.254 - FreeBSD 5.0
a.b.c.1 - Windows
w.x.y.1 - Windows
a.b.c.253 - gateway to internet
/usr/local/etc/racoon/racoon.conf:
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}
listen
{
    isakmp a.b.c.254 [500];
    #admin [7002];        # administrative's port by kmpstat.
    #strict_address;      # required all addresses must be bound.
}
timer
{
    counter 5;            # maximum trying count to send.
    interval 60 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.
    # timer for waiting to complete each phase.
    phase1 60 sec;
    phase2 35 sec;
}
remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    nonce_size 16;
    lifetime time 86400 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
freebsd# cat /root/ipsec-conf.sh
#!/bin/sh
ifn=`ifconfig gif create`
ifconfig ${ifn} tunnel a.b.c.254 w.x.y.254
ifconfig ${ifn} inet a.b.c.1 w.x.y.1
setkey -FP
setkey -F
setkey -c << EOF
spdadd a.b.c.1/32 w.x.y.1/32 any -P out ipsec
    esp/tunnel/a.b.c.254-w.x.y.254/require;
spdadd w.x.y.1/32 a.b.c.1/32 any -P in ipsec
    esp/tunnel/w.x.y.254-a.b.c.254/require;
EOF
After running racoon and the ipsec-conf.sh script I've got:
freebsd# ifconfig -a
ed1: a.b.c.254 netmask 255.255.255.0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet a.b.c.254 --> w.x.y.254
        inet a.b.c.1 --> w.x.y.1 netmask 0xffffff00
Why such a netmask? I want to have a tunnel between a.b.c.1 and w.x.y.1 only...
freebsd# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default a.b.c.253 UGSc 0 5 ed1
127.0.0.1 127.0.0.1 UH 0 0 lo0
w.x.y.1 a.b.c.1 UH 0 0 gif0
^^^^^^^ why such gateway?
Then from a.b.c.1 I try to ping w.x.y.1. a.b.c.254 and w.x.y.254
establish an IPSEC tunnel, but no packets go through the IPSEC connection;
running tcpdump -i gif0 shows nothing.
Of course on a.b.c.1 I've set up routing for w.x.y.1 through a.b.c.254...
--
p.
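An added example, not part of the post and not code from racoon or setkey: a small checker that parses setkey(8) spdadd statements of the form used in ipsec-conf.sh above and verifies the two things that most often go wrong with a pair of tunnel-mode policies, that the outer tunnel endpoints are ordered the right way for each direction (out = local gateway to remote gateway, in = the reverse), that every policy has a mirror for the return traffic, and that no selector covers a tunnel endpoint itself (which would make the ESP packets match the policy). The RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for the post's a.b.c.* and w.x.y.*; the function names, the `Policy` record and the wording of the findings are this example's own choices.

```python
"""Parse setkey(8) spdadd statements and sanity-check tunnel-mode policies
against the gateway addresses they are supposed to run between."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the post's two spdadd entries, with 192.0.2.* standing in
# for a.b.c.* and 198.51.100.* for w.x.y.* (the line continuation is kept as-is).
SAMPLE_SPD = """
spdadd 192.0.2.1/32 198.51.100.1/32 any -P out ipsec
    esp/tunnel/192.0.2.254-198.51.100.254/require;
spdadd 198.51.100.1/32 192.0.2.1/32 any -P in ipsec
    esp/tunnel/198.51.100.254-192.0.2.254/require;
"""

# Constructed sample of a common slip: the inbound policy repeats the outbound
# endpoint order instead of reversing it.
BROKEN_SPD = """
spdadd 192.0.2.1/32 198.51.100.1/32 any -P out ipsec
    esp/tunnel/192.0.2.254-198.51.100.254/require;
spdadd 198.51.100.1/32 192.0.2.1/32 any -P in ipsec
    esp/tunnel/192.0.2.254-198.51.100.254/require;
"""

# spdadd SRC DST UPPER -P DIR ACTION [PROTO/MODE/[EPSRC-EPDST]/LEVEL]
# (transport mode leaves the endpoint field empty: esp/transport//require)
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?P<action>ipsec|discard|none)"
    r"(?:\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)"
    r"(?:/(?:(?P<ep_src>[^-/\s]+)-(?P<ep_dst>[^/\s]+))?)?/(?P<level>default|use|require|unique))?$"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str
    proto: Optional[str]
    mode: Optional[str]
    ep_src: Optional[ipaddress.IPv4Address]
    ep_dst: Optional[ipaddress.IPv4Address]
    level: Optional[str]


def _addr(s: Optional[str]) -> Optional[ipaddress.IPv4Address]:
    return ipaddress.ip_address(s) if s else None


def parse_spd(text: str) -> List[Policy]:
    """Parse every ';'-terminated spdadd statement in a setkey script."""
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())      # join the continuation line, squeeze blanks
        if not stmt:
            continue
        m = SPDADD_RE.match(stmt)
        if not m:
            raise ValueError(f"unparsed statement: {stmt!r}")
        g = m.groupdict()
        policies.append(Policy(
            src=ipaddress.ip_network(g["src"], strict=False),
            dst=ipaddress.ip_network(g["dst"], strict=False),
            direction=g["dir"], action=g["action"], proto=g["proto"], mode=g["mode"],
            ep_src=_addr(g["ep_src"]), ep_dst=_addr(g["ep_dst"]), level=g["level"],
        ))
    return policies


def check_spd(policies: List[Policy], local_gw: str, remote_gw: str) -> List[str]:
    """Return human-readable findings; an empty list means the policies look consistent."""
    local, remote = ipaddress.ip_address(local_gw), ipaddress.ip_address(remote_gw)
    seen = {(p.src, p.dst, p.direction) for p in policies}
    findings = []
    for p in policies:
        if p.action != "ipsec":
            continue
        tag = f"{p.direction} policy {p.src}->{p.dst}"
        # Every policy needs its mirror, or the return traffic bypasses IPsec.
        mirror = (p.dst, p.src, "in" if p.direction == "out" else "out")
        if mirror not in seen:
            findings.append(f"{tag}: no matching {mirror[2]} policy for {mirror[0]}->{mirror[1]}")
        # Outer endpoints follow the traffic: out = local->remote, in = remote->local.
        if p.mode == "tunnel":
            want = (local, remote) if p.direction == "out" else (remote, local)
            if (p.ep_src, p.ep_dst) != want:
                findings.append(f"{tag}: tunnel endpoints {p.ep_src}-{p.ep_dst}, "
                                f"expected {want[0]}-{want[1]}")
        # A selector that covers a gateway address would match the ESP packets too.
        for net in (p.src, p.dst):
            for gw in (local, remote):
                if gw in net:
                    findings.append(f"{tag}: selector {net} covers tunnel endpoint {gw}")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SPD), ("broken", BROKEN_SPD)):
        print(name, check_spd(parse_spd(text), "192.0.2.254", "198.51.100.254") or "ok")
```

Run it against a copy of the heredoc in the script (with the real addresses filled in) and the two gateway addresses; an empty result for both directions is the baseline to establish before looking further at gif addressing or the racoon phase 2 proposal.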