From: Przemyslaw Ciesielski
Date: Wed, 12 Feb 2003 14:15:52 +0100
To: freebsd-questions@freebsd.org
Subject: racoon.
Message-ID: <3E4A4908.1040801@missTCP.net>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; pl-PL; rv:1.3a) Gecko/20030130

Hello,

I've got a problem configuring an IPSEC tunnel with racoon and setkey.

    a.b.c.1 - LAN - a.b.c.254 <- IPSEC -> w.x.y.254 - LAN - w.x.y.1

    w.x.y.254 - CISCO
    a.b.c.254 - FreeBSD 5.0
    a.b.c.1   - Windows
    w.x.y.1   - Windows
    a.b.c.253 - gateway to internet

/usr/local/etc/racoon/racoon.conf:

    path include "/usr/local/etc/racoon" ;
    #include "remote.conf" ;
    path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

    log debug;

    padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    listen {
        isakmp a.b.c.254 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
    }

    timer {
        counter 5;              # maximum trying count to send.
        interval 60 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 60 sec;
        phase2 35 sec;
    }

    remote anonymous {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 86400 sec;

        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key ;
            dh_group 2 ;
        }
    }

    sainfo anonymous {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
    }

freebsd# cat /root/ipsec-conf.sh

    #!/bin/sh
    ifn=`ifconfig gif create`
    ifconfig ${ifn} tunnel a.b.c.254 w.x.y.254
    ifconfig ${ifn} inet a.b.c.1 w.x.y.1
    setkey -FP
    setkey -F
    setkey -c << EOF
    spdadd a.b.c.1/32 w.x.y.1/32 any -P out ipsec esp/tunnel/a.b.c.254-w.x.y.254/require;
    spdadd w.x.y.1/32 a.b.c.1/32 any -P in ipsec esp/tunnel/w.x.y.254-a.b.c.254/require;
    EOF

After running racoon and the ipsec-conf.sh script I've got:

freebsd# ifconfig -a

    ed1: a.b.c.254 netmask 255.255.255.0
    gif0: flags=8051 mtu 1280
            tunnel inet a.b.c.254 --> w.x.y.254
            inet a.b.c.1 --> w.x.y.1 netmask 0xffffff00

Why such a netmask? I want to have a tunnel between a.b.c.1 and w.x.y.1 only...

freebsd# netstat -rn

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            a.b.c.253          UGSc        0        5    ed1
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    w.x.y.1            a.b.c.1            UH          0        0   gif0
                       ^^^^^^^ why such a gateway?

Then from a.b.c.1 I try to ping w.x.y.1. a.b.c.254 and w.x.y.254 establish the IPSEC tunnel, but no packets go through the IPSEC connection; running tcpdump -i gif0 shows nothing. Of course on a.b.c.1 I've set up routing for w.x.y.1 through a.b.c.254...

--
p.
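The message above shows a security policy database loaded with setkey(8) and a gif(4) tunnel whose inner addresses are the same a.b.c.1 and w.x.y.1 that the SPD selectors name as the protected hosts. What follows is an added example, not code from the original message and not part of racoon or setkey: a small Python checker that parses spdadd lines of the shape used above and compares them with the gif tunnel's outer and inner addresses. It flags three things a defender wants to know before debugging a tunnel that "comes up" but carries no traffic: a policy whose tunnel endpoints do not match the gif outer addresses (or are written in the wrong order for its direction), an in or out policy with no mirrored policy for the return traffic, and a gif inner address that is exactly a /32 host named in a selector, which makes the FreeBSD gateway claim that LAN host's address itself. The addresses are constructed from the RFC 5737 documentation ranges and stand in for the a.b.c.x and w.x.y.x placeholders; the `SAMPLE_SPD` and `SAMPLE_GIF` inputs are likewise constructed to mirror the post's ipsec-conf.sh.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the two spdadd lines from the post, with RFC 5737
# documentation addresses standing in for the a.b.c.x / w.x.y.x placeholders.
SAMPLE_SPD = """\
spdadd 192.0.2.1/32 198.51.100.1/32 any -P out ipsec esp/tunnel/192.0.2.254-198.51.100.254/require;
spdadd 198.51.100.1/32 192.0.2.1/32 any -P in ipsec esp/tunnel/198.51.100.254-192.0.2.254/require;
"""

# Constructed gif parameters in the shape of the post's ipsec-conf.sh:
#   ifconfig gifN tunnel <outer local> <outer remote>
#   ifconfig gifN inet <inner local> <inner remote>
SAMPLE_GIF = {
    "tunnel": ("192.0.2.254", "198.51.100.254"),
    "inner": ("192.0.2.1", "198.51.100.1"),
}

SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<policy>[^\s;]+)\s*;$"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str        # upper-layer protocol selector, e.g. "any"
    direction: str    # "in" or "out"
    proto: str        # "esp" or "ah"
    mode: str         # "tunnel" or "transport"
    ep_a: str         # first tunnel endpoint as written in the policy
    ep_b: str         # second tunnel endpoint as written in the policy
    level: str        # "require", "use" or "default"


def parse_spd(text):
    """Parse setkey 'spdadd' lines into Policy records."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised setkey line: {line}")
        proto, mode, endpoints, level = m["policy"].split("/")
        ep_a, ep_b = endpoints.split("-")
        policies.append(Policy(ipaddress.ip_network(m["src"]),
                               ipaddress.ip_network(m["dst"]),
                               m["upper"], m["dir"], proto, mode, ep_a, ep_b, level))
    return policies


def check(policies, gif):
    """Return a sorted list of findings; an empty list means SPD and gif agree."""
    findings = set()
    outer_local, outer_remote = gif["tunnel"]
    inner_local = gif["inner"][0]
    seen = {(p.src, p.dst, p.upper, p.direction, p.proto, p.mode,
             p.ep_a, p.ep_b, p.level) for p in policies}
    for p in policies:
        # The policy's tunnel endpoints are the outer src-dst of the ESP packet,
        # so an 'out' policy reads local-remote and an 'in' policy remote-local;
        # both must use the same addresses as the gif tunnel's outer pair.
        want = (outer_local, outer_remote) if p.direction == "out" else (outer_remote, outer_local)
        if (p.ep_a, p.ep_b) != want:
            findings.add(f"{p.direction} {p.src}->{p.dst}: endpoints {p.ep_a}-{p.ep_b}, "
                         f"expected {want[0]}-{want[1]}")
        # Every policy needs its mirror image for the return traffic; without it
        # one direction is unprotected, or refused outright under 'require'.
        mirror_dir = "in" if p.direction == "out" else "out"
        mirror = (p.dst, p.src, p.upper, mirror_dir, p.proto, p.mode, p.ep_b, p.ep_a, p.level)
        if mirror not in seen:
            findings.add(f"{p.direction} {p.src}->{p.dst}: no mirrored "
                         f"{mirror_dir} policy {p.dst}->{p.src}")
    # A gif inner address that is exactly a /32 host from a selector means the
    # gateway itself now owns that LAN host's address: the two collide.
    host32 = {str(n.network_address) for p in policies
              for n in (p.src, p.dst) if n.prefixlen == 32}
    if inner_local in host32:
        findings.add(f"gif inner address {inner_local} is a /32 host named in an SPD selector")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(parse_spd(SAMPLE_SPD), SAMPLE_GIF):
        print("finding:", finding)
```

Run against the constructed sample, the endpoint and mirror checks pass and the only finding is the inner-address collision; replacing the gif inner addresses with ones that are not protected hosts makes the checker return an empty list. The mirror check deliberately compares every field, including the endpoint order, so an in policy that is merely "similar" to its out counterpart is still reported.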