From: Hakan Olsson
To: jack xiao
Cc: tech@openbsd.org,
Date: Wed, 9 Jan 2002 10:26:23 +0100 (CET)
Subject: Re: isakmpd configuration
Sender: owner-freebsd-security@FreeBSD.ORG

(Cc:ed to freebsd-security@FreeBSD.ORG? Ok, whatever...)

On Tue, 8 Jan 2002, jack xiao wrote:

...
> I am going to set up two IPSec tunnels. One is 192.168.100.0/24 -
> 10.10.11.0/24, the other is 192.168.100.0/24 - 172.30.1.0/24. The
> diagram is like the following, 216.95.234.162 and 216.95.234.110 are
> two VPN gateways.
...
> I set in the isakmpd.conf as something like the following,
>
> [Phase 1]
> 216.95.234.110= VPN-11
>
> [Phase 2]
> Connections= VPN-12,VPN-22

Correct.

> [VPN-11]
> Phase= 1
> Transport= udp
> Local-address= 216.95.234.162
> Address= 216.95.234.110
> Configuration= Default-main-mode
> Authentication= qqqqqqqq

You need to define the [Default-main-mode] section as per the examples.

> [VPN-12]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-01
> Remote-ID= Net-remote-01

Ditto, [Default-quick-mode].

> [Net-local-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0
>
> [Net-remote-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.10.11.0
> Netmask= 255.255.255.0
>
> [VPN-22]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-02
> Remote-ID= Net-remote-02

You can simply re-use 'Net-local-01' for Local-ID here. Even though
defining and using an identical ...

> [Net-local-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0
...

is perfectly ok, it's not really required.

> [Net-remote-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.30.1.0
> Netmask= 255.255.255.0
>
> Is it correct? It seems not work fine. Any ideas will be appreciated.
>

The rest looks fine, AFAICT.

I'm sorry to say, however, that as usual you don't specify HOW it "seems
not to work fine". Am I supposed to guess?

/H

-- 
Håkan Olsson                (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security  (+46) 31 701 4264     & Technology AB
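An added example, not part of the thread and not isakmpd's own code: a small Python check that parses an isakmpd.conf and reports every section that is referenced by name (Configuration=, ISAKMP-peer=, Local-ID=, Remote-ID=, the [Phase 1] map and the [Phase 2] Connections= list) but never defined, which is exactly the gap Håkan points out for [Default-main-mode] and [Default-quick-mode]. The posted configuration is embedded as a constructed string (with Net-local-01 reused for VPN-22 as suggested; the eight-character pre-shared key is kept only because the poster used it and is not a sensible key for a real gateway). The two mode sections appended to repair it follow the shape of the stock isakmpd.conf example; the transform name 3DES-SHA and the suite name QM-ESP-3DES-SHA-PFS-SUITE are assumed to be available as isakmpd's built-in defaults.

```python
"""Referential-integrity check for an isakmpd.conf (added example, not from
the thread).  Every section a key points at must exist and, for [Phase 1]
entries and [Phase 2] Connections=, must carry the matching Phase= value."""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]
# Keys whose value is the name of another section in the same file.
SECTION_REF_KEYS = ("Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID")

# Constructed sample: the poster's config, Net-local-01 reused for VPN-22.
POSTED_CONF = """\
[Phase 1]
216.95.234.110=  VPN-11
[Phase 2]
Connections=     VPN-12,VPN-22
[VPN-11]
Phase=           1
Transport=       udp
Local-address=   216.95.234.162
Address=         216.95.234.110
Configuration=   Default-main-mode
Authentication=  qqqqqqqq   # poster's PSK, kept for illustration only
[VPN-12]
Phase=           2
ISAKMP-peer=     VPN-11
Configuration=   Default-quick-mode
Local-ID=        Net-local-01
Remote-ID=       Net-remote-01
[Net-local-01]
ID-type=         IPV4_ADDR_SUBNET
Network=         192.168.100.0
Netmask=         255.255.255.0
[Net-remote-01]
ID-type=         IPV4_ADDR_SUBNET
Network=         10.10.11.0
Netmask=         255.255.255.0
[VPN-22]
Phase=           2
ISAKMP-peer=     VPN-11
Configuration=   Default-quick-mode
Local-ID=        Net-local-01
Remote-ID=       Net-remote-02
[Net-remote-02]
ID-type=         IPV4_ADDR_SUBNET
Network=         172.30.1.0
Netmask=         255.255.255.0
"""

# The two sections the reply says are missing (names assumed from isakmpd's
# built-in transform/suite defaults).
DEFAULT_MODES = """\
[Default-main-mode]
DOI=             IPSEC
EXCHANGE_TYPE=   ID_PROT
Transforms=      3DES-SHA
[Default-quick-mode]
DOI=             IPSEC
EXCHANGE_TYPE=   QUICK_MODE
Suites=          QM-ESP-3DES-SHA-PFS-SUITE
"""


def parse_isakmpd_conf(text: str) -> Config:
    """Parse '[section]' headers and 'key= value' lines; '#' starts a comment."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparsable line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_references(conf: Config) -> List[str]:
    """Return one message per dangling or mis-phased section reference."""
    problems: List[str] = []
    # [Phase 1] maps a peer address to a section that must say Phase= 1.
    for addr, name in conf.get("Phase 1", {}).items():
        if name not in conf:
            problems.append(f"[Phase 1] {addr} -> [{name}] is not defined")
        elif conf[name].get("Phase") != "1":
            problems.append(f"[{name}] is in [Phase 1] but is not Phase= 1")
    # [Phase 2] Connections= lists sections that must say Phase= 2.
    for name in re.split(r"[,\s]+", conf.get("Phase 2", {}).get("Connections", "")):
        if not name:
            continue
        if name not in conf:
            problems.append(f"[Phase 2] Connections -> [{name}] is not defined")
        elif conf[name].get("Phase") != "2":
            problems.append(f"[{name}] is in Connections= but is not Phase= 2")
    # Configuration=, ISAKMP-peer=, Local-ID=, Remote-ID= all name sections.
    for sname, body in conf.items():
        for key in SECTION_REF_KEYS:
            target = body.get(key)
            if target is not None and target not in conf:
                problems.append(f"[{sname}] {key}= {target}: section not defined")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONF),
                        ("with default modes", POSTED_CONF + DEFAULT_MODES)):
        print(label + ":", check_references(parse_isakmpd_conf(text)) or "OK")
```

Run as posted, the check reports three dangling Configuration= references (VPN-11 to Default-main-mode, VPN-12 and VPN-22 to Default-quick-mode); with the two mode sections appended it reports nothing, which is the same diagnosis the reply gives by eye, and the kind of thing worth running before asking a list why a config "seems not to work".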