Date:      Wed, 22 Nov 2000 12:13:40 -0800
From:      Boris <koester@x-itec.de>
To:        Josh Tiefenbach <josh@zipperup.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re[2]: IPSEC Win2k
Message-ID:  <3144961691.20001122121340@x-itec.de>
In-Reply-To: <20001121223533.B43748@zipperup.org>
References:  <838997467.20001121113524@x-itec.de> <20001121124847.F37765@zipperup.org> <1563982125.20001122005041@x-itec.de> <20001121223533.B43748@zipperup.org>

Hello Josh,

Tuesday, November 21, 2000, 7:35:33 PM, you wrote:



>>         spdadd 192.168.0.99/32 192.168.0.1 any -P out ipsec
JT>                                  ^^^^^^^^^^^
JT> This should probably be 192.168.0.1/32, but I don't think that has any effect
JT> on the problem you're seeing.

To avoid any problems, I have corrected this.

JT> However, I see a whole bunch of 'unacceptable proposal' messages in there. Are
JT> you sure that you've configured racoon to offer the same hash/encryption type
JT> as Win2k. It seems, i think, that your Win2k machine is requesting single-DES,
JT> while the FreeBSD machine only wants to do 3DES.

I have really tried everything for a week or so and have found no
solution. I can't get it up and running. It is very frustrating.

I will show you my complete configuration now; I can't find
anything wrong.

Here is my racoon.conf, modified a little. Maybe there is
something wrong with it, but I do not think so:

----------------- [ racoon.conf ] -------------------------

#path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
#bk
path pre_shared_key "/etc/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "info", "notify",
# "debug" or "debug2".
log debug4;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
 maximum_length 20;      # maximum padding length.
 randomize off;          # enable randomize length.
 strict_check off;       # enable strict check.
 exclusive_tail off;     # extract last one octet.
}


listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}


remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        #my_identifier address "192.168.0.99";
        ##peers_identifier address "192.168.0.1";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        lifetime byte 5 MB;     # B,KB,GB
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim


        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}


sainfo anonymous
{
        pfs_group 1;
        lifetime time 3600 sec;
        lifetime byte 5000 KB;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}




-------------------- [kernel settings] -------------------

....

#bk
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security

...

----------------------- [ initial bash script ] ---------------


#! /bin/sh
#
setkey -FP   # Note. -FP flushes all previous SPD (policy) entries,
setkey -F    # -F flushes the SAD (the SAs themselves).
setkey -c << EOF
spdadd 192.168.0.99/32 192.168.0.1/32 any -P out ipsec
       esp/transport/192.168.0.99-192.168.0.1/require;
spdadd 192.168.0.1/32 192.168.0.99/32 any -P in ipsec
       esp/transport/192.168.0.1-192.168.0.99/require;
EOF


------------------------------------------------

At this point I think we need 3DES and MD5. But even DES does not
work.

I have used a lot of combinations for the security settings on my
Win2k box.

This is the current configuration. One rule for all traffic (I have
removed the other ones because they did not want to work either, and I
wanted to try all combinations manually).

* Require Security

Security method:
unchecked: data and address integrity (AH)
checked: ESP with integrity: md5 and encryption: 3des

Session key settings: unchecked at this moment



I can't figure out any solution -(((((

JT> josh




-- 
Best regards,
 Boris                            mailto:koester@x-itec.de




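The "unacceptable proposal" messages Josh refers to come from the responder finding no transform in the initiator's SA payload whose attributes (cipher, hash, authentication method, DH group) match its own configured proposal. The following model of that matching is an added example written for this archive page; it is not code from the thread and not racoon's own implementation. The responder side is taken from the racoon.conf posted above (phase 1: 3des/md5/pre_shared_key/dh_group 2, lifetime 1 min; phase 2: the sainfo algorithm lists). The Win2k offers, including their 28800 s lifetime, are constructed assumptions, and the three proposal_check modes (obey, strict, claim) follow the racoon.conf keyword in simplified form.

```python
"""Model of IKEv1 phase 1 / phase 2 proposal matching on the responder side.

Added example for this page, not racoon's code.  It shows why a responder
logs "unacceptable proposal": no transform the initiator offers matches the
responder's configured attribute set, regardless of lifetime handling.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Phase1Transform:
    """One ISAKMP phase 1 transform (attribute set) from an SA payload."""
    encryption: str       # e.g. "3des", "des"
    hash: str             # e.g. "md5", "sha1"
    auth_method: str      # e.g. "pre_shared_key"
    dh_group: int         # 1 = 768-bit MODP, 2 = 1024-bit MODP
    lifetime_sec: int     # SA lifetime carried in the transform


def attributes_match(offered: Phase1Transform, ours: Phase1Transform) -> bool:
    """Algorithm attributes must match exactly; lifetime is handled separately."""
    return (offered.encryption == ours.encryption
            and offered.hash == ours.hash
            and offered.auth_method == ours.auth_method
            and offered.dh_group == ours.dh_group)


def select_phase1(offered: Iterable[Phase1Transform],
                  ours: Iterable[Phase1Transform],
                  proposal_check: str = "obey") -> Optional[Tuple[Phase1Transform, int]]:
    """Pick the first offered transform the responder accepts.

    proposal_check mirrors the racoon.conf keyword (simplified model):
      obey   - accept the initiator's lifetime as is
      strict - reject a transform whose lifetime exceeds ours
      claim  - accept, but use the smaller of the two lifetimes
    Returns (transform, agreed lifetime), or None = "unacceptable proposal".
    """
    if proposal_check not in ("obey", "strict", "claim"):
        raise ValueError(f"unknown proposal_check mode: {proposal_check}")
    our_list = list(ours)
    for cand in offered:                      # initiator's preference order
        for mine in our_list:
            if not attributes_match(cand, mine):
                continue
            if proposal_check == "obey":
                return cand, cand.lifetime_sec
            if proposal_check == "claim":
                return cand, min(cand.lifetime_sec, mine.lifetime_sec)
            if cand.lifetime_sec <= mine.lifetime_sec:   # strict
                return cand, cand.lifetime_sec
    return None


def select_phase2(offered_esp: Iterable[Tuple[str, str]],
                  encryption_algorithms: List[str],
                  authentication_algorithms: List[str]) -> Optional[Tuple[str, str]]:
    """Phase 2 (quick mode): the ESP (cipher, integrity) pair must be in the sainfo lists."""
    for enc, auth in offered_esp:
        if enc in encryption_algorithms and auth in authentication_algorithms:
            return enc, auth
    return None


# Responder: the single phase 1 proposal from the posted racoon.conf
# (3des, md5, pre_shared_key, dh_group 2, lifetime time 1 min).
FREEBSD_PHASE1 = [Phase1Transform("3des", "md5", "pre_shared_key", 2, 60)]

# Responder: sainfo anonymous from the same file.
FREEBSD_ESP_ENC = ["3des", "des", "cast128", "blowfish"]
FREEBSD_ESP_AUTH = ["hmac_sha1", "hmac_md5"]

# Initiator: two CONSTRUCTED offers standing in for a Win2k policy.  The
# attribute sets and the 28800 s lifetime are assumptions, not captured data.
WIN2K_OFFER_DES_DH1 = [Phase1Transform("des", "md5", "pre_shared_key", 1, 28800)]
WIN2K_OFFER_3DES_DH2 = [Phase1Transform("3des", "md5", "pre_shared_key", 2, 28800)]


def explain(result: Optional[Tuple[Phase1Transform, int]]) -> str:
    if result is None:
        return "unacceptable proposal: no offered transform matches ours"
    t, life = result
    return f"accepted {t.encryption}/{t.hash}/dh{t.dh_group}, lifetime {life}s"


if __name__ == "__main__":
    for name, offer in (("des/dh1", WIN2K_OFFER_DES_DH1), ("3des/dh2", WIN2K_OFFER_3DES_DH2)):
        for mode in ("obey", "strict", "claim"):
            print(f"{name:9} {mode:6} -> {explain(select_phase1(offer, FREEBSD_PHASE1, mode))}")
    print("phase 2:", select_phase2([("3des", "hmac_md5")], FREEBSD_ESP_ENC, FREEBSD_ESP_AUTH))
```

Two things stand out when running it against the posted configuration. A DES/DH group 1 offer can never be accepted by a responder that only lists 3des with dh_group 2, no matter which proposal_check mode is set; that is the phase 1 failure. And with a matching 3DES/DH group 2 offer, only `obey` (the mode in the file) or `claim` will accept a peer lifetime longer than the configured 1 minute; `strict` would reject it too.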




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3144961691.20001122121340>