From: Aaron Siegel
To: freebsd-questions@freebsd.org
Date: Fri, 27 Aug 2004 22:22:31 -0600
Subject: Re: IPSEC Problems

I figured out my problem. I kept receiving the error "HASH mismatched". I reduced my racoon.conf down to the basics and it worked.

racoon.conf

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

remote anonymous
{
        exchange_mode aggressive ;
        lifetime time 24 hour ;
        proposal {
                encryption_algorithm 3des ;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

psk.txt

192.168.245.12 Shared Key

Sorry for the premature post.

Aaron

On Friday 27 August 2004 06:19 pm, Aaron Siegel wrote:
> Hello
>
> I am stumped. I am trying to get a very simple IPSEC tunnel between my laptops
> and gateway. I cannot seem to get the IKE to authenticate. I have had
> this working with my other server, which has been moved to a new
> location. I have a FreeBSD 4.10 Stable server and a 5.2.1 Release. I am
> aware of the problems with 5.2.1. I am not sure what I am missing. Is there
> a problem with 4.10 Stable? Both my Windows XP machine and FreeBSD 5.2.1
> are able to create a link with my new server; both of these computers were
> working with my old server.
>
> I have been able to set up a link between this computer and my other
> server.
> I have listed my configuration below
>
> Thank you,
> Aaron
>
>
> Laptop config
>
> /etc/ipsec.conf
> spdadd 192.168.245.12/32 0.0.0.0/0 tcp -P out ipsec
> esp/tunnel/192.168.245.12-192.168.245.1/require;
> spdadd 0.0.0.0/0 192.168.245.12/32 tcp -P in ipsec
> esp/tunnel/192.168.245.1-192.168.245.12/require;
>
>
> I have copied the racoon.conf.dist file to
> /usr/local/etc/racoon/racoon.conf. I have changed the "life time" parameter
> to "1 hour"
>
> /usr/local/etc/racoon/psk.txt
> 192.168.245.1 Secret Key
>
> Kernel
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG
>
> Server
>
> /etc/ipsec.conf
> spdadd 192.168.245.12/32 0.0.0.0/0 tcp -P in ipsec
> esp/tunnel/192.168.245.12-192.168.245.1/require;
> spdadd 0.0.0.0/0 192.168.245.12/32 tcp -P out ipsec
> esp/tunnel/192.168.245.1-192.168.245.12/require;
>
> spdadd 192.168.245.15/32 0.0.0.0/0 any -P in ipsec
> esp/tunnel/192.168.245.15-192.168.245.1/require;
> spdadd 0.0.0.0/0 192.168.245.15/32 any -P in ipsec
> esp/tunnel/192.168.245.1-192.168.245.15/require;
>
> I have copied the racoon.conf.dist file to
> /usr/local/etc/racoon/racoon.conf. I have changed the "life time" parameter
> to "1 hour"
>
> /usr/local/etc/racoon/psk.txt
> 192.168.245.12 Secret Key
> 192.168.245.15 Secret Key
>
> Kernel
> options FAST_IPSEC
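
An added example, not part of the original posts: a Python check that the setkey policies quoted above mirror each other on the two peers and that each -P direction agrees with its tunnel endpoints. The function names are assumptions made for this sketch; the policy lines are the ones posted in the thread, with continuation lines joined.

```python
import re

# One setkey(8) policy: spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/A-B/LEVEL;
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+\s*;")

def parse_spd(text):
    """Return (src, dst, proto, direction, tunnel_src, tunnel_dst) tuples."""
    return [m.groups() for m in SPD_RE.finditer(text)]

def direction_errors(policies, local_ip):
    """Policies whose -P direction contradicts the tunnel endpoints."""
    bad = []
    for src, dst, proto, direction, tsrc, tdst in policies:
        # Outbound traffic enters the tunnel at the local address,
        # inbound traffic leaves the tunnel at the local address.
        local_end = tsrc if direction == "out" else tdst
        if local_end != local_ip:
            bad.append((src, dst, direction))
    return bad

def unmirrored(local, peer, peer_ip):
    """Policies toward peer_ip that lack an opposite-direction twin on the peer."""
    flip = {"in": "out", "out": "in"}
    twins = {(s, d, p, flip[dr], ts, td) for s, d, p, dr, ts, td in peer}
    return [pol for pol in local if peer_ip in pol[4:] and pol not in twins]

# Policies as posted in the thread (line continuations joined).
LAPTOP = """
spdadd 192.168.245.12/32 0.0.0.0/0 tcp -P out ipsec esp/tunnel/192.168.245.12-192.168.245.1/require;
spdadd 0.0.0.0/0 192.168.245.12/32 tcp -P in ipsec esp/tunnel/192.168.245.1-192.168.245.12/require;
"""
SERVER = """
spdadd 192.168.245.12/32 0.0.0.0/0 tcp -P in ipsec esp/tunnel/192.168.245.12-192.168.245.1/require;
spdadd 0.0.0.0/0 192.168.245.12/32 tcp -P out ipsec esp/tunnel/192.168.245.1-192.168.245.12/require;
spdadd 192.168.245.15/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.245.15-192.168.245.1/require;
spdadd 0.0.0.0/0 192.168.245.15/32 any -P in ipsec esp/tunnel/192.168.245.1-192.168.245.15/require;
"""

if __name__ == "__main__":
    laptop, server = parse_spd(LAPTOP), parse_spd(SERVER)
    print("laptop direction errors:", direction_errors(laptop, "192.168.245.12"))
    print("server direction errors:", direction_errors(server, "192.168.245.1"))
    print("server policies with no twin on laptop:",
          unmirrored(server, laptop, "192.168.245.12"))
```

On the posted server policies the direction check reports the second 192.168.245.15 entry, which is marked -P in although its tunnel runs from 192.168.245.1 to 192.168.245.15.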