Date: Fri, 17 Feb 2006 11:49:29 -0500
From: Mike Tancsa <mike@sentex.net>
To: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Setting up VPN+IPSec+Racoon
Message-ID: <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>
In-Reply-To: <43F5F91E.5020005@t-hosting.hu>
References: <43F4B5D2.6020303@t-hosting.hu> <r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com> <43F5F91E.5020005@t-hosting.hu>
At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>Mike Tancsa wrote:
>
>>As for tutorials, google around and read through various posts. There
>>is lots of good info out there. Perhaps if you describe what you want
>>to do, people can make specific suggestions.
>>
>> ---Mike
>>
>>
>Unfortunately, I haven't found a good howto. The situation is the following:

"freebsd ipsec tutorial" in Google comes up with a number of starting points, including
http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

>This project will be some kind of SMS service.
>The serv will connect to the SMS server and get
>the received SMSes, but the connection to the
>SMS server is only allowed via VPN. Here are two
>IP addresses, one of them is the VPN peer's
>address. I have to set up a VPN connection to
>this host with 3DES SHA IPsec and a DH
>pre-shared key. The other IP address is the SMS
>server's address, but that is only accessible via VPN.

First, you need to show what your policy is. The typical setup described is

internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet_B

where internalNet_A needs to talk to internalNet_B in a safe and secure way. So, identify what those parts of the policy are. Put it in a shell script like

# Traffic selectors (what gets protected) and the two gateway
# addresses (the tunnel endpoints).
Bsubnet=172.24.0.17/29
BexternalIP=80.244.96.229
Asubnet=192.168.2.186/32
AexternalIP=80.98.231.227

# Flush the SAD and the SPD before installing the new policy.
setkey -F
setkey -FP

# The esp/tunnel part names the two gateway addresses, not the
# protected subnets.
/usr/sbin/setkey -c <<EOF1
spdadd $Asubnet $Bsubnet any -P out ipsec esp/tunnel/$AexternalIP-$BexternalIP/unique;
spdadd $Bsubnet $Asubnet any -P in ipsec esp/tunnel/$BexternalIP-$AexternalIP/unique;
EOF1

This sets up the policy. Type

setkey -DP

It will show you the installed policies. Once you try and send some traffic across with Phase I and Phase II negotiated, you will see the associations with

setkey -D

>I've installed ipsec-tools, and tried to
>configure it, but I can't start racoon and I get
>a configuration file parse error. I couldn't
>find out which line is wrong. I just got this:
>racoon: failed to parse configuration file.
IPsec-tools is fussy about where the config is. It's saying it can't find the config. Try

racoon -d -f /usr/local/etc/racoon/racoon.conf

Also, make sure your sainfo config matches your policies, otherwise it will hit the anonymous config. For your initial setup, try it with an anonymous config for now and then work on getting only a specific config, e.g.

sainfo address 172.24.0.17/29 any address 192.168.2.186/24 any

>Here is the racoon.conf:
>
># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
>path include "@sysconfdir_x@/racoon";
>#include "remote.conf";

        ---Mike
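The two places this setup usually goes wrong are the ones Mike's reply touches: a tunnel endpoint written as a subnet rather than a gateway address in the spdadd lines, and a sainfo selector whose prefix length differs from the SPD selector (the reply's sainfo uses 192.168.2.186/24 while the policy uses /32), which is the mismatch that sends the negotiation to the anonymous sainfo. The Python below is an added example, not code from this thread or from ipsec-tools: it renders the setkey script from the four addresses quoted above, reports both mistakes before anything is loaded, and scans a racoon.conf for unsubstituted @name@ template placeholders such as the @sysconfdir_x@ still present in the quoted fragment. The function names are mine; sainfo_matches uses an exact-match rule that is a stated assumption (the conservative reading of racoon's sainfo selection), and it takes the sainfo addresses in racoon's local, remote order as seen from the A gateway.

```python
"""Render and sanity-check an IPsec tunnel policy of the kind shown in the post.

Added example: not code from the thread or from ipsec-tools. Addresses are the
ones quoted in the post; function names and the sainfo matching rule are mine.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelPolicy:
    local_net: str    # traffic selector behind our gateway (the A side)
    local_gw: str     # our external address, i.e. our tunnel endpoint
    remote_net: str   # traffic selector behind the peer gateway (the B side)
    remote_gw: str    # the peer's external address, the other endpoint


def render_spd(p: TunnelPolicy) -> str:
    """Shell/setkey(8) text for the out+in policy pair. The esp/tunnel part
    names the two gateway addresses, never the protected subnets."""
    out_line = (f"spdadd {p.local_net} {p.remote_net} any -P out ipsec "
                f"esp/tunnel/{p.local_gw}-{p.remote_gw}/unique;")
    in_line = (f"spdadd {p.remote_net} {p.local_net} any -P in ipsec "
               f"esp/tunnel/{p.remote_gw}-{p.local_gw}/unique;")
    return "\n".join(["setkey -F", "setkey -FP", "setkey -c <<EOF1",
                      out_line, in_line, "EOF1"])


def check_policy(p: TunnelPolicy) -> dict:
    """Return {'errors': [...], 'warnings': [...]}.
    errors:   a tunnel endpoint given as a prefix instead of a host address
              (the slip in the posted script, which used $Bsubnet there)
    warnings: a selector with host bits set, which setkey masks silently"""
    errors, warnings = [], []
    for side, net in (("local", p.local_net), ("remote", p.remote_net)):
        try:
            ipaddress.ip_network(net)            # strict: host bits -> ValueError
        except ValueError:
            try:
                masked = ipaddress.ip_network(net, strict=False)
            except ValueError:
                errors.append(f"{side} selector {net!r} is not a valid prefix")
                continue
            warnings.append(f"{side} selector {net!r} has host bits set; "
                            f"setkey will install it as {masked}")
    for side, gw in (("local", p.local_gw), ("remote", p.remote_gw)):
        try:
            ipaddress.ip_address(gw)
        except ValueError:
            errors.append(f"{side} tunnel endpoint {gw!r} must be a single "
                          f"gateway address, not a prefix")
    return {"errors": errors, "warnings": warnings}


def sainfo_matches(p: TunnelPolicy, sainfo_local: str, sainfo_remote: str) -> bool:
    """Simplified model of racoon's sainfo selection (an assumption, not
    racoon's code): 'sainfo address L any address R any' applies only when L
    and R equal the policy selectors exactly, same network and same prefix
    length; any other pair is treated as falling through to 'sainfo anonymous'.
    Whether a wider sainfo prefix is also accepted differs between racoon
    versions, so exact match is the conservative check."""
    def net(s):
        return ipaddress.ip_network(s, strict=False)
    return (net(sainfo_local) == net(p.local_net)
            and net(sainfo_remote) == net(p.remote_net))


PLACEHOLDER = re.compile(r"@[A-Za-z_][A-Za-z0-9_]*@")


def find_template_placeholders(conf_text: str) -> list:
    """(line number, token) for every unsubstituted @name@ left in a config,
    as happens when racoon.conf.in is copied without configure's substitution
    (the quoted fragment still has @sysconfdir_x@ in its path directive)."""
    return [(n, m.group(0))
            for n, line in enumerate(conf_text.splitlines(), 1)
            for m in PLACEHOLDER.finditer(line)]


if __name__ == "__main__":
    policy = TunnelPolicy(local_net="192.168.2.186/32", local_gw="80.98.231.227",
                          remote_net="172.24.0.17/29", remote_gw="80.244.96.229")
    print(render_spd(policy))
    print(check_policy(policy))
    # prefix-length mismatch between the sainfo (/24) and the SPD selector (/32)
    print("sainfo /24 matches /32 policy:",
          sainfo_matches(policy, "192.168.2.186/24", "172.24.0.17/29"))
    # constructed copy of the racoon.conf fragment quoted in the thread
    quoted_conf = ('# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $\n'
                   '\n'
                   'path include "@sysconfdir_x@/racoon";\n'
                   '#include "remote.conf";\n')
    print(find_template_placeholders(quoted_conf))
```

Running it prints the script to feed to setkey -c, one warning (172.24.0.17/29 has host bits set and will be installed as 172.24.0.16/29), False for the /24-versus-/32 sainfo check, and the line of the quoted config that still carries the template placeholder. Feeding it the posted script's original tunnel spec, with $Bsubnet as the B endpoint, produces an error instead of a warning.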
