From owner-freebsd-questions@FreeBSD.ORG  Fri Feb 17 16:49:38 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8FE5E16A420
	for <freebsd-questions@freebsd.org>;
	Fri, 17 Feb 2006 16:49:38 +0000 (GMT) (envelope-from mike@sentex.net)
Received: from smarthost2.sentex.ca (smarthost2.sentex.ca [205.211.164.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5A92143D7E
	for <freebsd-questions@freebsd.org>;
	Fri, 17 Feb 2006 16:49:35 +0000 (GMT) (envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by smarthost2.sentex.ca (8.13.4/8.13.4) with ESMTP id k1HGnXAA059911;
	Fri, 17 Feb 2006 11:49:33 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27])
	by lava.sentex.ca (8.13.3/8.13.3) with ESMTP id k1HGnWqu021454
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 17 Feb 2006 11:49:32 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
Date: Fri, 17 Feb 2006 11:49:29 -0500
To: =?iso-8859-1?Q?K=F6vesd=E1n?= =?iso-8859-1?Q?_G=E1bor?=
	<gabor.kovesdan@t-hosting.hu>
From: Mike Tancsa <mike@sentex.net>
In-Reply-To: <43F5F91E.5020005@t-hosting.hu>
References: <43F4B5D2.6020303@t-hosting.hu>
	<r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com>
	<43F5F91E.5020005@t-hosting.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: by amavisd-new
X-Scanned-By: MIMEDefang 2.51 on 205.211.164.50
Cc: freebsd-questions@freebsd.org
Subject: Re: Setting up VPN+IPSec+Racoon
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2006 16:49:38 -0000

At 11:26 AM 17/02/2006, K=F6vesd=E1n G=E1bor wrote:
>Mike Tancsa wrote:
>
>>As for tutorials, google around and read through various posts.  There
>>is lots of good info out there.  Perhaps if you describe what you want
>>to do, people can make specific suggestions.
>>
>>         ---Mike
>>
>>
>Unfortunately, I haven't found a good howto. The situation is the=
 following:


freebsd ipsec tutorial

in google comes up with a number of starting points including

http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html




>This project will be some kind of SMS service.=20
>The serv will connect to the SMS server and get=20
>the received SMSes, but the connection to the=20
>SMS server is only allowed via VPN. Here are two=20
>IP addresses, one of them is the VPN peers=20
>address. I have to set up a VPN connection to=20
>this host with 3DES SHA IPsec and a DH=20
>pre-shared key. The other IP address is the SMS=20
>servers adress but that is only accessible via VPN.


First, you need to show what your policy is.

typical setup described is

internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet=
_B

Where internalNet_A needs to talk to internalNet_B in a safe and secure way.


So, identify what those parts of the policy are.

Put it in a shell script like

Bsubnet=3D172.24.0.17/29
BexternalIP=3D80.244.96.229
Asubnet=3D192.168.2.186/32
AexternalIP=3D80.98.231.227
setkey -F
setkey -FP

/usr/sbin/setkey -c <<EOF1
spdadd $Asubnet $Bsubnet any -P out ipsec=20
esp/tunnel/$AexternalIP-$Bsubnet/unique;
spdadd $Bsubnet $Asubnet any -P in ipsec=20
esp/tunnel/$Bsubnet-$AexternalIP/unique;
EOF1

This sets up the policy.

Type
setkey -DP

It will show you the installed policies.  Once=20
you try and send some traffic across with PhaseI=20
and PhaseII negotiated, you will see the associations with
setkey -D




>I've installed ipsec-tools, and tried to=20
>configure it, but I can't start racoon and I get=20
>a configuration file parse error. I couldn't=20
>found out which line is wrong. I just got this:
>racoon: failed to parse configuration file.

IPSEC Tools is fussy about where the config=20
is.  Its saying it cant find the config.
Try racoon -d -f /usr/local/etc/racoon/racoon.conf


Also, make sure for your sainfo config, it must=20
match your policies, otherwise it will hit the=20
anonymous config. For your initial setup, try it=20
with an anonymous config for now and then work on=20
getting only a specific config.
e.g.
sainfo address 172.24.0.17/29 any address 192.168.2.186/24 any


>Here is the racoon.conf:
>
># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
>path include "@sysconfdir_x@/racoon";
>#include "remote.conf";


         ---Mike=20