From: chris scott <chris.scott@uk.tiscali.com>
Date: Sat, 04 Nov 2006 23:44:04 +0000
To: peter@alastria.net
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC, isakmpd, tunnel/transport encapsulation...
Message-ID: <454D25C4.2000503@uk.tiscali.com>
In-Reply-To: <2864.10.10.4.10.1162579931.squirrel@neon.alastria.lan>
List-Id: Networking and TCP/IP with FreeBSD

I tried to set up something exactly like you did. I could do it fine with FreeBSD boxes as I would do it via username, not IP. Never really got the problem sorted for Windows though.
I ended up using OpenVPN instead. I would seriously recommend you try this solution as it's far easier to set up. Being as it runs over UDP or TCP it runs into no issues with NAT like you do with IPSEC. If you run the server on TCP port 443 you can also get it to run through corp firewalls that require you to use a web proxy.

Chris

peter@alastria.net wrote:
> Good Evening,
>
> I apologise for what may end up being a stupid question, I'm getting
> towards my wits' end. I've got a FreeBSD 6.2-PRERELEASE (cvsup of about
> 1300 GMT today) gateway which I'm attempting to run IPSEC/L2TP for
> wireless security.
>
> My client computers are Windows XP and Mac OS X, and the issue happens
> with both. No client has a fixed IP, so I want to permit any IP to
> establish an IPSEC session providing they know the preshared key.
>
> I'm using isakmpd for setup of the IPSEC side of things and hopefully
> SL2TPS for the L2TP side, although I'm not there yet.
>
> My issue is that none of my clients can establish an L2TP session for what
> looks to be a mismatch of encapsulation types. For example, the first
> packet below is from my laptop to the gateway, the second is the reply.
>
> 18:18:56.540995 (authentic,confidential): SPI 0x1b79c065: IP
> 10.10.3.254.1701 > 10.10.2.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0
> *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP()
> FIRM_VER(1280) |...
>
> 18:18:56.541039 (authentic,confidential): SPI 0x136223d4: IP 10.10.2.1 >
> 10.10.3.254: IP 10.10.2.1.1701 > 10.10.3.254.1701: l2tp:[TLS](20/0)
> Ns=1,Nr=1 ZLB (ipip-proto-4)
>
> This seems to be causing issues as the remote host isn't expecting the
> IPIP encapsulation there. I don't believe it has anything to do with
> SL2TPS because if I try and ICMP ping 10.10.3.254 from 10.10.2.1, the ICMP
> request is IPSEC'd with the IPIP encapsulation.
>
> Has anyone seen this before? I'm using a fairly simplistic isakmpd.conf
> (which may be my issue)...
>
> [General]
> Listen-on = 10.10.2.1
>
> [Phase 1]
> Default = local-peers
>
> [Phase 2]
> Passive-connections = authenticated-peers
>
> [local-peers]
> Phase = 1
> Local-address = 10.10.2.1
> Authentication = mypresharedkey
> Configuration = isakmp-main-mode
>
> [authenticated-peers]
> Phase = 2
> ISAKMP-peer = local-peers
> Local-ID = local-network
> Remote-ID = remote-network
> #Configuration = ipsec-quick-mode
>
> [local-network]
> ID-type = IPV4_ADDR_SUBNET
> Network = 0.0.0.0
> Netmask = 0.0.0.0
>
> [remote-network]
> ID-type = IPV4_ADDR_SUBNET
> Network = 10.10.2.0
> Netmask = 255.255.254.0
>
> [isakmp-main-mode]
> EXCHANGE_TYPE = ID_PROT
> Transforms= 3DES-SHA
>
> [ipsec-quick-mode]
> EXCHANGE_TYPE = QUICK_MODE
>
> I have an isakmpd.policy of...
>
> KeyNote-Version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" -> "true";
>
> I have tried specifying Transforms/Suites on ipsec-quick-mode that should
> use transport encapsulation, I've even tried tunnel encapsulation to see
> if it'll solve it. I've added esp_encapsulation == "transport" to the
> policy file, and that hasn't helped either.
>
> Does anyone have a clue what I'm doing wrong? I sadly know very little
> about IPSEC, although I've learnt a lot today. If anyone had any sample
> configs of doing this kind of thing, that would be great. Google is
> somewhat lacking in info on this one.
>
> Many thanks for any help or suggestions!
>
> Cheers,
>
> Peter.
>
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
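As an added example (not Peter's working config, and not a fix the thread confirms), here is how isakmpd.conf expresses transport-mode ESP for the L2TP port using the transform keywords documented in isakmpd.conf(5): host IDs carrying UDP port 1701 instead of subnet IDs, plus a quick-mode configuration that the Phase 2 connection actually references. It assumes the section names gateway-l2tp, client-l2tp and ipsec-quick-mode-transport, and a single client at 10.10.3.254 standing in for Peter's roaming clients.

```ini
# Added example, not the poster's configuration: isakmpd.conf fragments
# for transport-mode ESP protecting L2TP (UDP 1701) between the gateway
# 10.10.2.1 and one client at 10.10.3.254 (assumed single client).

[Phase 2]
Passive-connections = authenticated-peers

[authenticated-peers]
Phase = 2
ISAKMP-peer = local-peers
Local-ID = gateway-l2tp
Remote-ID = client-l2tp
# In the original this line was commented out, so the passive connection
# fell back to isakmpd's default quick-mode suites, which are tunnel mode.
Configuration = ipsec-quick-mode-transport

# Host IDs with protocol and port, not IPV4_ADDR_SUBNET: a subnet ID
# describes traffic to be tunnelled, which is the extra inner IP header
# tcpdump reported as (ipip-proto-4).
[gateway-l2tp]
ID-type = IPV4_ADDR
Address = 10.10.2.1
Protocol = udp
Port = 1701

[client-l2tp]
ID-type = IPV4_ADDR
Address = 10.10.3.254
Protocol = udp
Port = 1701

[ipsec-quick-mode-transport]
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-TRP-3DES-SHA-SUITE

# The suite spelled out in full so the encapsulation mode is explicit
# rather than relying on a predefined suite name.
[QM-ESP-TRP-3DES-SHA-SUITE]
Protocols = QM-ESP-TRP-3DES-SHA

[QM-ESP-TRP-3DES-SHA]
PROTOCOL_ID = IPSEC_ESP
Transforms = QM-ESP-TRP-3DES-SHA-XF

[QM-ESP-TRP-3DES-SHA-XF]
TRANSFORM_ID = 3DES
ENCAPSULATION_MODE = TRANSPORT
AUTHENTICATION_ALGORITHM = HMAC_SHA
```

With this in place, a decrypted reply in tcpdump should show a single IP header (10.10.2.1.1701 > 10.10.3.254.1701) with no ipip-proto-4 inner packet; the isakmpd.policy still has to permit transport encapsulation, as Peter's esp_encapsulation == "transport" clause does.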