Date: Mon, 30 Apr 2001 23:07:43 +1000
From: David Turnbull
To: freebsd-questions@freebsd.org
Subject: IPSEC and FreeBSD 4.3
Message-ID: <20010430230743.A28837@mr.dave>

I've been trying to configure an IPsec network with a friend, who runs Linux + FreeS/WAN. So far we've got most of it (I think) working except a routing problem. When it tries to get the IPsec SA it times out and his logs say "route-host command exited with status 7". Now, as soon as I enter my SPD configuration with setkey -c, we can't ping each other like normal, and I think this is the issue.

Here is some config info that might be relevant:

    spdadd 216.126.136.108/32 210.84.119.238/32 any -P in ipsec esp/transport//require ;
    spdadd 210.84.119.238/32 216.126.136.108/32 any -P out ipsec esp/transport//require ;

/usr/local/etc/racoon/racoon.conf:

    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log debug4;

    padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    remote anonymous {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;    # sec,min,hour
        lifetime byte 100 MB;       # B,KB,GB
        initial_contact on;
        # my_identifier fqdn "right";
        proposal {
            encryption_algorithm 3des;
            hash_algorithm hmac_sha1;
            authentication_method pre_shared_key;
            dh_group 2 ;
        }
    }

    # phase 2 proposal (for IPsec SA).
    sainfo anonymous {
        lifetime time 12 hour;
        #lifetime time 3 minute;
        lifetime byte 50 MB;
        encryption_algorithm 3des, cast128, des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }

Am I right in thinking that my config is OK, and that the FreeS/WAN config is broken?

Thanks,
Dave
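As an added illustration (not code from the post above), the following script parses setkey(8) spdadd lines like the two quoted in the mail, checks that each policy has a mirrored partner in the opposite direction, and flags the `require` level: with `require`, the kernel will not pass matching traffic in the clear until racoon has negotiated an SA, which is why plaintext ping stops as soon as such an SPD is loaded. The sample SPD text is a constructed copy of the mail's two lines; the regex and the Policy class are assumptions of this example, not part of setkey.

```python
"""Sanity-check a small setkey(8) SPD for mirrored in/out policies and 'require' level."""
import re
from dataclasses import dataclass

# Constructed sample: the two spdadd lines from the mailing-list post.
SAMPLE_SPD = (
    "spdadd 216.126.136.108/32 210.84.119.238/32 any -P in ipsec esp/transport//require ;\n"
    "spdadd 210.84.119.238/32 216.126.136.108/32 any -P out ipsec esp/transport//require ;\n"
)

# Matches: spdadd SRC DST UPPERSPEC -P in|out ipsec PROTO/MODE/[ENDPOINTS]/LEVEL ;
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>\w+)/(?P<mode>\w+)/(?P<ep>[^/]*)/(?P<level>\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    level: str


def parse_spd(text: str) -> list[Policy]:
    """Return one Policy per spdadd line found in text (non-matching lines are skipped)."""
    return [Policy(m["src"], m["dst"], m["upper"], m["dir"], m["proto"], m["mode"], m["level"])
            for m in SPD_RE.finditer(text)]


def check_spd(policies: list[Policy]) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for p in policies:
        # The partner policy swaps endpoints and direction but keeps everything else.
        other_dir = "in" if p.direction == "out" else "out"
        mirror = Policy(p.dst, p.src, p.upper, other_dir, p.proto, p.mode, p.level)
        if mirror not in policies:
            findings.append(f"no mirrored {other_dir} policy for {p.src} -> {p.dst}")
        if p.level == "require":
            findings.append(f"{p.direction} {p.src} -> {p.dst}: level 'require' blocks "
                            f"cleartext traffic until an SA is negotiated")
    return findings


if __name__ == "__main__":
    for line in check_spd(parse_spd(SAMPLE_SPD)):
        print(line)
```

Run against the mail's SPD it reports no missing mirror, only the two `require` notes; the `use` level would instead let traffic pass unprotected while no SA exists.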