From: Matheus Weber da Conceição <matheuswcon@gmail.com>
To: freebsd-questions@freebsd.org
Date: Wed, 7 Jul 2010 19:28:37 -0300
Subject: VPN IPsec Help

Hello guys;

I'm using a FreeBSD 7.0 in my firewall/gateway, and I have to connect via VPN to a Cisco box.

The scene here is:

* Peer A (Cisco): 200.xxx.xxx.xxx
  IPs that Peer B needs to access:
  - 192.168.10.24
  - 192.168.201.196
  - 10.115.90.236

* Peer B (FreeBSD 7.0): 187.yyy.yyy.yyy (me)

How can I configure this scene without using the gif0 interface? I have no idea how to route the network traffic from my IP (187.yyy.yyy.yyy) to the 3 -Peer A- non-routing IPs.

I started /usr/local/etc/rc.d/racoon and /etc/rc.d/ipsec. When I try to access SSH on 192.168.10.24, racoon writes a lot of things in the log file (as far as I can see there is no error), but the SSH gives me a timeout error.

After that, I look at the "setkey -D" command, and I get this:

======== setkey -D ========
187.yyy.yyy.yyy 200.xxx.xxx.xxx
	esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x00004001)
	E: 3des-cbc  466cb043 de788f18 88545f35 d89be53e 4a0e85e9 3d026286
	A: hmac-sha1  832a11aa ea68bc5a ec6f919b 23e28d91 7ecd7c6b
	seq=0x00000007 replay=4 flags=0x00000000 state=mature
	created: Jul  7 19:17:35 2010	current: Jul  7 19:25:45 2010
	diff: 490(s)	hard: 28800(s)	soft: 28800(s)
	last: Jul  7 19:18:09 2010	hard: 0(s)	soft: 0(s)
	current: 728(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 7	hard: 0	soft: 0
	sadb_seq=1 pid=21919 refcnt=2
200.xxx.xxx.xxx 187.yyy.yyy.yyy
	esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x00004002)
	E: 3des-cbc  b1cd13a6 d0696e70 778fe5b3 4bfde61c 6cb81d8f 2a8e9f62
	A: hmac-sha1  4ad86b36 ff7d5c14 6cb744e5 85d97017 2b0f196c
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Jul  7 19:17:35 2010	current: Jul  7 19:25:45 2010
	diff: 490(s)	hard: 28800(s)	soft: 28800(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=21919 refcnt=1
========================

This means that my IPsec tunnel is up, right? Any idea?

Configuration files:

==== Here is my /etc/ipsec.conf ====
flush;
spdflush;

spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.10.0/24 0.0.0.0/24 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.201.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.201.0/24 0.0.0.0/0 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
========================================

==== Here is my /usr/local/etc/racoon/racoon.conf ====
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;

remote anonymous
{
	exchange_mode main;
	my_identifier address 187.4.201.197;
	peers_identifier address 200.186.89.186;
	lifetime time 28800 sec;	# sec,min,hour
	generate_policy off;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
#  - kernel IPsec policy configuration (like "esp/transport//use)
#  - permutation of the crypto/hash/compression algorithms presented below
sainfo address anonymous
{
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
========================================

-- 
========================================
Matheus Weber da Conceição
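The setkey -D dump in the message can be read mechanically. The following is an added example, not code from the original mail or from ipsec-tools: it parses the dump into one record per SA and lists which mature SAs have never carried a packet. It assumes a `local` argument naming this host's own tunnel address, and its sample input is a constructed, trimmed copy of the dump above (key material and lifetime lines left out).

```python
"""Parse `setkey -D` output and report which IPsec SAs have carried traffic.
Added example (not from the mail); the sample input is a trimmed, constructed
copy of the dump in the message, with key material and lifetime lines left out.
"""
import re

SETKEY_DUMP = """\
187.yyy.yyy.yyy 200.xxx.xxx.xxx
\tesp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x00004001)
\tseq=0x00000007 replay=4 flags=0x00000000 state=mature
\tcurrent: 728(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 7\thard: 0\tsoft: 0
200.xxx.xxx.xxx 187.yyy.yyy.yyy
\tesp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
"""

def parse_setkey(dump):
    """Return one dict per SA: src, dst, proto, mode, spi, state, bytes, pkts."""
    sas, cur = [], None
    for line in dump.splitlines():
        if line and not line[0].isspace():      # unindented "src dst" opens an SA
            src, dst = line.split()
            cur = {"src": src, "dst": dst, "bytes": 0, "pkts": 0}
            sas.append(cur)
            continue
        s = line.strip()
        if cur is None or not s:
            continue
        if s.split()[0] in ("esp", "ah", "ipcomp"):   # protocol/mode/SPI line
            cur["proto"] = s.split()[0]
            cur["mode"] = re.search(r"mode=(\S+)", s).group(1)
            cur["spi"] = int(re.search(r"spi=(\d+)", s).group(1))
        elif s.startswith("seq="):                    # replay window / state line
            cur["state"] = re.search(r"state=(\S+)", s).group(1)
        elif s.startswith("current:") and "(bytes)" in s:   # byte counter line
            cur["bytes"] = int(re.match(r"current:\s*(\d+)\(bytes\)", s).group(1))
        elif s.startswith("allocated:"):              # packet counter line
            cur["pkts"] = int(re.match(r"allocated:\s*(\d+)", s).group(1))
    return sas

def idle_directions(sas, local):
    """Directions, seen from `local`, whose mature SA has carried no packets.
    A tunnel that is 'up' but only lists 'inbound' here is sending and never
    receiving: the peer is not putting return traffic into its SA."""
    return ["inbound" if sa["dst"] == local else "outbound"
            for sa in sas if sa.get("state") == "mature" and sa["pkts"] == 0]
```

On the dump above both SAs are mature, but only the 187->200 SA has counters, so the check reports the inbound direction as idle.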
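A consistency check for the /etc/ipsec.conf in the message, as an added example that is not code from the original mail or from setkey(8): it parses the spdadd statements and reports every policy with no mirrored twin (selectors and tunnel endpoints swapped, direction flipped). Its input is a constructed copy of the message's policy list.

```python
"""Check that setkey(8) spdadd policies come in mirrored in/out pairs.
Added example (not from the mail). Each `-P out` policy should have a `-P in`
twin with the selectors and the tunnel endpoints swapped; the sample input is a
constructed copy of the /etc/ipsec.conf in the message.
"""
import re

IPSEC_CONF = """\
flush;
spdflush;
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
    esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
    esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
    esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.10.0/24 0.0.0.0/24 any -P in ipsec
    esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
spdadd 0.0.0.0/0 192.168.201.0/24 any -P out ipsec
    esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.201.0/24 0.0.0.0/0 any -P in ipsec
    esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
"""

# spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/MODE/[TSRC-TDST]/LEVEL ;
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(\w+)/(?:([^/\s-]+)-([^/\s-]+))?/(\w+)\s*;")

def parse_policies(text):
    """Return (src, dst, upper, dir, proto, mode, tsrc, tdst, level) tuples."""
    body = " ".join(text.split())       # a statement may span several lines
    return [m.groups() for m in SPDADD.finditer(body)]

def mirror(p):
    """The twin a policy should have for traffic in the other direction."""
    src, dst, upper, d, proto, mode, tsrc, tdst, level = p
    return (dst, src, upper, "in" if d == "out" else "out",
            proto, mode, tdst, tsrc, level)

def unmirrored(policies):
    """Policies whose twin is missing: a typo in one selector or endpoint
    leaves a pair of one-way policies, which this flags on both sides."""
    have = set(policies)
    return [p for p in policies if mirror(p) not in have]
```

Run against the policy list above it flags the 192.168.10.0/24 pair, whose inbound policy uses 0.0.0.0/24 where its outbound twin uses 0.0.0.0/0.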