Date:      Mon, 29 Jul 2002 17:37:02 -0600
From:      "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To:        Trish Lynch <trish@egobsd.org>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: racoon and weirdness....
Message-ID:  <20020729233702.M411@babayaga.neotext.ca>
In-Reply-To: <20020729103029.R484-100000@trish.dyn.magenet.com>
References:  <20020729103029.R484-100000@trish.dyn.magenet.com>

I was never able to get racoon to actually re-establish:
that is if one of my machines went down, all the racoon
daemons needed to be restarted.  As a first-order observation
of what others have been saying, racoon has or exposes
problems if all the communicant boxes are not the same.

So for now I'm running a manual ipsec config.

Dhu

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: Trish Lynch <trish@egobsd.org>
To: <freebsd-security@FreeBSD.ORG>
Sent: Mon, 29 Jul 2002 10:46:30 -0400 (EDT)
Subject: racoon and weirdness....

> I'm working on setting up IPSEC tunnels between a
> KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
> 
> What is happening with the one tunnel is this:
> 
> after a couple days, it times out, and neither side 
> can reestablish traffic between, the log in 
> /var/log/daemon for racoon tells me the tunnel *is* 
> established, but I can't ping through it. If I restart 
> racoon, it all starts working fine again.
> 
> The second issue is a second machine, with a 
> cut/pasted config into racoon.conf, with simply the 
> endpoints changed, does not work at all.
> 
> I can ping the external interface of the Ravlin, but 
> it doesn't even *begin* phase 1.
> 
> Here is the racoon.conf:
> 
> remote ravlin-ext-ip [500]
> {
>         exchange_mode main,aggressive;
>         my_identifier address my-ext-ip;
>         peers_identifier address ravlin-ext-ip;
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 3 hour;   # sec,min,hour
> 
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key ;
>                 dh_group 1 ;
>         }
> }
> 
> remote ravlin-int-ip [500]
> {
>         exchange_mode main,aggressive;
>         my_identifier address my-int-ip;
>         peers_identifier address ravlin-int-ip;
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 3 hour;   # sec,min,hour
> 
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key ;
>                 dh_group 2 ;
>         }
> }
> 
> sainfo address my-ext-ip/32[0] any address ravlin-ext-ip/32[0] any {
> #       pfs_group 2;
>         lifetime time 10800 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_md5,hmac_sha1;
>         compression_algorithm deflate ;
> }
> 
> sainfo address my-int-net/23[0] any address ravlin-int-net/24[0] any {
> #       pfs_group 2;
>         lifetime time 10800 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_md5,hmac_sha1;
>         compression_algorithm deflate ;
> }
> 
> the gif interface is set up as such:
> 
> BSD2 == my machine BSD5 == Ravlin
> 
>             $IFCONFIG $GIF3 plumb
>             $IFCONFIG $GIF3 mtu 1500
>             $IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK
>             /usr/sbin/setkey -FP
>             /usr/sbin/setkey -F
>             /usr/sbin/setkey -c << EOF
>             spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
>                 esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
>             spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
>                 esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
> EOF
> 
> Anyone wanna hit me with a cluebat?
> 
> -Trish
> 
> --
> Trish Lynch                                trish@egobsd.org
> Ecartis Core Team
> Key fingerprint = B04E 67CA 3A12 9930 E91C  7730 4606 3618 B74A 2493
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the 
> message
------- End of Original Message -------
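Both messages land on the same workaround: restart racoon once the tunnel stops passing traffic, even though (as Trish notes) racoon's own log still claims the tunnel is established. The script below is an added example, not code from either poster, that automates that check from the kernel's SA database (`setkey -D`) instead of from racoon's log: it looks for a mature tunnel-mode ESP SA in each direction between the two gateway addresses and restarts racoon only when one is missing. The addresses 203.0.113.10 and 198.51.100.20, the sample SAD dump (its layout only approximates what setkey prints), the racoon path /usr/local/sbin/racoon and the pkill-based restart are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): watchdog for the symptom both posters
# describe, where racoon says the tunnel is up but nothing passes until racoon
# is restarted. Decide from the kernel SAD ("setkey -D") rather than the log.
# Addresses, paths and the sample dump are constructed for illustration.

# count_mature_tunnel_sas SRC DST   (reads a setkey -D dump on stdin)
# Prints how many SA entries headed "SRC DST" are tunnel-mode and mature.
count_mature_tunnel_sas() {
    awk -v src="$1" -v dst="$2" '
        # An SA entry starts with an unindented "src dst" header line;
        # the attribute lines that follow it are indented.
        substr($0, 1, 1) != "\t" && substr($0, 1, 1) != " " {
            cur = ($1 == src && $2 == dst); tun = 0; next
        }
        cur && /mode=tunnel/         { tun = 1 }
        cur && tun && /state=mature/ { n++ }
        END { print n + 0 }
    '
}

# tunnel_is_up A B   (reads a setkey -D dump on stdin)
# Succeeds only if a mature tunnel SA exists both A->B and B->A.
tunnel_is_up() {
    dump=$(cat)
    ab=$(printf '%s\n' "$dump" | count_mature_tunnel_sas "$1" "$2")
    ba=$(printf '%s\n' "$dump" | count_mature_tunnel_sas "$2" "$1")
    [ "$ab" -ge 1 ] && [ "$ba" -ge 1 ]
}

# check_and_restart A B : meant to run from cron on the gateway. The racoon
# path and the restart method are assumptions; adapt them to the local setup.
check_and_restart() {
    if /usr/sbin/setkey -D | tunnel_is_up "$1" "$2"; then
        echo "tunnel $1 <-> $2: mature SA pair present"
    else
        echo "tunnel $1 <-> $2: no mature SA pair, restarting racoon"
        /usr/sbin/setkey -F          # drop stale SAs; the SPD is left alone
        pkill racoon && sleep 1
        /usr/local/sbin/racoon       # assumed install path
    fi
}

# Constructed SAD dump in the shape setkey -D prints (layout approximate):
# one healthy pair plus a dying duplicate, so the two directions differ.
sample_sad() {
    printf '%s\n' \
      '203.0.113.10 198.51.100.20' \
      '        esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)' \
      '        E: 3des-cbc  ...' \
      '        A: hmac-md5  ...' \
      '        seq=0x00000000 replay=4 flags=0x00000000 state=mature' \
      '198.51.100.20 203.0.113.10' \
      '        esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)' \
      '        seq=0x00000000 replay=4 flags=0x00000000 state=mature' \
      '198.51.100.20 203.0.113.10' \
      '        esp mode=tunnel spi=4660(0x00001234) reqid=0(0x00000000)' \
      '        seq=0x00000000 replay=4 flags=0x00000000 state=dying'
}

# Stand-alone demo against the constructed dump.
if sample_sad | tunnel_is_up 203.0.113.10 198.51.100.20; then
    echo "sample tunnel: up"
else
    echo "sample tunnel: down"
fi
```

Run `check_and_restart <my-ext-ip> <ravlin-ext-ip>` from cron on the FreeBSD gateway. It does not cure whatever is going wrong at rekey time, but it logs each restart, so the pattern Trish sees ("after a couple days") shows up as a timestamped series of restarts that can be lined up against the `lifetime` values in racoon.conf; a dump showing only dying SAs and no fresh replacement points at the rekey negotiation rather than at the SPD.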

