From: ralf@dzie-ciuch.pl
To: freebsd-net@freebsd.org
Date: Tue, 22 Jun 2010 15:59:50 +0200
Subject: vpn trouble

Hi,

I am trying to configure a VPN between my server and my client. The scheme is like this:

78.x.x.x <--> 95.x.x.x <--> 10.10.1.90

When I try to ping 10.10.1.90, all packets are lost. What can I change to get it running?
Thanks

This is my setting:

# setkey -DP
10.10.1.90[any] 78.x.x.x[any] any
        in ipsec
        esp/tunnel/95.x.x.x-78.x.x.x/require
        created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
        lifetime: 0(s) validtime: 0(s)
        spid=16461 seq=1 pid=83142
        refcnt=1
78.x.x.x[any] 10.10.1.90[any] any
        out ipsec
        esp/tunnel/78.x.x.x-95.x.x.x/require
        created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
        lifetime: 0(s) validtime: 0(s)
        spid=16460 seq=0 pid=83142
        refcnt=1

# cat racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen {
        isakmp 78.x.x.x [500];
}

timer {
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}

remote 95.x.x.x {
        exchange_mode main, aggressive; # For Firewall-1 Aggressive mode
        lifetime time 8 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 sec;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Racoon log:

Foreground mode.
2010-06-22 15:52:50: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-06-22 15:52:50: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2010-06-22 15:52:50: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-06-22 15:52:50: DEBUG: hmac(modp1024)
2010-06-22 15:52:50: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-06-22 15:52:50: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
2010-06-22 15:52:50: DEBUG: getsainfo pass #2
2010-06-22 15:52:50: INFO: 78.x.x.x[500] used as isakmp port (fd=4)
2010-06-22 15:52:50: DEBUG: pk_recv: retry[0] recv()
2010-06-22 15:52:50: DEBUG: get pfkey X_SPDDUMP message
2010-06-22 15:52:50: DEBUG: pk_recv: retry[0] recv()
2010-06-22 15:52:50: DEBUG: get pfkey X_SPDDUMP message
2010-06-22 15:52:50: DEBUG: sub:0x7fffffffe480: 78.x.x.x/32[0] 10.10.1.90/32[0] proto=any dir=out
2010-06-22 15:52:50: DEBUG: db :0x5a8610: 10.10.1.90/32[0] 78.x.x.x/32[0] proto=any dir=in
2010-06-22 15:53:32: DEBUG: caught rtm:14, need update interface address list
2010-06-22 15:53:47: DEBUG: pk_recv: retry[0] recv()
2010-06-22 15:53:47: DEBUG: get pfkey ACQUIRE message
2010-06-22 15:53:47: DEBUG: suitable outbound SP found: 78.x.x.x/32[0] 10.10.1.90/32[0] proto=any dir=out.
2010-06-22 15:53:47: DEBUG: sub:0x7fffffffe430: 10.10.1.90/32[0] 78.x.x.x/32[0] proto=any dir=in
2010-06-22 15:53:47: DEBUG: db :0x5a8610: 10.10.1.90/32[0] 78.x.x.x/32[0] proto=any dir=in
2010-06-22 15:53:47: DEBUG: suitable inbound SP found: 10.10.1.90/32[0] 78.x.x.x/32[0] proto=any dir=in.
2010-06-22 15:53:47: DEBUG: new acquire 78.x.x.x/32[0] 10.10.1.90/32[0] proto=any dir=out
2010-06-22 15:53:47: DEBUG: configuration found for 95.x.x.x.
2010-06-22 15:53:47: DEBUG: getsainfo params: loc='78.x.x.x', rmt='10.10.1.90', peer='NULL', id=0
2010-06-22 15:53:47: DEBUG: getsainfo pass #2
2010-06-22 15:53:47: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-22 15:53:47: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-22 15:53:47: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-22 15:53:47: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-22 15:53:47: DEBUG: in post_acquire
2010-06-22 15:53:47: DEBUG: configuration found for 95.x.x.x.
2010-06-22 15:53:47: INFO: IPsec-SA request for 95.x.x.x queued due to no phase1 found.
2010-06-22 15:53:47: DEBUG: ===
2010-06-22 15:53:47: INFO: initiate new phase 1 negotiation: 78.x.x.x[500]<=>95.x.x.x[500]
2010-06-22 15:53:47: INFO: begin Identity Protection mode.
2010-06-22 15:53:47: DEBUG: new cookie: 6fa45a7481c1aec5
2010-06-22 15:53:47: DEBUG: add payload of len 48, next type 13
2010-06-22 15:53:47: DEBUG: add payload of len 16, next type 0
2010-06-22 15:53:47: DEBUG: 100 bytes from 78.x.x.x[500] to 95.x.x.x[500]
2010-06-22 15:53:47: DEBUG: sockname 78.x.x.x[500]
2010-06-22 15:53:47: DEBUG: send packet from 78.x.x.x[500]
2010-06-22 15:53:47: DEBUG: send packet to 95.x.x.x[500]
2010-06-22 15:53:47: DEBUG: 1 times of 100 bytes message will be sent to 95.x.x.x[500]
2010-06-22 15:53:47: DEBUG:
6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-22 15:53:47: DEBUG: resend phase1 packet 6fa45a7481c1aec5:0000000000000000
2010-06-22 15:54:07: DEBUG: 100 bytes from 78.x.x.x[500] to 95.x.x.x[500]
2010-06-22 15:54:07: DEBUG: sockname 78.x.x.x[500]
2010-06-22 15:54:07: DEBUG: send packet from 78.x.x.x[500]
2010-06-22 15:54:07: DEBUG: send packet to 95.x.x.x[500]
2010-06-22 15:54:07: DEBUG: 1 times of 100 bytes message will be sent to 95.x.x.x[500]
2010-06-22 15:54:07: DEBUG:
6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100

And tcpdump:

# tcpdump -i bce1 host 95.x.x.x
15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
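As an added example (not part of the original post), a small Python decoder for the hex dump racoon prints at "log debug": it reads the fixed ISAKMP header, walks the payload chain and pulls the phase-1 proposal attributes out of the SA payload, so what the initiator actually put on the wire can be checked against racoon.conf. On the dump above it reports main mode, a 100-byte packet with an SA and a Vendor ID payload, a 3DES/MD5/pre-shared-key/group-2 proposal with a 28800-second lifetime, and an all-zero responder cookie, which together with the tcpdump output showing only outbound "phase 1 I ident" packets means no reply from 95.x.x.x was ever processed. The exchange-type, payload-type and attribute tables are assumptions taken from RFC 2408/2409 and cover only the values present in this packet; the SA walk assumes one proposal with one transform.

```python
import struct

# Hex dump copied verbatim from the racoon DEBUG output above.
RACOON_HEX = (
    "6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034 "
    "00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 "
    "80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100"
)
EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick mode"}
PAYLOAD = {0: "NONE", 1: "SA", 13: "Vendor ID"}
# Phase-1 attribute types/values from RFC 2409 Appendix A (only the ones this packet uses).
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group", 11: "life_type", 12: "life_seconds"}
ATTR_VALUES = {
    "encryption": {5: "3DES-CBC"}, "hash": {1: "MD5"}, "auth_method": {1: "pre_shared_key"},
    "dh_group": {2: "modp1024"}, "life_type": {1: "seconds"},
}


def parse_isakmp(hexdump):
    data = bytes.fromhex(hexdump.replace(" ", ""))
    icookie, rcookie, nxt, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    info = {
        "initiator_cookie": icookie.hex(),
        # The responder cookie stays all-zero until the peer's first reply has been processed.
        "responder_answered": rcookie != bytes(8),
        "exchange": EXCHANGE.get(exch, str(exch)),
        "total_length": length,
        "payloads": [],
        "proposal": {},
    }
    off = 28  # first payload follows the fixed 28-byte ISAKMP header
    while nxt != 0 and off + 4 <= len(data):
        nxt_after, _resv, plen = struct.unpack("!BBH", data[off:off + 4])
        info["payloads"].append(PAYLOAD.get(nxt, str(nxt)))
        if nxt == 1:
            # SA payload: generic hdr (4) + DOI/situation (8) + proposal hdr (8) + transform hdr (8),
            # then the attributes; assumes one proposal with one transform, as in this packet.
            attrs, i = data[off + 28:off + plen], 0
            while i + 4 <= len(attrs):
                atype, aval = struct.unpack("!HH", attrs[i:i + 4])
                if atype & 0x8000:  # TV form: the 16-bit value is inline
                    name = ATTR.get(atype & 0x7FFF, str(atype & 0x7FFF))
                    info["proposal"][name] = ATTR_VALUES.get(name, {}).get(aval, aval)
                    i += 4
                else:  # TLV form: aval is the length of the value that follows
                    i += 4 + aval
        nxt, off = nxt_after, off + plen
    info["chain_ok"] = off == length == len(data)  # every payload accounted for, no trailing bytes
    return info
```

The 20-second gap between the two sends in the log (15:53:47 and 15:54:07) is the "interval 20 sec" from the timer block, so racoon is retransmitting as configured and the missing piece is the peer's answer, not the local policy.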