Date: Wed, 28 Aug 2002 14:24:12 +0400
From: Alexei Alexandrov <lexa@lexa.pp.ru>
To: freebsd-net@freebsd.org
Subject: [PLEASE HELP]: IPSec / racoon problems.
Message-ID: <87865782879.20020828142412@elcomsoft.com>
Hello everyone,
I'm trying to set up a secure tunnel between two offices (but there
will be more in future). I have read lots of documentation and mailing
list archives, but still have no success. To set up a tunnel I use a
simple shell script:
#!/bin/sh
# *_EXT are the public tunnel endpoints, *_INT the gif0 inner addresses,
# *_NET the office LANs behind each gateway.
OFFICE1_EXT="1.1.1.1"
OFFICE1_INT="192.168.10.35"
OFFICE1_NET="192.168.10.32/27"
OFFICE2_EXT="2.2.2.2"
OFFICE2_INT="192.168.10.65"
OFFICE2_NET="192.168.10.64/27"
NETMASK="255.255.255.224"
HOSTNAME=`/bin/hostname`

case $HOSTNAME in
gw.office-1.company.net)
    /usr/sbin/gifconfig gif0 $OFFICE1_EXT $OFFICE2_EXT
    /sbin/ifconfig gif0 inet $OFFICE1_INT $OFFICE2_INT netmask $NETMASK
    /usr/sbin/setkey -FP          # flush the SPD
    /usr/sbin/setkey -F           # flush the SAD
    /usr/sbin/setkey -c << EOF
spdadd $OFFICE1_NET $OFFICE2_NET any -P out ipsec
    esp/tunnel/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd $OFFICE2_NET $OFFICE1_NET any -P in ipsec
    esp/tunnel/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd ${OFFICE1_EXT}/32 ${OFFICE2_EXT}/32 any -P out ipsec
    esp/transport/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd ${OFFICE2_EXT}/32 ${OFFICE1_EXT}/32 any -P in ipsec
    esp/transport/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
EOF
    /sbin/route add -net $OFFICE2_NET $OFFICE1_INT
    ;;
gw.office-2.company.net)
    /usr/sbin/gifconfig gif0 $OFFICE2_EXT $OFFICE1_EXT
    /sbin/ifconfig gif0 inet $OFFICE2_INT $OFFICE1_INT netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    # The inbound tunnel policy must name the outer (external) addresses of
    # both gateways; the original line used ${OFFICE1_INT} as the tunnel
    # source, which does not match the ESP/Tunnel 1.1.1.1->2.2.2.2 SA.
    /usr/sbin/setkey -c << EOF
spdadd $OFFICE2_NET $OFFICE1_NET any -P out ipsec
    esp/tunnel/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd $OFFICE1_NET $OFFICE2_NET any -P in ipsec
    esp/tunnel/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd ${OFFICE2_EXT}/32 ${OFFICE1_EXT}/32 any -P out ipsec
    esp/transport/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd ${OFFICE1_EXT}/32 ${OFFICE2_EXT}/32 any -P in ipsec
    esp/transport/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
EOF
    /sbin/route add -net $OFFICE1_NET $OFFICE2_INT
    ;;
esac
After the script is executed I run racoon version 20020507a with this
configuration file (it is the same on both gates):
path pre_shared_key "/usr/local/etc/racoon.key";
log info;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    # Must be this gate's own external address; on gw.office-2 racoon
    # cannot bind 1.1.1.1, so this block has to differ per gate.
    isakmp 1.1.1.1 [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    # Per-gate value as well: the tcpdump trace shows office-2 sending
    # 192.168.10.65 as its identifier.
    my_identifier address "192.168.10.35";
    nonce_size 16;
    lifetime time 2 hour;   # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 2 hour;
    encryption_algorithm 3des,des,cast128,blowfish;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
The pre-shared key file is the same on both gates. I run racoon in the
foreground like this:
/usr/local/sbin/racoon -F -v -d -f /usr/local/etc/racoon.conf
Using tcpdump -s 512 -i int1 esp or port 500 I see the following:
14:30:32.521424 qw.office-1.company.net.isakmp > qw.office-2.company.net.isakmp: isakmp: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=1c20)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=IPv4 protoid=udp port=500 len=4 192.168.10.35)
14:30:33.258796 qw.office-2.company.net.isakmp > qw.office-1.company.net.isakmp: isakmp: phase 1 R agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=1c20)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=IPv4 protoid=udp port=500 len=4 192.168.10.65)
(hash: len=20)
(vid: len=16)
Racoon then prints the message:
2002-08-28 14:08:49: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA
established: ESP/Tunnel 2.2.2.2->1.1.1.1 spi=165577735(0x9de8407)
2002-08-28 14:08:49: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2002-08-28 14:08:49: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2002-08-28 14:08:49: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA
established: ESP/Tunnel 1.1.1.1->2.2.2.2 spi=117026571(0x6f9af0b)
But still no luck. I'm not able to ping the intranet address space in either
office.
Any help would be very useful for me.
Thanks in advance,
Alexei Alexandrov.
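A consistency check for the SPD entries in the script above, added here as an example and not part of the original post. It parses setkey spdadd lines from both gateways (constructed from the values in the script, with the office-2 inbound line as posted) and reports tunnel rules whose outer endpoints are not the gateways' external addresses, or whose counterpart is missing on the peer.

```python
import re

# Constructed from the values in the post; the office-2 'in' line keeps the
# inner address 192.168.10.35 where the outer endpoint 1.1.1.1 belongs.
OFFICE1_SPD = """
spdadd 192.168.10.32/27 192.168.10.64/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 192.168.10.64/27 192.168.10.32/27 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
"""
OFFICE2_SPD = """
spdadd 192.168.10.64/27 192.168.10.32/27 any -P out ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 192.168.10.32/27 192.168.10.64/27 any -P in ipsec esp/tunnel/192.168.10.35-2.2.2.2/require;
"""
OFFICE2_SPD_FIXED = OFFICE2_SPD.replace("192.168.10.35-2.2.2.2", "1.1.1.1-2.2.2.2")

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/(tunnel|transport)/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """Turn setkey spdadd lines into dicts with the fields the check needs."""
    keys = ("src", "dst", "dir", "proto", "mode", "tsrc", "tdst", "level")
    return [dict(zip(keys, m.groups())) for m in SPD_RE.finditer(text)]

def check_pair(local, peer, local_ext, peer_ext):
    """Problems in LOCAL's tunnel rules: outer endpoints must be the two
    gateways' external addresses in the order the direction implies, and
    every 'out' rule needs an identical 'in' rule on PEER (same selectors,
    same endpoints), which is what the peer kernel matches decapsulated
    packets against."""
    problems = []
    for r in (x for x in local if x["mode"] == "tunnel"):
        want = (local_ext, peer_ext) if r["dir"] == "out" else (peer_ext, local_ext)
        if (r["tsrc"], r["tdst"]) != want:
            problems.append(f"{r['dir']} {r['src']}->{r['dst']}: endpoints "
                            f"{r['tsrc']}-{r['tdst']}, expected {want[0]}-{want[1]}")
        if r["dir"] == "out" and not any(
                p["dir"] == "in" and (p["src"], p["dst"], p["tsrc"], p["tdst"])
                == (r["src"], r["dst"], r["tsrc"], r["tdst"]) for p in peer):
            problems.append(f"out {r['src']}->{r['dst']}: no matching 'in' rule on peer")
    return problems

if __name__ == "__main__":
    o1, o2 = parse_spd(OFFICE1_SPD), parse_spd(OFFICE2_SPD)
    for name, probs in (("office-1", check_pair(o1, o2, "1.1.1.1", "2.2.2.2")),
                        ("office-2", check_pair(o2, o1, "2.2.2.2", "1.1.1.1"))):
        print(name, probs or "OK")
```

Running it against OFFICE2_SPD_FIXED instead of OFFICE2_SPD reports no problems in either direction.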
