From: Alexei Alexandrov
Organization: ElcomSoft Co. Ltd.
To: freebsd-net@freebsd.org
Date: Wed, 28 Aug 2002 14:24:12 +0400
Message-ID: <87865782879.20020828142412@elcomsoft.com>
Subject: [PLEASE HELP]: IPSec / racoon problems.

Hello everyone,

I'm trying to set up a secure tunnel between two offices (there will be more in the future). I have read lots of documentation and mailing list archives, but still have no success.
To set up a tunnel I use a simple shell script:

#!/bin/sh
# External (public) address, internal tunnel address and intranet prefix of each gateway.
OFFICE1_EXT="1.1.1.1"
OFFICE1_INT="192.168.10.35"
OFFICE1_NET="192.168.10.32/27"
OFFICE2_EXT="2.2.2.2"
OFFICE2_INT="192.168.10.65"
OFFICE2_NET="192.168.10.64/27"
NETMASK="255.255.255.224"
HOSTNAME=`/bin/hostname`

case $HOSTNAME in
gw.office-1.company.net)
    # gif tunnel between the external addresses, numbered with the internal ones
    /usr/sbin/gifconfig gif0 $OFFICE1_EXT $OFFICE2_EXT
    /sbin/ifconfig gif0 inet $OFFICE1_INT $OFFICE2_INT netmask $NETMASK
    # flush the SPD and SAD, then load the policies
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $OFFICE1_NET $OFFICE2_NET any -P out ipsec esp/tunnel/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd $OFFICE2_NET $OFFICE1_NET any -P in ipsec esp/tunnel/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd ${OFFICE1_EXT}/32 ${OFFICE2_EXT}/32 any -P out ipsec esp/transport/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd ${OFFICE2_EXT}/32 ${OFFICE1_EXT}/32 any -P in ipsec esp/transport/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
EOF
    /sbin/route add -net $OFFICE2_NET $OFFICE1_INT
    ;;
gw.office-2.company.net)
    /usr/sbin/gifconfig gif0 $OFFICE2_EXT $OFFICE1_EXT
    /sbin/ifconfig gif0 inet $OFFICE2_INT $OFFICE1_INT netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    # The inbound tunnel policy must name office-1's external address as the
    # SA source; the posted version had ${OFFICE1_INT} there, which can never
    # match the outbound policy office-1 installs.
    /usr/sbin/setkey -c << EOF
spdadd $OFFICE2_NET $OFFICE1_NET any -P out ipsec esp/tunnel/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd $OFFICE1_NET $OFFICE2_NET any -P in ipsec esp/tunnel/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
spdadd ${OFFICE2_EXT}/32 ${OFFICE1_EXT}/32 any -P out ipsec esp/transport/${OFFICE2_EXT}-${OFFICE1_EXT}/require;
spdadd ${OFFICE1_EXT}/32 ${OFFICE2_EXT}/32 any -P in ipsec esp/transport/${OFFICE1_EXT}-${OFFICE2_EXT}/require;
EOF
    /sbin/route add -net $OFFICE1_NET $OFFICE2_INT
    ;;
esac

After the script is executed I run racoon version 20020507a with this configuration file (it is the same on both gates):

path pre_shared_key "/usr/local/etc/racoon.key";
log info;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp 1.1.1.1 [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote anonymous
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address "192.168.10.35";
    nonce_size 16;
    lifetime time 2 hour;   # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 2 hour;
    encryption_algorithm 3des,des,cast128,blowfish;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}

The pre-shared key file is the same on both gates. I run racoon in foreground mode like this:

/usr/local/sbin/racoon -F -v -d -f /usr/local/etc/racoon.conf

Using "tcpdump -s 512 -i int1 esp or port 500" I see the following:

14:30:32.521424 qw.office-1.company.net.isakmp > qw.office-2.company.net.isakmp: isakmp: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=1c20)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024)))) (ke: key len=128) (nonce: n len=16) (id: idtype=IPv4 protoid=udp port=500 len=4 192.168.10.35)
14:30:33.258796 qw.office-2.company.net.isakmp > qw.office-1.company.net.isakmp: isakmp: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=1c20)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024)))) (ke: key len=128) (nonce: n len=16) (id: idtype=IPv4 protoid=udp port=500 len=4 192.168.10.65) (hash: len=20) (vid: len=16)

Racoon then prints the message:

2002-08-28 14:08:49: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 2.2.2.2->1.1.1.1 spi=165577735(0x9de8407)
2002-08-28 14:08:49: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2002-08-28 14:08:49: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2002-08-28 14:08:49: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.1.1.1->2.2.2.2 spi=117026571(0x6f9af0b)

But still no luck. I'm not able to ping the intranet address space in both offices. Any help would be very useful to me.

Thanks in advance,
Alexei Alexandrov.
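An added consistency check, not part of the original post and not racoon or setkey code: it derives both gateways' spdadd lines from one shared description of the two offices and reports any outbound policy whose exact inbound twin is missing on the peer, which is the kind of asymmetry two hand-typed heredocs can hide. The hostnames and addresses are the placeholders from the post.

```python
"""Mirror check for a two-gateway setkey(8) security policy database.
Added example, not from the original post; names and addresses are the
post's placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str  # hostname matched by the script's case statement
    ext: str   # external address that carries ESP
    net: str   # intranet prefix protected by the tunnel


OFFICE1 = Gateway("gw.office-1.company.net", "1.1.1.1", "192.168.10.32/27")
OFFICE2 = Gateway("gw.office-2.company.net", "2.2.2.2", "192.168.10.64/27")


def spd_entries(local, remote):
    """spdadd lines for one gateway, laid out like the posted script:
    tunnel mode between the intranets, transport mode gateway to gateway."""
    def line(src, dst, direction, mode, sa_src, sa_dst):
        return ("spdadd %s %s any -P %s ipsec esp/%s/%s-%s/require;"
                % (src, dst, direction, mode, sa_src, sa_dst))
    return [
        line(local.net, remote.net, "out", "tunnel", local.ext, remote.ext),
        line(remote.net, local.net, "in", "tunnel", remote.ext, local.ext),
        line(local.ext + "/32", remote.ext + "/32", "out", "transport",
             local.ext, remote.ext),
        line(remote.ext + "/32", local.ext + "/32", "in", "transport",
             remote.ext, local.ext),
    ]


def mirror_mismatches(policy_a, policy_b):
    """Return every 'out' policy on either gateway whose exact 'in' twin
    (same selectors, same SA endpoints) is absent on the other gateway.
    A consistent pair returns []."""
    def unmatched(src, dst):
        inbound = {l for l in dst if " -P in " in l}
        return [l for l in src if " -P out " in l
                and l.replace(" -P out ", " -P in ") not in inbound]
    return unmatched(policy_a, policy_b) + unmatched(policy_b, policy_a)


if __name__ == "__main__":
    for gw, peer in ((OFFICE1, OFFICE2), (OFFICE2, OFFICE1)):
        print("# %s" % gw.name)
        print("\n".join(spd_entries(gw, peer)))
    print("mismatches:", mirror_mismatches(spd_entries(OFFICE1, OFFICE2),
                                           spd_entries(OFFICE2, OFFICE1)))
```

Feeding the check two hand-written policy lists instead of the generated ones lets it flag a single stray address, such as an internal address used where the peer's external one belongs.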