From owner-freebsd-net Tue Nov 14 13:11:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4])
	by hub.freebsd.org (Postfix) with ESMTP id 6B63037B479;
	Tue, 14 Nov 2000 13:11:10 -0800 (PST)
Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47])
	by smtp1.sentex.ca (8.11.0/8.11.0) with ESMTP id eAELAUM58899;
	Tue, 14 Nov 2000 16:10:30 -0500 (EST)
Message-Id: <5.0.1.4.0.20001114153658.00a58df0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Version 5.0.1
Date: Tue, 14 Nov 2000 16:04:04 -0500
To: Mike
From: Mike Tancsa
Subject: Re: VPN over PPPoE (racoon at fault? - no pilot error)
Cc: freebsd-net@freebsd.org, security@freebsd.org
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OK, thanks very much to Mike Cambria (mcambria@avaya.com) for suggesting
adjusting the lifetime settings. I am cc'ing security@freebsd.org in case
others run into this problem of using racoon over slower-than-ethernet links.

Setup is a FreeBSD box running PPPoE over DSL, across a few hops, to another
FreeBSD machine on the ethernet. The trick is to bump up the lifetime value
in racoon.conf and to make sure you have a recent version of racoon. I used
the one from November 11th.

Here is a quick sample config for two machines:

PPPoE machine's _public_ address on tun0         : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1
Office Server's _public_ address on fxp0         : 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1

*Note: if your machine has 2 interfaces, you can of course use the RFC1918
space on it instead. This example assumes you just have the one NIC to play
with.

#!/bin/sh
# PPPoE config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
gifconfig gif0 169.1.134.1 172.168.93.4
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <   # SPD entries were fed here on stdin; they did not survive in the archived copy

> On 9 Nov 2000 17:01:58 -0500, in sentex.lists.freebsd.net you wrote:
> >
> > >Hi all,
> > >
> > >Has anyone ever successfully configured VPN (using IPSec protocol) over
> > >PPPoE connection? I have 1 VPN configured over 2 locations with T1
> > >connections without any problem (using the KAME IPSec on FreeBSD
> > >4.1.1). However, when I tried the same configuration with the 3rd
> > >location running DSL, it seems the IPSec packets can't reach out via tun0
> > >device.
> >
> > I can do it with manual keying, but not with racoon. Both transport and
> > tunnel mode work for me, but neither works with racoon. NAT is a bit
> > tricky, but then again with tunnel mode, it doesn't really matter.
> >
> > One end is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Mon Nov 13 13:52:46 EST 2000
> > other is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Sun Nov 5 18:25:14 EST 2000
> >
> > This is via the same sort of DSL you are using, i.e. Bell Nexxia type stuff
> > through a Redback etc...
> >
> > I haven't had time to send a note to the KAME folk, but when using racoon on
> > DSL, I get these sorts of log entries that I don't normally get:
> >
> > 2000-11-13 23:46:29: isakmp_agg.c:927:agg_r2recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 1.
> > 2000-11-13 23:46:10: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 89.
> > 2000-11-13 23:52:37: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.4 ignore the packet, received unexpecting
> > payload type 187.
> >
> > ---Mike
> > Mike Tancsa (mdtancsa@sentex.net)
> > Sentex Communications Corp,
> > Waterloo, Ontario, Canada
> > "Given enough time, 100 monkeys on 100 routers
> > could setup a national IP network." (KDW2)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
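Added illustration, not part of Mike Tancsa's message and not a file from the KAME/racoon project: the post says the fix was to raise the lifetime value in racoon.conf but does not show the file. The fragment below marks the two places a lifetime is set in racoon.conf, the phase 1 (ISAKMP SA) `remote` block and the phase 2 (IPsec SA) `sainfo` block, written for the PPPoE end using the addresses from the post. The durations, algorithms, DH group and pre-shared-key path are assumptions chosen for the example, not values the post gives.

```conf
# Added example for the PPPoE end (public 169.1.134.1, private 10.1.2.0/24)
# peering with the office server (public 172.168.93.4, private 10.1.1.0/24).
# Durations, algorithms, dh_group and the PSK path are assumed values.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# Phase 1: ISAKMP SA with the office server's public address.
remote 172.168.93.4 {
        exchange_mode main;
        my_identifier address 169.1.134.1;
        # Phase 1 lifetime; this is the knob the post says to raise
        # when the link is slower than ethernet.
        lifetime time 8 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2: IPsec SA for traffic between the two private /24s.
sainfo address 10.1.2.0/24 any address 10.1.1.0/24 any {
        pfs_group 2;
        # Phase 2 lifetime; keep it shorter than the phase 1 lifetime so
        # IPsec SAs are rekeyed under a still-valid ISAKMP SA.
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The office server needs the mirror image: `remote 169.1.134.1` with `my_identifier address 172.168.93.4`, and the `sainfo` source and destination swapped. Put the same shared secret for the peer's address in psk.txt on both ends, and check `racoon -F -v` output on both sides after a change, since a lifetime only takes effect for SAs negotiated after racoon has reread the file.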