Date: Tue, 18 May 2004 18:46:36 +0200
From: Radek Kozlowski <radek@raadradd.com>
To: freebsd-questions@freebsd.org
Subject: A tunnel between two 5.2-CURRENT laptops with IPsec + racoon
Message-ID: <40AA3DEC.6060107@raadradd.com>
Hello,

I'm trying to set up a tunnel between two laptops running 5.2-CURRENT, connected with a crossover cable, that have the addresses 192.168.1.1 and 192.168.1.2 respectively. Here's how I configured the boxes:

[kernel on both]:

options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG

[rc.conf on both]:

ipsec_enable="YES"

[/etc/ipsec.conf on 192.168.1.1]:

flush;
spdflush;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;

[/etc/ipsec.conf on 192.168.1.2]:

flush;
spdflush;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;

I also installed the latest version of racoon from ports. Here's how the configuration files look:

[psk.txt on 192.168.1.1]:

192.168.1.2 mypassword

[psk.txt on 192.168.1.2]:

192.168.1.1 mypassword

[racoon.conf on both]:

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
#log debug;

padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

listen {
	isakmp 192.168.1.1 [500];	# 192.168.1.2 on the second box
}

timer {
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous {
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;
	my_identifier address 192.168.1.1;	# 192.168.1.2 on 2nd box
	peers_identifier address 192.168.1.2;	# 192.168.1.1 on 2nd box
	nonce_size 16;
	lifetime time 24 hour;	# sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

sainfo anonymous {
	pfs_group 1;
	lifetime time 12 hour;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}

I run setkey -f /etc/ipsec.conf and start racoon -F -v on each box, and try to ping one box from the other. And that's where I'm stuck:

on 192.168.1.1:

# racoon -F -v
Foreground mode.
2004-05-18 18:36:43: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-05-18 18:36:43: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-05-18 18:36:43: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted. use "support_proxy".
2004-05-18 18:36:43: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp port (fd=5)
2004-05-18 18:36:53: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.2[500]
2004-05-18 18:36:53: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
2004-05-18 18:36:53: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.168.1.1[500]-192.168.1.2[500] spi:c112917078329613:62ce70ffe54cfcda
2004-05-18 18:36:53: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.2[0]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no policy found: 0.0.0.0/0[0] 192.168.1.1/32[0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.

I'd appreciate any pointers. Thanks in advance.

-Radek
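Added example, not part of Radek's post or of the racoon/setkey projects. Phase 1 completes, so the PSK and the remote block are fine; the failure is in phase 2. The responder's log shows racoon searching its SPD for an inbound policy with selectors 0.0.0.0/0 -> 192.168.1.1/32, which is the initiator's outbound policy ("spdadd 0.0.0.0/0 192.168.1.1/32 any -P out" on 192.168.1.2) seen from the other side, while the only inbound policy loaded on 192.168.1.1 has selectors 192.168.1.2/32 -> 0.0.0.0/0. Assuming, as that lookup suggests, that racoon needs the responder's "in" policy to carry exactly the selectors of the peer's "out" policy, the script below generates a mirrored pair of ipsec.conf files for the two laptops and checks the mirroring property before anything is loaded with setkey. The choice of host-to-host /32 selectors on both ends, and the function names, are mine. Separately, a practitioner would also note that the posted racoon.conf permits aggressive mode with a pre-shared key (the PSK-derived hash is sent in the clear, so it can be attacked offline) and pfs_group 1 (768-bit MODP); those are weaknesses of the posted settings, not the cause of the error above.

```shell
#!/bin/sh
# Added example (not from the original post). Generates mirrored setkey
# policies for a two-host ESP tunnel and verifies that each host's "in"
# policy carries exactly the selectors of the peer's "out" policy, which
# is what racoon's responder looks up when it receives the phase 2 IDs.

# spd_policies LOCAL PEER
# Prints the two spdadd lines for host LOCAL talking to PEER. Host-to-host
# /32 selectors are used on both sides (assumed here; the point is that the
# two ends agree on them) instead of 0.0.0.0/0 on one side only.
spd_policies() {
    local_ip=$1
    peer_ip=$2
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$peer_ip" "$local_ip" "$peer_ip" "$local_ip"
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_ip" "$peer_ip" "$local_ip" "$peer_ip"
}

# ipsec_conf LOCAL PEER: complete /etc/ipsec.conf text for host LOCAL.
ipsec_conf() {
    printf 'flush;\nspdflush;\n'
    spd_policies "$1" "$2"
}

# selectors DIR: read ipsec.conf text on stdin and print "src dst" for
# every spdadd line whose direction is DIR ("in" or "out").
# Field layout: spdadd SRC DST PROTO -P DIR ipsec ...
selectors() {
    awk -v d="$1" '$1 == "spdadd" && $6 == d { print $2, $3 }'
}

# check_mirror A_CONF B_CONF: succeed (exit 0) only if A's inbound selectors
# equal B's outbound selectors and vice versa. This is the condition the
# posted configuration violates: on 192.168.1.1 the "in" policy is
# 192.168.1.2/32 -> 0.0.0.0/0, but 192.168.1.2 sends 0.0.0.0/0 -> 192.168.1.1/32.
check_mirror() {
    a_in=$(printf '%s\n' "$1" | selectors in)
    a_out=$(printf '%s\n' "$1" | selectors out)
    b_in=$(printf '%s\n' "$2" | selectors in)
    b_out=$(printf '%s\n' "$2" | selectors out)
    [ -n "$a_in" ] && [ -n "$a_out" ] &&
        [ "$a_in" = "$b_out" ] && [ "$a_out" = "$b_in" ]
}

# When run directly: print the two files and report whether they mirror.
conf_a=$(ipsec_conf 192.168.1.1 192.168.1.2)
conf_b=$(ipsec_conf 192.168.1.2 192.168.1.1)
printf '# /etc/ipsec.conf on 192.168.1.1\n%s\n\n' "$conf_a"
printf '# /etc/ipsec.conf on 192.168.1.2\n%s\n\n' "$conf_b"
if check_mirror "$conf_a" "$conf_b"; then
    echo "policies mirror each other"
else
    echo "policies do NOT mirror each other" >&2
fi
```

After loading each file with setkey -f, setkey -DP on each laptop should show the "in" policy of one host with the same src/dst as the "out" policy of the other; if they differ, racoon will keep reporting "no policy found" for the selectors it received.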