Date:      Wed, 29 Jan 2003 11:47:55 -0500
From:      Steve Bertrand <iaccounts@northnetworks.ca>
To:        Peter Haight <peterh@sapros.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD IPSEC tunnel stoped working.
Message-ID:  <3E3805BB.3020708@northnetworks.ca>
References:  <200301291326.h0TDQsLG007646@wartch.sapros.com>

Peter Haight wrote:

>>Looks like the 'spi' are out of sync on the 2 machines. This is after a 
>>quick glance, but I know on my IPSec setup, (with manual keys), the 
>>spi's have to be such:
>>
>>Stable in spi == Release out spi
>>Release in spi == Stable out spi
>>
>>Are you using racoon? If not, post your ipsec script.
>
>Here you go:
>
>local_ip="XX.XX.XX.XX"
>local_net_ip="10.10.1.1"
>local_net_prefixlen="24"
>remote_ip="YY.YY.YY.YY"
>remote_net_ip="192.168.1.1"
>remote_net_prefixlen="12"
>remote_net_netmask="255.255.0.0"
>
>ifconfig gif0 create
>ifconfig gif0 tunnel ${local_ip} ${remote_ip}
>ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}
>setkey -c << EOF
>flush;
>spdflush;
>add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
>add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
>spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
>spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
>EOF
This is ok on one machine. Copy the script to the other machine, and 
swap out all of the 'local' variables with the values of the 'remote' 
variables and vice versa. This will allow the keys to be configured 
correctly. If this still does not work, let me know. I wrote a perl 
program that will automatically configure a vpn tunnel for you, and it 
produces 2 scripts. One for localhost and the other for remote host. It 
works for me every time.

Steve


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
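The swap Steve describes, as an added example (not his perl program and not Peter's script): one POSIX sh generator that emits both peers' scripts from a single set of variables, so the two SA `add` lines are byte-identical on both machines and only the gif addresses and the in/out policy directions flip. All endpoints, networks, SPIs and keys below are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholder values for the two peers (A and B).
A_IP="XX.XX.XX.XX"; A_NET="10.10.1.0";   A_LEN="24"; A_GIF="10.10.1.1"
B_IP="YY.YY.YY.YY"; B_NET="192.168.1.0"; B_LEN="16"; B_GIF="192.168.1.1"
SPI_AB="9991"; KEY_AB='"CHANGE-ME-A-to-B"'   # one SPI and key per direction
SPI_BA="9992"; KEY_BA='"CHANGE-ME-B-to-A"'

# gen_script LOCAL_IP LOCAL_NET LOCAL_LEN LOCAL_GIF REMOTE_IP REMOTE_NET REMOTE_LEN REMOTE_GIF
# Prints the gif/setkey script for the machine whose public address is LOCAL_IP.
# The SA "add" lines are always written A->B then B->A, with literal endpoints,
# so both peers install the same pair of SAs regardless of which side they are.
gen_script() {
  local_ip=$1 local_net=$2 local_len=$3 local_gif=$4
  remote_ip=$5 remote_net=$6 remote_len=$7 remote_gif=$8
  cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_gif} ${remote_gif} netmask 255.255.255.255
setkey -c <<END
flush;
spdflush;
add ${A_IP} ${B_IP} esp ${SPI_AB} -E blowfish-cbc ${KEY_AB};
add ${B_IP} ${A_IP} esp ${SPI_BA} -E blowfish-cbc ${KEY_BA};
spdadd ${local_net}/${local_len} ${remote_net}/${remote_len} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net}/${remote_len} ${local_net}/${local_len} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
END
EOF
}

script_a() { gen_script "$A_IP" "$A_NET" "$A_LEN" "$A_GIF" "$B_IP" "$B_NET" "$B_LEN" "$B_GIF"; }
script_b() { gen_script "$B_IP" "$B_NET" "$B_LEN" "$B_GIF" "$A_IP" "$A_NET" "$A_LEN" "$A_GIF"; }

# sas_match: succeeds when both peers' SA lines are identical, i.e. the SPIs
# and keys cannot drift the way a hand-edited copy can.
sas_match() {
  [ "$(script_a | grep '^add ')" = "$(script_b | grep '^add ')" ]
}

# policies_mirror: A's outbound policy must equal B's inbound policy once the
# direction keyword is flipped (same selectors, same tunnel endpoints).
policies_mirror() {
  a_out=$(script_a | grep -e '-P out')
  b_in=$(script_b | grep -e '-P in')
  [ "$(printf '%s' "$a_out" | sed 's/-P out/-P in/')" = "$b_in" ]
}

# Usage: script_a > tunnel-A.sh; script_b > tunnel-B.sh
```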