Date: Mon, 29 Jul 2002 10:46:30 -0400 (EDT)
From: Trish Lynch <trish@egobsd.org>
To: <freebsd-security@freebsd.org>
Subject: racoon and weirdness....
Message-ID: <20020729103029.R484-100000@trish.dyn.magenet.com>
I'm working on setting up IPSEC tunnels between a KAME/racoon/FreeBSD-STABLE
box and a Ravlin unit at a client's. What is happening with the one tunnel is
this: after a couple days, it times out, and neither side can reestablish
traffic between, the log in /var/log/daemon for racoon tells me the tunnel
*is* established, but I can't ping through it. If I restart racoon, it all
starts working fine again.

The second issue is a second machine, with a cut/pasted config into
racoon.conf, with simply the endpoints changed, does not work at all. I can
ping the external interface of the Ravlin, but it doesn't even *begin*
phase 1.

Here is the racoon.conf:

remote ravlin-ext-ip [500] {
        exchange_mode main,aggressive;
        my_identifier address my-ext-ip;
        peers_identifier address ravlin-ext-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

remote ravlin-int-ip [500] {
        exchange_mode main,aggressive;
        my_identifier address my-int-ip;
        peers_identifier address ravlin-int-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address my-ext-ip/32[0] any address ravlin-ext-ip/32[0] any {
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate ;
}

sainfo address my-int-net/23[0] any address ravlin-int-net/24[0] any {
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate ;
}

the gif interface is set up as such:

BSD2 == my machine
BSD5 == Ravlin

$IFCONFIG $GIF3 plumb
$IFCONFIG $GIF3 mtu 1500
$IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK

/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
EOF

Anyone wanna hit me with a cluebat?

-Trish

--
Trish Lynch  trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
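Added example, not part of Trish's mail or of racoon itself: a small Python checker that parses the remote/sainfo subset of the racoon.conf grammar used in the post and reports the settings a reviewer would look at first when a tunnel keeps dying after rekey or never starts phase 1: phase 1 versus phase 2 lifetimes, missing PFS, deprecated algorithms, and aggressive mode combined with a pre-shared key. SAMPLE_CONF is a constructed stand-in for the first remote/sainfo pair above, using documentation addresses rather than the real endpoints; pairing a remote with a sainfo by matching the peer address to the sainfo destination prefix is a simplification, and the "IKE SA should outlive the IPsec SA" check is a rule of thumb, not something the post claims.

```python
"""Sanity-check the remote/sainfo blocks of a racoon.conf (added example)."""
import re

# Constructed sample modelled on the posted config; 192.0.2.x / 198.51.100.x
# are documentation ranges, not real endpoints.
SAMPLE_CONF = """
remote 192.0.2.1 [500] {
    exchange_mode main,aggressive;
    my_identifier address 198.51.100.1;
    peers_identifier address 192.0.2.1;
    generate_policy on;
    nonce_size 16;
    lifetime time 3 hour;   # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 1 ;
    }
}
sainfo address 198.51.100.1/32[0] any address 192.0.2.1/32[0] any {
    # pfs_group 2;
    lifetime time 10800 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate ;
}
"""

UNITS = {"sec": 1, "min": 60, "hour": 3600}

# Algorithm choices that are deprecated for IKE/IPsec use.
WEAK = {
    "hash_algorithm": {"md5"},
    "dh_group": {"1"},                      # 768-bit MODP
    "authentication_algorithm": {"hmac_md5"},
}


def strip_comments(text):
    """Drop '#' comments, which racoon.conf allows to end of line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_blocks(text):
    """Return top-level remote/sainfo blocks as dicts with keys
    'kind', 'args' (the header words) and 'settings' (keyword -> values).
    A nested 'proposal' block is flattened into its remote's settings."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", strip_comments(text))
    blocks, stack, stmt = [], [], []
    for tok in tokens:
        if tok == "{":
            if stmt and stmt[0] in ("remote", "sainfo"):
                stack.append({"kind": stmt[0], "args": stmt[1:], "settings": {}})
            else:
                stack.append(None)          # nested block: attach to parent
            stmt = []
        elif tok == "}":
            blk = stack.pop()
            if blk is not None:
                blocks.append(blk)
        elif tok == ";":
            if stmt:
                owner = next(b for b in reversed(stack) if b is not None)
                owner["settings"][stmt[0]] = stmt[1:]
            stmt = []
        else:
            stmt.append(tok)
    return blocks


def lifetime_seconds(values):
    """Convert a 'lifetime time N unit' value list to seconds."""
    if len(values) != 3 or values[0] != "time":
        return None
    return int(values[1]) * UNITS[values[2]]


def weak_choices(settings, key):
    """Set of deprecated values chosen for a comma-separated algorithm keyword."""
    chosen = set(",".join(settings.get(key, [])).split(",")) - {""}
    return chosen & WEAK[key]


def check(blocks):
    """Return a list of human-readable findings for the parsed blocks."""
    findings = []
    remotes = [b for b in blocks if b["kind"] == "remote"]
    sainfos = [b for b in blocks if b["kind"] == "sainfo"]
    for r in remotes:
        s, peer = r["settings"], r["args"][0]
        modes = s.get("exchange_mode", [""])[0].split(",")
        if "aggressive" in modes and s.get("authentication_method") == ["pre_shared_key"]:
            findings.append(f"remote {peer}: aggressive mode with a pre-shared key is "
                            "accepted; identities travel in clear and the PSK-derived "
                            "hash is exposed to offline guessing")
        for key in WEAK:
            if weak_choices(s, key):
                findings.append(f"remote {peer}: weak {key} {sorted(weak_choices(s, key))}")
        p1 = lifetime_seconds(s.get("lifetime", []))
        # Simplification: pair the remote with sainfo blocks whose destination is the peer.
        for si in sainfos:
            if si["args"][4].split("/")[0] != peer:
                continue
            p2 = lifetime_seconds(si["settings"].get("lifetime", []))
            if p1 is not None and p2 is not None and p1 <= p2:
                findings.append(f"remote {peer}: phase 1 lifetime {p1}s is not longer than "
                                f"phase 2 lifetime {p2}s (rule of thumb: IKE SA outlives IPsec SA)")
    for si in sainfos:
        s, dst = si["settings"], si["args"][4]
        if "pfs_group" not in s:
            findings.append(f"sainfo -> {dst}: no pfs_group, phase 2 keys are not forward secret")
        for key in WEAK:
            if weak_choices(s, key):
                findings.append(f"sainfo -> {dst}: weak {key} {sorted(weak_choices(s, key))}")
    return findings


if __name__ == "__main__":
    for finding in check(parse_blocks(SAMPLE_CONF)):
        print(finding)
```

Run it as-is to see the six findings for the sample; point parse_blocks() at a real racoon.conf read from disk to check a live box. The lifetime check is the one most relevant to a tunnel that works until its first rekey: with phase 1 at 3 hours and phase 2 at 10800 seconds both SAs expire at the same moment, which is exactly the window the checker flags.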