Date: Thu, 11 Feb 2010 14:24:50 +0300
From: Denis Antrushin <DAntrushin@mail.ru>
To: freebsd-net@freebsd.org
Subject: IPSec connection troubles
Message-ID: <4B73E902.6050301@mail.ru>
Hello,

I'm trying to establish an IPSec connection between FreeBSD and Solaris boxes.
I use FreeBSD 8-STABLE (don't recall the exact checkout date, but it contains
the recent IPComp fixes for sure). Since I'm behind NAT, I compiled a 0.8alpha
snapshot of ipsec-tools from their site.

My racoon config looks like this:

------------------------------------------------------------
remote A.B.C.D {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    certificate_type x509 "mycert.pem" "mykey.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    peers_certfile x509 "server.crt";
    send_cert off;
    verify_identifier off;
    lifetime time 7200 seconds;
    initial_contact on;
    passive off;
    proposal_check obey;
    generate_policy off;
    nonce_size 16;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1536;
    }
}

sainfo address 192.168.1.33/32 tcp address A.B.C.D[2112] tcp {
    pfs_group modp1536;
    lifetime time 7200 seconds;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 udp address A.B.C.D[2112] udp {
    pfs_group modp1536;
    lifetime time 7200 seconds;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 icmp address A.B.C.D[any] icmp {
    pfs_group modp1536;
    lifetime time 7200 seconds;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

listen {
    isakmp 192.168.1.33 [500];
    isakmp_natt 192.168.1.33 [4500];
}
-------------------------------------------------------------------

The security policy is as follows:

spdadd 192.168.1.33/32 A.B.C.D/32[2112] tcp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 tcp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32[2112] udp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 udp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32 icmp -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 192.168.1.33/32 icmp -P in ipsec esp/transport//require;

When I try to connect to TCP port 2112 of the Solaris box, racoon successfully
negotiates with the remote peer and I see the SA installed in the kernel, but
then nothing happens. I see encapsulated TCP SYN packets sent on enc0, but
nothing else. The TCP connection is not established, there is nothing in the
racoon logs (except KA), and nothing on the PF_KEY socket. The very same setup
works on Linux and Mac.

How can I further debug this problem?

Thanks,
Denis
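When an SA is negotiated but traffic never flows, the first thing to verify is that the selectors in the SPD (setkey's spdadd lines) and the selectors racoon will use for phase 2 (the sainfo headers) describe the same flows, and that every outbound policy has a mirrored inbound one at the same level. The following checker is an added example, not code from the post or from ipsec-tools; it parses the post's own spdadd and sainfo lines (embedded below as constructed input, with A.B.C.D standing in for the peer as in the post) and reports mismatches. It assumes that racoon picks the sainfo by the selector of the outbound policy that raised the kernel's acquire, and it treats a /32 prefix and a bare host address as the same host, which is how the post writes the peer in sainfo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the spdadd lines from the post.
SPD_TEXT = """
spdadd 192.168.1.33/32 A.B.C.D/32[2112] tcp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 tcp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32[2112] udp -P out ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 udp -P in ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32 icmp -P out ipsec esp/transport//require;
spdadd A.B.C.D/32 192.168.1.33/32 icmp -P in ipsec esp/transport//require;
"""

# Constructed sample input: the sainfo selector lines from the post's racoon.conf.
SAINFO_TEXT = """
sainfo address 192.168.1.33/32 tcp address A.B.C.D[2112] tcp {
sainfo address 192.168.1.33/32 udp address A.B.C.D[2112] udp {
sainfo address 192.168.1.33/32 icmp address A.B.C.D[any] icmp {
"""

# Constructed negative case (not from the post): the TCP sainfo names the wrong port,
# so phase 2 would produce an SA whose selector never matches the TCP policy.
SAINFO_WRONG_PORT = SAINFO_TEXT.replace("A.B.C.D[2112] tcp", "A.B.C.D[2113] tcp")


@dataclass(frozen=True)
class Selector:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str


@dataclass(frozen=True)
class Policy:
    sel: Selector
    direction: str  # "in" or "out"
    level: str      # use / require / unique


# spdadd <src>[port] <dst>[port] <proto> -P <dir> ipsec <proto>/<mode>/<endpoints>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+?)(?:\[(\w+)\])?\s+(\S+?)(?:\[(\w+)\])?\s+(\w+)\s+-P\s+(in|out)"
    r"\s+ipsec\s+\w+/\w+/[^/]*/(\w+)\s*;"
)
# sainfo address <src>[port] <proto> address <dst>[port] <proto>
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+?)(?:\[(\w+)\])?\s+(\w+)\s+address\s+(\S+?)(?:\[(\w+)\])?\s+(\w+)"
)


def norm_host(addr: str) -> str:
    # Assumption: a /32 prefix means the bare host, as the post writes the peer in sainfo.
    return addr[:-3] if addr.endswith("/32") else addr


def norm_port(port: Optional[str]) -> str:
    # No port and an explicit [any] both mean "any port".
    return "any" if port in (None, "any") else port


def parse_spd(text: str) -> List[Policy]:
    policies = []
    for m in SPD_RE.finditer(text):
        src, sport, dst, dport, proto, direction, level = m.groups()
        sel = Selector(norm_host(src), norm_port(sport), norm_host(dst), norm_port(dport), proto)
        policies.append(Policy(sel, direction, level))
    return policies


def parse_sainfo(text: str) -> List[Selector]:
    selectors = []
    for m in SAINFO_RE.finditer(text):
        src, sport, sproto, dst, dport, dproto = m.groups()
        # A sainfo whose two protocol fields disagree can never match a policy; skip it.
        if sproto == dproto:
            selectors.append(Selector(norm_host(src), norm_port(sport), norm_host(dst), norm_port(dport), sproto))
    return selectors


def mirror(sel: Selector) -> Selector:
    return Selector(sel.dst, sel.dport, sel.src, sel.sport, sel.proto)


def describe(p: Policy) -> str:
    s = p.sel
    return f"{s.src}[{s.sport}] -> {s.dst}[{s.dport}] {s.proto} {p.direction} {p.level}"


def check(spd_text: str, sainfo_text: str) -> Dict[str, List[str]]:
    """Report policies without a mirrored twin and outbound policies no sainfo covers."""
    policies = parse_spd(spd_text)
    sainfos = set(parse_sainfo(sainfo_text))
    by_key = {(p.sel, p.direction): p for p in policies}
    report: Dict[str, List[str]] = {"unmirrored": [], "uncovered": []}
    for p in policies:
        other = "in" if p.direction == "out" else "out"
        twin = by_key.get((mirror(p.sel), other))
        if twin is None or twin.level != p.level:
            report["unmirrored"].append(describe(p))
        # Assumption: racoon selects the sainfo by the outbound policy's selector.
        if p.direction == "out" and p.sel not in sainfos:
            report["uncovered"].append(describe(p))
    return report


if __name__ == "__main__":
    print("post's config:", check(SPD_TEXT, SAINFO_TEXT))
    print("wrong port   :", check(SPD_TEXT, SAINFO_WRONG_PORT))
```

For the post's configuration the checker reports nothing, which points the investigation at the kernel rather than at racoon's selector matching: on the FreeBSD side, compare the SA that `setkey -D` shows with the policy `setkey -DP` shows (the reqid attached to a `unique` policy must be the one the SA carries), watch the wire with `tcpdump -ni <external-if> esp or udp port 4500` to see whether the ESP or UDP-encapsulated packets actually leave the box and whether anything comes back, and check `netstat -sp ipsec` and `netstat -sp esp` for counters that move on the outbound path.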