
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] setting IPSEC tunnel with ipsec-tools
From:       VANHULLEBUS Yvan <vanhu () free ! fr>
Date:       2010-06-14 15:44:59
Message-ID: 20100614154459.GC17086 () zeninc ! net

On Sat, Jun 05, 2010 at 04:55:21AM -0700, Mohsen wrote:
> Hi,

Hi.


> It seems nobody is around in the ipsec-tools-users group.
> I'm very curious to know if the developers of ipsec-tools could solve this problem.

You have to use spdadd with the traffic endpoints (which is the "usual" way
of setting up IPsec tunnels) OR use a gif interface and set up a different
configuration (set up the gif endpoints as the traffic endpoints, as you'll do
an extra IP-IP encapsulation).


Yvan.
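To make the point concrete, here is an added illustration (not ipsec-tools code, not from the thread) that models the SPD selector lookup the kernel performs before it asks racoon to negotiate: once gif0 has wrapped the inner packet in an IP-IP header, the outer addresses are what gets looked up, so the 10.10.x.x policies from the thread never match. The `GIF_SPD` policy is my own spelling of the "gif endpoints as traffic endpoints" option, and the matcher handles only src/dst/upper-protocol/direction, a simplification of setkey(8).

```python
"""Model of the SPD lookup that decides whether an outgoing packet triggers
IKE negotiation.  Added illustration, not ipsec-tools code: only the
src/dst/upper-protocol/direction selectors of an spdadd line are modelled."""
import ipaddress
import re

SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;")

# Outbound half of the setkey.conf posted in the thread.
THREAD_SPD = ("spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec "
              "esp/tunnel/192.168.10.1-192.168.10.2/use;")
# Yvan's second option as I read it: keep gif0 and protect the gif endpoints
# themselves.  gif already adds the IP-IP header, so transport mode suffices;
# 'require' (unlike the thread's 'use') never lets the traffic go in clear.
GIF_SPD = ("spdadd 192.168.10.1/32 192.168.10.2/32 ipencap -P out ipsec "
           "esp/transport//require;")
# What the SPD sees once gif0 has wrapped the inner packet in IP-IP (proto 4).
GIF_OUTER = ("192.168.10.1", "192.168.10.2", "ipencap")

def parse_spd(text):
    """Return [(src_net, dst_net, proto, direction, rule), ...]."""
    return [(ipaddress.ip_network(s, strict=False),
             ipaddress.ip_network(d, strict=False), p, dr, rule)
            for s, d, p, dr, rule in SPDADD.findall(text)]

def lookup(policies, src, dst, proto, direction):
    """First matching ipsec rule, or None (nothing negotiated, sent in clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, p, dr, rule in policies:
        if dr == direction and s in src_net and d in dst_net and p in ("any", proto):
            return rule
    return None

def thread_scenario():
    """10.10.20.1 -> 10.10.10.1 routed over gif0 under the thread's SPD."""
    return lookup(parse_spd(THREAD_SPD), *GIF_OUTER, "out")

def option_a():
    """Yvan's first option: no gif0, so the inner addresses are looked up."""
    return lookup(parse_spd(THREAD_SPD), "10.10.20.1", "10.10.10.1", "tcp", "out")

def option_b():
    """Yvan's second option: gif0 kept, policy written on the gif endpoints."""
    return lookup(parse_spd(GIF_SPD), *GIF_OUTER, "out")
```

`thread_scenario()` returns None (no policy hit, so no ACQUIRE reaches racoon), while both options return a rule.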

> 
> --- On Fri, 4/6/10, bored to death <bored_to_death85@yahoo.com> wrote:
> 
> From: bored to death <bored_to_death85@yahoo.com>
> Subject: Re: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools
> To: "bored to death" <bored_to_death85@yahoo.com>, ipsec-tools-users@lists.sourceforge.net
> Date: Friday, 4 June, 2010, 3:40 PM
> 
> So no one has any ideas about this?
> 
> 
> I thought it might help if I show you my racoon.conf:
> 
> 
> path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
> log     debug;
> 
> padding
> {
>         maximum_length  20;
>         randomize       off;
>         strict_check    off;
>         exclusive_tail  off;
> }
> 
> timer
> {
>         counter         5000;
>         interval        20 sec;
>         persend         1;
> #       natt_keepalive  15 sec;
>         phase1          30 sec;
>         phase2          15 sec;
> }
> 
> listen
> {
>         isakmp          192.168.10.1 [500];
> }
> 
> remote  192.168.10.2 [500]
> {
>         exchange_mode   main,aggressive;
>         doi             ipsec_doi;
>         situation       identity_only;
>         my_identifier   address 192.168.10.1;
>         peers_identifier        address 192.168.10.2;
>         lifetime time   8 hour;
>         passive         off;
>         proposal_check  obey;
> #       nat_traversal   off;
>         generate_policy off;
>         weak_phase1_check on;
>         proposal {
>                 encryption_algorithm    des;
>                 hash_algorithm          md5;
>                 authentication_method   pre_shared_key;
>                 lifetime time           30 sec;
>                 dh_group                1;
>         }
> }
> 
> sainfo  (address 10.10.20.0/24 any address 10.10.10.0/24 any)
> {
>         pfs_group       1;
>         lifetime        time    36000 sec;
>         encryption_algorithm    3des,des;
>         authentication_algorithm        hmac_md5;
>         compression_algorithm   deflate;
> }
> and my setkey.conf is:
> 
> flush;
> spdflush;
> spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.2/use;
> spdadd 10.10.10.0/24 10.10.20.0/24 any -P in ipsec esp/tunnel/192.168.10.2-192.168.10.1/use;
> 
> and this is my ifconfig:
> 
> 
> eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
> 	ether 00:22:64:98:d6:38
> 	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
> 	media: Ethernet autoselect (none)
> 	status: no carrier
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> 	options=3<RXCSUM,TXCSUM>
> 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
> 	inet6 ::1 prefixlen 128 
> 	inet 127.0.0.1 netmask 0xff000000 
> 	inet 10.10.20.1 netmask 0xffffff00 
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
> 	tunnel inet 192.168.10.1 --> 192.168.10.2
> 	inet 10.10.20.1 --> 10.10.10.1 netmask 0xffffff00 
> 	options=1<ACCEPT_REV_ETHIP_VER>
> The other host has the exact same config, but of course with the IP addresses reversed.
> Did I set any parameters wrong?
> 
> From: bored to death <bored_to_death85@yahoo.com>
> To: ipsec-tools-users@lists.sourceforge.net
> Sent: Thu, June 3, 2010 2:41:25 PM
> Subject: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools
> 
> 
> hi guys,
> 
> I asked this question on the FreeBSD forum, but no one has answered and I'm really
> stuck with this problem.
> 
> 
> I'm trying to set up an IPsec tunnel between 2 FreeBSD hosts and I'm having a
> problem. I installed ipsec-tools-0.7.3 on FreeBSD 8.0. I defined gif0 and
> loopback addresses on each one and set up all required routes, racoon
> configs, etc.
> 
> 
> 
> My problem is: when I start racoon on both hosts at the same time, my IPsec
> tunnel comes up and works perfectly. But if I run racoon on one host and
> start racoon on the other one 1 or 2 minutes later, nothing happens and no
> packet is sent from the ISAKMP port of either of them.
> 
> 
> 
> I started both racoons in foreground mode, but no failure is reported. The
> initiator racoon says:
> 
> 
> 
> ....
> 2010-06-02 15:08:14: DEBUG: policy.c:187:cmpspidxstrict(): sub:0xbfbfe2dc: 10.10.20.0/24[0] 10.10.10.0/24[0] proto=any dir=out
> 2010-06-02 15:08:14: DEBUG: policy.c:188:cmpspidxstrict(): db :0x28547148: 10.10.10.0/24[0] 10.10.20.0/24[0] proto=any dir=in
> 2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
> 2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
> 
> and when I start the other racoon after a minute, nothing else is reported.
> There surely has to be a racoon configuration parameter to set this, but I
> tested everything and searched everywhere and nothing worked.
> 
> 
> 
> Can anyone help me? Any hints would be appreciated.
> 
> Thank you.


_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

