List: ipsec-tools-devel
Subject: Re: [Ipsec-tools-devel] setting IPSEC tunnel with ipsec-tools
From: VANHULLEBUS Yvan <vanhu () free ! fr>
Date: 2010-06-14 15:44:59
Message-ID: 20100614154459.GC17086 () zeninc ! net
On Sat, Jun 05, 2010 at 04:55:21AM -0700, Mohsen wrote:
> Hi,
Hi.
> It seems nobody exists in the ipsec-tools-users group.
> I'm very curious to know if the developers of ipsec-tools could solve this problem?
You have to use spdadd with traffic endpoint (which is the "usual" way
for setting IPsec tunnels) OR use Gif interface and set up a different
configuration (set up Gif endpoints as traffic endpoints, as you'll do
an extra IP-IP encapsulation).
Yvan.
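As an added example (not code from the thread or from ipsec-tools), this Python model illustrates Yvan's point: once gif0 wraps a packet, the SPD is consulted against the outer 192.168.10.x IP-in-IP packet, so a policy keyed on the inner 10.10.x.x subnets never matches it, while a policy keyed on the gif endpoints does. The simplified selector matching, and the transport mode, `require` level and `ipencap` selector in the second policy set, are this example's assumptions rather than anything the thread prescribes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Policy:
    """One spdadd entry: traffic selector plus the ipsec request string."""
    src: str        # source prefix exactly as given to spdadd
    dst: str        # destination prefix
    proto: str      # upper-layer protocol: 'any' or a name from /etc/protocols
    direction: str  # 'out' or 'in'
    request: str    # e.g. 'esp/tunnel/192.168.10.1-192.168.10.2/use'

def matches(p: Policy, src: str, dst: str, proto: str, direction: str) -> bool:
    """Simplified selector match (no ordering or longest-prefix rules): same direction,
    both addresses inside the prefixes, protocol 'any' or equal to the packet's."""
    return (p.direction == direction
            and ip_address(src) in ip_network(p.src, strict=False)
            and ip_address(dst) in ip_network(p.dst, strict=False)
            and p.proto in ("any", proto))

def lookup(spd, src, dst, proto, direction) -> Optional[Policy]:
    """Return the first matching policy, or None if the packet is not covered at all."""
    return next((p for p in spd if matches(p, src, dst, proto, direction)), None)

# The poster's setkey.conf from the thread: the inner subnets are the traffic endpoints.
# Note the 'use' level: traffic for which no SA exists is still sent in the clear (setkey(8)).
POSTER_SPD = [
    Policy("10.10.20.0/24", "10.10.10.0/24", "any", "out", "esp/tunnel/192.168.10.1-192.168.10.2/use"),
    Policy("10.10.10.0/24", "10.10.20.0/24", "any", "in",  "esp/tunnel/192.168.10.2-192.168.10.1/use"),
]

# Yvan's second option: the gif tunnel endpoints become the traffic endpoints and the
# selector is the IP-in-IP protocol gif0 emits. Transport mode and 'require' are
# this example's choices (assumption), not something the thread specifies.
GIF_SPD = [
    Policy("192.168.10.1/32", "192.168.10.2/32", "ipencap", "out", "esp/transport//require"),
    Policy("192.168.10.2/32", "192.168.10.1/32", "ipencap", "in",  "esp/transport//require"),
]

GIF_SRC, GIF_DST = "192.168.10.1", "192.168.10.2"   # gif0 'tunnel inet' endpoints from the ifconfig

def policy_via_gif(spd) -> Optional[Policy]:
    """Packet routed over gif0: by the time the SPD is consulted it is already an
    ipencap packet between the gif endpoints, so the inner 10.10.x.x addresses are invisible."""
    return lookup(spd, GIF_SRC, GIF_DST, "ipencap", "out")

def policy_direct(spd, inner_src="10.10.20.1", inner_dst="10.10.10.1", proto="icmp") -> Optional[Policy]:
    """Packet routed to the peer subnet without gif0: the SPD sees the inner addresses."""
    return lookup(spd, inner_src, inner_dst, proto, "out")
```

Mixing the two approaches, as the posted configuration does, leaves the gif-encapsulated traffic matching neither policy.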
>
> --- On Fri, 4/6/10, bored to death <bored_to_death85@yahoo.com> wrote:
>
> From: bored to death <bored_to_death85@yahoo.com>
> Subject: Re: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools
> To: "bored to death" <bored_to_death85@yahoo.com>, ipsec-tools-users@lists.sourceforge.net
> Date: Friday, 4 June, 2010, 3:40 PM
>
> so no one has any ideas about this?
>
>
> I thought it might help if I show you my racoon.conf:
>
>
> Code:
> path pre_shared_key "/usr/local/etc/racoon/psk.txt";
> log debug;
>
> padding
> {
> maximum_length 20;
> randomize off;
> strict_check off;
> exclusive_tail off;
> }
>
> timer
> {
> counter 5000;
> interval 20 sec;
> persend 1;
> # natt_keepalive 15 sec;
> phase1 30 sec;
> phase2 15 sec;
> }
>
>
> listen
> {
> isakmp 192.168.10.1 [500];
> }
>
> remote 192.168.10.2 [500]
> {
> exchange_mode main,aggressive;
> doi ipsec_doi;
> situation identity_only;
> my_identifier address 192.168.10.1;
> peers_identifier address 192.168.10.2;
> lifetime time 8 hour;
> passive off;
> proposal_check obey;
> # nat_traversal off;
> generate_policy off;
> weak_phase1_check on;
> proposal {
> encryption_algorithm des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> lifetime time 30 sec;
> dh_group 1;
> }
> }
>
> sainfo (address 10.10.20.0/24 any address 10.10.10.0/24 any)
> {
> pfs_group 1;
> lifetime time 36000 sec;
> encryption_algorithm 3des,des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
> and my setkey.conf is:
>
>
> Code:
> flush;
> spdflush;
> spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.2/use;
> spdadd 10.10.10.0/24 10.10.20.0/24 any -P in ipsec esp/tunnel/192.168.10.2-192.168.10.1/use;
>
> and this is my ifconfig:
>
>
> Code:
> eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
> ether 00:22:64:98:d6:38
> inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
> media: Ethernet autoselect (none)
> status: no carrier
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> inet6 ::1 prefixlen 128
> inet 127.0.0.1 netmask 0xff000000
> inet 10.10.20.1 netmask 0xffffff00
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
> tunnel inet 192.168.10.1 --> 192.168.10.2
> inet 10.10.20.1 --> 10.10.10.1 netmask 0xffffff00
> options=1<ACCEPT_REV_ETHIP_VER>
> The other host has the exact same config, but of course just the IP addresses are reversed.
> Did I set any parameters wrong?
>
> From: bored to death <bored_to_death85@yahoo.com>
> To: ipsec-tools-users@lists.sourceforge.net
> Sent: Thu, June 3, 2010 2:41:25 PM
> Subject: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools
>
>
> Hi guys,
>
> I asked this question on the FreeBSD forum, but no one has answered and I'm really stuck with this problem.
>
>
> I'm trying to set up an IPsec tunnel on 2 FreeBSD hosts and I'm having a
> problem. I installed ipsec-tools-0.7.3 on freebsd-8.0. I defined gif0
> and loopback addresses on the localhost of each one and set up all
> required routes and racoon configs etc...
>
>
>
> My problem is: when I start racoon on my hosts at the same time, my
> IPsec tunnel sets up and works perfectly. But if I run racoon on one
> host and after 1 or 2 minutes I start racoon on the other one, nothing
> happens and no packet from the ISAKMP ports of either of them is being sent.
>
>
>
> I started the racoons in foreground mode, but no failure is being reported. The initiator racoon would say:
>
>
>
> Code:
> ....
> 2010-06-02 15:08:14: DEBUG: policy.c:187:cmpspidxstrict(): sub:0xbfbfe2dc: 10.10.20.0/24[0] 10.10.10.0/24[0] proto=any dir=out
> 2010-06-02 15:08:14: DEBUG: policy.c:188:cmpspidxstrict(): db :0x28547148: 10.10.10.0/24[0] 10.10.20.0/24[0] proto=any dir=in
> 2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
> 2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
>
> and when I start the other racoon after a minute, nothing else is being reported. There sure has to be a configuration parameter of racoon to set this, but I tested everything and searched everywhere and nothing worked.
>
>
>
> Can anyone help me? Any hints would be appreciated.
>
> Thank you.
> _______________________________________________
> Ipsec-tools-users mailing list
> Ipsec-tools-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users
_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel