
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] Query on racoon behaviour in a
From:       Stephen Clark <sclark46 () earthlink ! net>
Date:       2012-06-29 18:23:16
Message-ID: 4FEDF294.1060806 () earthlink ! net


On 06/28/2012 05:29 AM, Sumit Kaur wrote:
>
> Hi,
>
> We have below setup :-
>
> There are 2 tunnels created between end points A (of Node1) and B (of 
> Node2).
>
> A(Node1) has got 2 ip-addresses say, x and y
>
> B(Node2) has got only 1 ip-address say, z
>
> The tunnels are between A and B, but tunnel1's endpoints are x and z, 
> and tunnel2's endpoints are y and z.
> At Node1, racoon.conf gets only one remote entry i.e. for z
>
> remote z
>
> {
>
> }
>
> , whereas the expected behaviour is to have two remote z {} sections, 
> because there are two different sets of IKE phase 1 parameters for the 
> same remote.
>
> Because of this racoon fails to establish proper proposals, and 
> traffic fails.
>
> We tried manually editing racoon.conf to have multiple remote z {} 
> sections, one for each separate set of tunnels, but even there 
> problems are seen.
> So, I wanted to check whether racoon really supports this kind of setup, where 
> we need to configure different IKE phase 1 parameters for the same remote 
> end point, i.e. having multiple remote z {} sections in racoon.conf?
> Thanks
>
> Sumit
>
>
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>    
This is doable - we do it all the time.
We just assign alias internal addresses to make the proposals unique.

# Phase 1 (ISAKMP SA) parameters for the first peer address.
remote 216.xxx.xxx.xxx
{
         exchange_mode main,aggressive;
         doi ipsec_doi;
         situation identity_only;
         my_identifier address;
         peers_identifier address;
         nonce_size 16;
         lifetime time 6000 sec;
         initial_contact on;
         support_proxy on;
         proposal_check obey;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}

# Phase 2 (IPsec SA) selectors for the first tunnel: one sainfo per
# direction, keyed on the alias internal addresses so each proposal is unique.
sainfo address 10.255.10.15 any address 10.255.100.40 any
{
         pfs_group 1;
         lifetime time 3600 sec;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}

sainfo address 10.255.100.40 any address 10.255.10.15 any
{
         pfs_group 1;
         lifetime time 3600 sec;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}

# Phase 1 parameters for the second peer address.
remote 63.xxx.xxx.xxx
{
         exchange_mode main,aggressive;
         doi ipsec_doi;
         situation identity_only;
         my_identifier address;
         peers_identifier address;
         nonce_size 16;
         lifetime time 6000 sec;
         initial_contact on;
         support_proxy on;
         proposal_check obey;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}

# Phase 2 selectors for the second tunnel, again one sainfo per direction.
sainfo address 10.255.4.10 any address 10.255.253.0/24 any
{
         lifetime time 3600 sec;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}

sainfo address 10.255.253.0/24 any address 10.255.4.10 any
{
         lifetime time 3600 sec;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}



-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
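As an added example (not code from the thread, and not part of ipsec-tools), the following Python linter checks a racoon.conf fragment for the layout the reply recommends: one remote block per peer address, a distinct sainfo selector pair per tunnel with the reverse direction present, and, as the editor's own caveats that go beyond what the thread says, legacy algorithm choices (3DES, SHA-1, DH groups 1/2/5), a sainfo without pfs_group, and aggressive mode combined with a pre-shared key. The sample configuration, the finding codes and the function names are all constructed for this example; the peer address is RFC 5737 documentation space.

```python
"""Lint a racoon.conf fragment for the remote/sainfo layout discussed in the thread."""
import re
from collections import Counter

# Constructed sample (not from the thread): two remote blocks for one peer, the
# layout the question describes, plus per-tunnel sainfo selectors as in the reply.
SAMPLE_CONF = """
remote 203.0.113.10 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.255.10.15 any address 10.255.100.40 any {
        pfs_group 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
sainfo address 10.255.100.40 any address 10.255.10.15 any {
        pfs_group 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
remote 203.0.113.10 {    # second block for the same peer address
        exchange_mode aggressive;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}
sainfo address 10.255.4.10 any address 10.255.253.0/24 any {
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
}
"""

# Editor's caveat, not a claim the thread makes: values below current minimums.
LEGACY = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5", "sha1"},
    "authentication_algorithm": {"hmac_md5", "hmac_sha1"},
    "dh_group": {"1", "2", "5", "modp768", "modp1024", "modp1536"},
    "pfs_group": {"1", "2", "5", "modp768", "modp1024", "modp1536"},
}


def parse_blocks(text):
    """Return [(header_words, statements)] per top-level block; nested proposal { }
    braces are flattened because only the setting values matter here."""
    text = re.sub(r"#.*", "", text)             # racoon.conf comments start with '#'
    blocks, i = [], 0
    while (start := text.find("{", i)) != -1:
        header = text[i:start].split()            # e.g. ['remote', '203.0.113.10']
        depth, j = 1, start + 1
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in racoon.conf")
        stmts = [s.split() for s in re.split(r"[;{}]", text[start + 1:j - 1]) if s.strip()]
        blocks.append((header, stmts))
        i = j
    return blocks


def lint(text):
    """Return (level, code, message) findings for the checks named in the lead-in."""
    findings = []
    blocks = parse_blocks(text)
    # racoon selects the remote block by peer address, so the reply keeps one
    # block per address and separates the tunnels in sainfo instead.
    remotes = Counter(" ".join(h[1:]) for h, _ in blocks if h[:1] == ["remote"])
    findings += [("error", "dup-remote", f"{n} remote blocks for peer {p}")
                 for p, n in remotes.items() if n > 1]
    # Each tunnel needs a unique selector pair, present in both directions.
    selectors = Counter(tuple(h[1:]) for h, _ in blocks if h[:1] == ["sainfo"])
    for sel, n in selectors.items():
        if n > 1:
            findings.append(("error", "dup-sainfo", f"duplicate sainfo {' '.join(sel)}"))
        if len(sel) == 6 and sel[0] == sel[3] == "address" and sel[3:] + sel[:3] not in selectors:
            findings.append(("warning", "no-reverse", f"no reverse sainfo for {' '.join(sel)}"))
    for header, stmts in blocks:
        name, settings = " ".join(header), {s[0]: s[1:] for s in stmts if len(s) >= 2}
        for key, vals in settings.items():
            if key in LEGACY and vals[0].lower() in LEGACY[key]:
                findings.append(("warning", "legacy", f"{name}: {key} {vals[0]}"))
        if header[:1] == ["sainfo"] and "pfs_group" not in settings:
            findings.append(("warning", "no-pfs", f"{name}: no pfs_group, so no forward secrecy for phase 2"))
        if header[:1] == ["remote"] and "aggressive" in settings.get("exchange_mode", [""])[0].split(",") \
                and settings.get("authentication_method", [""])[0] == "pre_shared_key":
            findings.append(("warning", "aggressive-psk", f"{name}: aggressive mode with a PSK exposes a crackable hash of the key"))
    return findings


if __name__ == "__main__":
    print(*lint(SAMPLE_CONF), sep="\n")
```

Run against the sample it reports the duplicate remote block as an error, the missing reverse sainfo for the third tunnel as a warning, and the legacy algorithm, missing-PFS and aggressive-mode caveats; against a config laid out the way the reply does it, with current algorithms, it reports nothing.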



