I built a test platform like this, without firewalls:
 
IPSec CA host ---> Route ---> IPsec SB ---> Server B

################################
racoon.conf on Server B:
################################
path pre_shared_key "/etc/psk.txt";
path certificate "/root";
path pidfile "/var/run/racoon.pid";
log notify;

listen {
  isakmp 192.168.10.253 [500];
  isakmp_natt 192.168.10.253 [4500];

  adminsock "/var/run/racoon.sock";
}
timer{
  natt_keepalive 20 second;
}
remote anonymous
{
  exchange_mode main,aggressive;
  doi ipsec_doi;
  situation identity_only;
  generate_policy unique;   # SPD entries are created from the client's proposal at negotiation time
  passive on;               # SB only answers; it never initiates phase 1 itself
  nat_traversal on;

  dpd_delay 10;
  dpd_retry 5;
  dpd_maxfail 5;

  initial_contact on;
  support_proxy on;
  proposal_check claim;
  nonce_size 16;
  ike_frag on;
  certificate_type x509 "server.pem" "server.key";
 
  verify_cert on;
  my_identifier asn1dn;
  peers_identifier asn1dn;
  proposal{
    # 3des and dh_group 1 (768-bit MODP) are weak by current standards; aes and dh_group 14 are preferable
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method rsasig;
    dh_group 1;
  }

}
sainfo address 192.168.30.0/24 any anonymous from asn1dn "xxx" {
 
  encryption_algorithm 3des;
  authentication_algorithm hmac_md5,hmac_sha1;
  compression_algorithm deflate;
 
}


################################
racoon.conf on the IPsec CA client:
################################
path pre_shared_key "/etc/psk.txt";
path certificate "/root";
path pidfile "/var/run/racoon.pid";
log notify;

listen {
  isakmp 192.168.31.10 [500];
  isakmp_natt 192.168.31.10 [4500];

  adminsock "/var/run/racoon.sock";
}
timer{
  natt_keepalive 20 second;
}
remote 192.168.10.253 [500]
{
  exchange_mode main,aggressive;
  doi ipsec_doi;
  situation identity_only;
  script "/root/ipsecc.up.sh" phase1_up;
  script "/root/ipsecc.dn.sh" phase1_down;
  generate_policy off;      # no SPD entries are created by racoon; they must be loaded with setkey
  passive off;
  nat_traversal on;

  dpd_delay 10;
  dpd_retry 5;
  dpd_maxfail 5;

  initial_contact on;
  support_proxy on;
  proposal_check claim;
  nonce_size 16;
  ike_frag on;
  certificate_type x509 "client.pem" "client.key";
  peers_certfile x509 "server.pem";
  verify_cert on;
  my_identifier asn1dn;
  peers_identifier asn1dn;
  proposal{
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method rsasig;
    dh_group 1;
   
  }

}
sainfo address 192.168.31.10/32 any address 192.168.30.0/24 any {
 
  encryption_algorithm 3des;
  authentication_algorithm hmac_md5,hmac_sha1;
  compression_algorithm deflate;
 
}
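The CA side runs with generate_policy off, so its SPD has to be loaded by hand, and the SB side only has policies while a client's negotiation is up. The following is an added example, not code from the original post or from ipsec-tools: it emits the setkey(8) policy lines the CA host needs for the addresses in the configs above (CA host 192.168.31.10, SB 192.168.10.253, protected net 192.168.30.0/24) and checks a `setkey -DP` dump for both directions of policy, which is the first thing to verify when traffic flows one way only. The two dumps it checks against are constructed samples in the shape of setkey output, not captures from the poster's gateways.

```shell
#!/bin/sh
# Added example: SPD generation and verification for the racoon setup above.
# Assumptions (from the posted configs): CA host 192.168.31.10, SB 192.168.10.253,
# protected network behind SB 192.168.30.0/24.

# Emit setkey(8) policy lines for an ESP tunnel between two gateways.
# $1 local selector, $2 remote selector, $3 local tunnel endpoint, $4 remote tunnel endpoint
spd_commands() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# Return 0 if the `setkey -DP` dump in file $1 contains a policy with
# src=$2, dst=$3 and direction $4 (in|out|fwd).  setkey prints a host
# selector as "a.b.c.d[any]" without /32, so /32 is stripped on both sides.
spd_has() {
    awk -v src="${2%/32}" -v dst="${3%/32}" -v dir="$4" '
        # selector line: "src[any] dst[any] proto" (not indented)
        /^[^ \t]/ { s = $1; d = $2; sub(/\/32/, "", s); sub(/\/32/, "", d); next }
        # direction line follows the selector: "out ipsec" / "in ipsec" (indented)
        $1 == dir && s == (src "[any]") && d == (dst "[any]") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Two-way traffic needs an "out" policy local->remote and an "in" policy remote->local.
# $1 dump file, $2 local selector, $3 remote selector
check_tunnel_policies() {
    spd_has "$1" "$2" "$3" out && spd_has "$1" "$3" "$2" in
}

# Constructed sample dumps in the shape of `setkey -DP` output (real output indents
# with tabs; the parser accepts tabs or spaces).  SPD_OK has both directions,
# SPD_MISSING_IN lacks the inbound policy, so replies from 192.168.30.0/24 are dropped.
SPD_OK=$(mktemp)
cat > "$SPD_OK" <<'EOF'
192.168.31.10[any] 192.168.30.0/24[any] any
    out ipsec
    esp/tunnel/192.168.31.10-192.168.10.253/require
    spid=1 seq=1 pid=100
    refcnt=1
192.168.30.0/24[any] 192.168.31.10[any] any
    in ipsec
    esp/tunnel/192.168.10.253-192.168.31.10/require
    spid=2 seq=0 pid=100
    refcnt=1
EOF

SPD_MISSING_IN=$(mktemp)
cat > "$SPD_MISSING_IN" <<'EOF'
192.168.31.10[any] 192.168.30.0/24[any] any
    out ipsec
    esp/tunnel/192.168.31.10-192.168.10.253/require
    spid=1 seq=1 pid=100
    refcnt=1
EOF

# Stand-alone run: print the policy lines for the CA host and check both sample dumps.
spd_commands 192.168.31.10/32 192.168.30.0/24 192.168.31.10 192.168.10.253
for f in "$SPD_OK" "$SPD_MISSING_IN"; do
    if check_tunnel_policies "$f" 192.168.31.10/32 192.168.30.0/24; then
        echo "$f: both directions present"
    else
        echo "$f: a direction is missing"
    fi
done
```

On the CA host, pipe the emitted lines into `setkey -c` (policies only; racoon negotiates the SAs). To diagnose one-way pings, save `setkey -DP` from each gateway and run `check_tunnel_policies` on the dump with that gateway's own selectors. On SB the entries exist only while the client's negotiation is up, because generate_policy creates them from the peer's proposal, and with passive on SB cannot start a negotiation on its own when none exists.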


 


2008-10-21,"David J. Meier" <djmeier@slash32.com> :
Depending on your configuration you may have, or may not have, set it up in a way that allows ICMP -- or there is also the possibility of a transparent firewall between the clients and IPsec gateways that you are unaware of. Without more information it is hard to tell -- but, all things considered, IPsec doesn't just "work that way"; it will pass or drop what you tell it...

--Dave

2008/10/21 axinchan <axinchan@163.com>
Hi, all

My network topology:
client A ---> IPSec CA ---> INTERNET ---> IPsec SB ---> Server B

CA & SB are Linux-based gateways, with kernel 2.6.17 & ipsec-tools 0.7.

SB was running in anonymous mode (anonymous remote and anonymous sainfo), while CA was in standard mode.

Client A could ping through to Server B; that's normal.
But Server B couldn't ping through to client A.

I wonder, is there something wrong with my configuration, or does IPsec anonymous mode just work this way: Server B is not allowed to access client A in anonymous mode?

I have so many clients that anonymous is a good choice for me.

Any suggestions are welcome. Thanks.


Axin Chan
China




_______________________________________________
Ipsec-tools-users mailing list
Ipsec-tools-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users