From: Reshma B. <res...@gm...> - 2012-06-27 11:11:23
Hi,

Could someone please help me in understanding how the racoon.conf and psk.txt configuration should look for the following tunnel scenario.

Scenario: I have a couple of tunnels between 2 peers, each tunnel having its own peer1 endpoint but the same peer2 endpoint.

    Peer1                                            Peer2
    A1 (1.1.1.1) (PSK: Secret1) <------------> B1 (1.1.1.3)   (Tunnel 1) (PSK: Secret1)
    A2 (1.1.1.2) (PSK: Secret2) <------------> B1 (1.1.1.3)   (Tunnel 2) (PSK: Secret2)

    -------------> both these tunnels have their own secrets, Secret1 and Secret2.

Is this kind of scenario supported by racoon? What happens if we initiate traffic from the traffic selectors of both tunnels? Will the negotiations succeed?

Please provide some example configurations if any exist for this kind of scenario.

Thanks & Regards,
Reshma
From: Pattan, R. (N. - IN/Bangalore) <res...@ns...> - 2012-06-27 10:57:25
Hi,

Could someone please help in understanding how the racoon.conf and psk.txt configuration should look for the following tunnel scenario.

Scenario: I have a couple of tunnels between 2 peers, each tunnel having its own peer1 endpoint but the same peer2 endpoint.

    Peer1                                            Peer2
    A1 (1.1.1.1) (PSK: Secret1) <------------> B1 (1.1.1.3)   (Tunnel 1) (PSK: Secret1)
    A2 (1.1.1.2) (PSK: Secret2) <------------> B1 (1.1.1.3)   (Tunnel 2) (PSK: Secret2)

    -------------> both these tunnels have their own secrets, Secret1 and Secret2.

Is this kind of scenario supported by racoon? What happens if we initiate traffic from the traffic selectors of both tunnels? Will the negotiations succeed?

Please provide me some example configurations if any exist for this kind of scenario; it will be helpful.

Thanks & Regards,
Reshma
From: Rainer W. <rwe...@mo...> - 2012-06-27 11:44:34
Reshma Begam <res...@gm...> writes:
> Could someone please help me in understanding how the
> racoon.conf and psk.txt configuration should look for the following tunnel scenario.
>
> Scenario: I have a couple of tunnels between 2 peers, each tunnel having
> its own peer1 endpoint but the same peer2 endpoint.
>
>     Peer1                                            Peer2
>     A1 (1.1.1.1) (PSK: Secret1) <------------> B1 (1.1.1.3)   (Tunnel 1) (PSK: Secret1)
>     A2 (1.1.1.2) (PSK: Secret2) <------------> B1 (1.1.1.3)   (Tunnel 2) (PSK: Secret2)
>
>     -------------> both these tunnels have their own secrets, Secret1 and Secret2.
>
> Is this kind of scenario supported by racoon? What happens if we
> initiate traffic from the traffic selectors of both tunnels? Will the negotiations
> succeed?
> Please provide some example configurations if any exist for this kind of
> scenario.

On the 'Peer1' machines, you would have a psk.txt with

    1.1.1.3 Secret1

and

    1.1.1.3 Secret2

On Peer2, this would be

    1.1.1.1 Secret1
    1.1.1.2 Secret2
From: Reshma B. <res...@gm...> - 2012-06-28 07:39:45
Hi,

How should racoon.conf look? Does racoon support having multiple remote sections inside racoon.conf for the same remote with different proposals?

How will racoon identify which is the correct remote section from racoon.conf for a particular tunnel?

Following is the racoon.conf on peer1, with psk.txt the same as mentioned by you.
With this configuration I am not able to achieve the intended behavior, i.e. not able to establish both tunnels with peer1 as initiator.

Is this configuration correct? Could you please clarify what the correct configuration is?

    # cat racoon.conf
    #!/usr/local/6bin/racoon
    # FlexiPlatform Racoon configuration file

    # This file is automatically created, DO NOT EDIT THIS!
    path pre_shared_key "/root/secret.psk";
    path certificate "/etc/ipsec/certs/ipsec.d/";
    remote 44.0.0.2
    {
            exchange_mode main;
            my_identifier address 44.0.0.1;
            nat_traversal off ;
            script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
            script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
            lifetime time 1200 secs;
            # phase 1 proposal (for ISAKMP SA)
            proposal {
                    encryption_algorithm aes;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo subnet 33.0.0.0/24 1 subnet 33.0.0.0/24 1
    {
            lifetime time 600 secs;
            encryption_algorithm aes;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
            encapdscp on;
    }

    remote 44.0.0.2
    {
            exchange_mode main;
            my_identifier address 44.0.0.3;
            nat_traversal off ;
            script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
            script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
            lifetime time 2400 secs;
            # phase 1 proposal (for ISAKMP SA)
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo subnet 55.0.0.0/24 1 subnet 55.0.0.0/24 1
    {
            lifetime time 1200 secs;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
            encapdscp on;
    }

    listen {
            adminsock "/etc/ipsec/0/ike1/.racoon_admin";
            isakmp 44.0.0.1 [500];
            isakmp 44.0.0.3 [500];
    }

Thanks,
Reshma

On Wed, Jun 27, 2012 at 5:14 PM, Rainer Weikusat <rwe...@mo...> wrote:
> Reshma Begam <res...@gm...> writes:
> > Could someone please help me in understanding how the
> > racoon.conf and psk.txt configuration should look for the following tunnel scenario.
> >
> > Scenario: I have a couple of tunnels between 2 peers, each tunnel having
> > its own peer1 endpoint but the same peer2 endpoint.
> >
> >     Peer1                                            Peer2
> >     A1 (1.1.1.1) (PSK: Secret1) <------------> B1 (1.1.1.3)   (Tunnel 1) (PSK: Secret1)
> >     A2 (1.1.1.2) (PSK: Secret2) <------------> B1 (1.1.1.3)   (Tunnel 2) (PSK: Secret2)
> >
> >     -------------> both these tunnels have their own secrets, Secret1 and Secret2.
> >
> > Is this kind of scenario supported by racoon? What happens if we
> > initiate traffic from the traffic selectors of both tunnels? Will the
> > negotiations succeed?
> > Please provide some example configurations if any exist for this kind of
> > scenario.
>
> On the 'Peer1' machines, you would have a psk.txt with
>
>     1.1.1.3 Secret1
>
> and
>
>     1.1.1.3 Secret2
>
> On Peer2, this would be
>
>     1.1.1.1 Secret1
>     1.1.1.2 Secret2
>

--
Regards,
Reshma
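Added example, not code from this thread and not from ipsec-tools: a small Python model of how racoon reads psk.txt, run over the two layouts discussed above (Rainer's per-machine psk.txt, and the single-host peer1 variant implied by the listen {} block with both 44.0.0.1 and 44.0.0.3). Its assumptions, to be verified against the racoon version in use, are: the racoon.conf(5) psk.txt format (identifier, whitespace, key to end of line; lines starting with '#' ignored; keys beginning with 0x are hex), first-match lookup by identifier as in the ipsec-tools getpsk() source, and the rule that the file must be owned by the user running racoon and not be group- or world-accessible. The sample psk.txt contents are constructed.

```python
"""Model of racoon's psk.txt lookup, with checks for a two-tunnel layout.

Added example, not code from the mailing-list thread or from ipsec-tools.
Assumed behaviour (racoon.conf(5) and the ipsec-tools getpsk() source;
check your own version):
  - one entry per line: identifier, whitespace, key; a line whose first
    character is '#' is ignored; the key runs to end of line
  - a key written as 0x... is hex, otherwise the literal bytes are used
  - the FIRST line whose identifier matches is used; later ones are ignored
  - racoon refuses a psk file that is group- or world-accessible
"""
import stat
from typing import Dict, List, Optional, Tuple

Entry = Tuple[int, str, bytes]  # (line number, identifier, key bytes)

# Constructed sample: psk.txt if both peer1 endpoints live on ONE host,
# i.e. Rainer's two per-machine files merged into a single file.
PEER1_PSK_TXT = (
    "# peer1: both tunnels terminate on this host\n"
    "1.1.1.3 Secret1\n"
    "1.1.1.3 Secret2\n"
)

# Constructed sample: psk.txt on peer2, second key written in hex.
PEER2_PSK_TXT = (
    "1.1.1.1 Secret1\n"
    "1.1.1.2 0x53656372657432\n"
)


def parse_psk(text: str) -> List[Entry]:
    """Walk psk.txt the way getpsk() is assumed to (see module docstring)."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if not raw or raw[0] == "#":
            continue
        # identifier: everything up to the first whitespace character
        i = 0
        while i < len(raw) and not raw[i].isspace():
            i += 1
        # key: after the whitespace run, to end of line (trailing blanks kept)
        j = i
        while j < len(raw) and raw[j].isspace():
            j += 1
        if i == 0 or j >= len(raw):
            continue  # no second field: the line is skipped silently
        ident, keytext = raw[:i], raw[j:]
        key = bytes.fromhex(keytext[2:]) if keytext.startswith("0x") else keytext.encode()
        entries.append((lineno, ident, key))
    return entries


def lookup_psk(entries: List[Entry], ident: str) -> Optional[bytes]:
    """First match wins (assumed); None means phase 1 cannot authenticate ident."""
    for _, i, key in entries:
        if i == ident:
            return key
    return None


def shadowed_identifiers(entries: List[Entry]) -> Dict[str, List[int]]:
    """Identifiers listed more than once: under first-match, only the first line is used."""
    seen: Dict[str, List[int]] = {}
    for lineno, ident, _ in entries:
        seen.setdefault(ident, []).append(lineno)
    return {k: v for k, v in seen.items() if len(v) > 1}


def psk_file_mode_ok(st_mode: int) -> bool:
    """True if the assumed racoon permission check (regular file, no g/o bits) passes."""
    return stat.S_ISREG(st_mode) and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    peer1 = parse_psk(PEER1_PSK_TXT)
    print("peer1 key used for 1.1.1.3:", lookup_psk(peer1, "1.1.1.3"))
    print("peer1 shadowed identifiers:", shadowed_identifiers(peer1))
    peer2 = parse_psk(PEER2_PSK_TXT)
    print("peer2 key used for 1.1.1.2:", lookup_psk(peer2, "1.1.1.2"))
    print("mode 0600 ok:", psk_file_mode_ok(0o100600), "| mode 0644 ok:", psk_file_mode_ok(0o100644))
```

Under the first-match assumption, a single psk.txt with two `1.1.1.3` lines makes Secret2 unreachable: both tunnels from that host would be authenticated with Secret1, and the one peer2 expects Secret2 for fails in phase 1. The lookup is keyed by the peer's IP address because in IKEv1 main mode with pre-shared keys the responder has to derive SKEYID before it has seen the initiator's identity payload, so per-tunnel secrets to the same peer address need separate hosts (as in Rainer's layout) or a different identifier scheme.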
From: Reshma B. <res...@gm...> - 2012-06-28 10:44:12
Hi,

Could someone please reply, as we are completely blocked by the issue below. Your help in this regard will be appreciated.

Thanks,
Reshma

On Thu, Jun 28, 2012 at 1:09 PM, Reshma Begam <res...@gm...> wrote:
> Hi,
>
> How should racoon.conf look? Does racoon support having multiple remote
> sections inside racoon.conf for the same remote with different proposals?
>
> How will racoon identify which is the correct remote section from
> racoon.conf for a particular tunnel?
>
> Following is the racoon.conf on peer1, with psk.txt the same
> as mentioned by you.
> With this configuration I am not able to achieve the intended behavior, i.e. not
> able to establish both tunnels with peer1 as initiator.
>
> Is this configuration correct? Could you please clarify what the
> correct configuration is?
>
>     # cat racoon.conf
>     #!/usr/local/6bin/racoon
>     # FlexiPlatform Racoon configuration file
>
>     # This file is automatically created, DO NOT EDIT THIS!
>     path pre_shared_key "/root/secret.psk";
>     path certificate "/etc/ipsec/certs/ipsec.d/";
>     remote 44.0.0.2
>     {
>             exchange_mode main;
>             my_identifier address 44.0.0.1;
>             nat_traversal off ;
>             script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
>             script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
>             lifetime time 1200 secs;
>             # phase 1 proposal (for ISAKMP SA)
>             proposal {
>                     encryption_algorithm aes;
>                     hash_algorithm md5;
>                     authentication_method pre_shared_key;
>                     dh_group 2;
>             }
>     }
>
>     sainfo subnet 33.0.0.0/24 1 subnet 33.0.0.0/24 1
>     {
>             lifetime time 600 secs;
>             encryption_algorithm aes;
>             authentication_algorithm hmac_md5;
>             compression_algorithm deflate;
>             encapdscp on;
>     }
>
>     remote 44.0.0.2
>     {
>             exchange_mode main;
>             my_identifier address 44.0.0.3;
>             nat_traversal off ;
>             script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
>             script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
>             lifetime time 2400 secs;
>             # phase 1 proposal (for ISAKMP SA)
>             proposal {
>                     encryption_algorithm 3des;
>                     hash_algorithm md5;
>                     authentication_method pre_shared_key;
>                     dh_group 2;
>             }
>     }
>
>     sainfo subnet 55.0.0.0/24 1 subnet 55.0.0.0/24 1
>     {
>             lifetime time 1200 secs;
>             encryption_algorithm 3des;
>             authentication_algorithm hmac_md5;
>             compression_algorithm deflate;
>             encapdscp on;
>     }
>
>     listen {
>             adminsock "/etc/ipsec/0/ike1/.racoon_admin";
>             isakmp 44.0.0.1 [500];
>             isakmp 44.0.0.3 [500];
>     }
>
> Thanks,
> Reshma
>
> On Wed, Jun 27, 2012 at 5:14 PM, Rainer Weikusat <rwe...@mo...> wrote:
>> Reshma Begam <res...@gm...> writes:
>> > Could someone please help me in understanding how the
>> > racoon.conf and psk.txt configuration should look for the following tunnel scenario.
>> >
>> > Scenario: I have a couple of tunnels between 2 peers, each tunnel having
>> > its own peer1 endpoint but the same peer2 endpoint.
>> >
>> >     Peer1                                            Peer2
>> >     A1 (1.1.1.1) (PSK: Secret1) <------------> B1 (1.1.1.3)   (Tunnel 1) (PSK: Secret1)
>> >     A2 (1.1.1.2) (PSK: Secret2) <------------> B1 (1.1.1.3)   (Tunnel 2) (PSK: Secret2)
>> >
>> >     -------------> both these tunnels have their own secrets, Secret1 and Secret2.
>> >
>> > Is this kind of scenario supported by racoon? What happens if we
>> > initiate traffic from the traffic selectors of both tunnels? Will the
>> > negotiations succeed?
>> > Please provide some example configurations if any exist for this kind of
>> > scenario.
>>
>> On the 'Peer1' machines, you would have a psk.txt with
>>
>>     1.1.1.3 Secret1
>>
>> and
>>
>>     1.1.1.3 Secret2
>>
>> On Peer2, this would be
>>
>>     1.1.1.1 Secret1
>>     1.1.1.2 Secret2
>>
>
> --
> Regards,
> Reshma

--
Regards,
Reshma