From: Fernando D. <fr...@gm...> - 2006-08-14 19:15:32
I'd like to introduce myself. My name is Fernando and I am new to this list; of course I've subscribed because I need a little help, and I hope I'll be able to not just ask questions but help others too... thanks.

Well, my problem is that I can't generate the security policies in racoon using the widely known syntax. I put generate_policy on; passive on; remote anonymous and sainfo anonymous in my racoon.conf on the server side, but I always get the same error:

    2006-08-14 16:12:20: INFO: begin Aggressive mode.
    2006-08-14 16:12:20: INFO: received Vendor ID: DPD
    2006-08-14 16:12:20: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    2006-08-14 16:12:20: INFO: ISAKMP-SA established 123.123.123.123[500]-222.222.222.222[500] spi:b9ee1b7fde2dd49d:e6866b9d09d49cfb
    2006-08-14 16:12:20: INFO: respond new phase 2 negotiation: 123.123.123.123[500]<=>222.222.222.222[500]
    2006-08-14 16:12:20: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 222.222.222.222[0]->123.123.123.123[0] spi=188221412(0xb3807e4)
    2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 123.123.123.123[0]->222.222.222.222[0] spi=18652776(0x11c9e68)
    2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in"
    2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd"
    2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out"

My configuration files are:

Server side:

    path pre_shared_key "/etc/racoon/psk.txt";
    log debug;

    remote anonymous {
        exchange_mode aggressive;
        generate_policy on;
        passive on;
        proposal_check obey;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group modp1024;
            lifetime time 28800 second;
        }
    }

    sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        lifetime time 3600 second;
    }

Client side:

    path pre_shared_key "/etc/racoon/psk.txt";

    remote 123.123.123.123 {
        exchange_mode aggressive;
        initial_contact on;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group modp1024;
            lifetime time 28800 second;
        }
    }

    sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        lifetime time 3600 second;
    }

And both psk.txt files with the keys. With those files, commenting out the generate_policy on statement and running the following script on the server, the VPN works perfectly:

    #!/usr/sbin/setkey -f
    # Corrente:201.17.146.176
    flush;
    spdflush;
    spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
        esp/tunnel/222.222.222.222-123.123.123.123/require;
    spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/123.123.123.123-222.222.222.222/require;

BUT this script is only for testing, because the 222.222.222.222 side is dynamic, and of course I have another "inverted" script on the client; the client side is not a problem because I can easily get the IP address from the interface.

Am I missing some configuration? Any suggestions? Thanks a lot!

By the way, I'm running version 0.6.5 of ipsec-tools on both sides.
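An added example, not part of Fernando's post or of ipsec-tools: a small Python checker that runs over racoon log lines of the shape quoted above (a constructed sample using the post's placeholder addresses) and correlates "Update the generated policy" announcements, "such policy does not already exist" errors and established IPsec-SAs, so an operator can see at a glance that SAs came up while the SPD entries for all three directions failed.

```python
import re

# Constructed sample in the shape of the racoon log lines quoted in the post
# (same placeholder addresses as the post; not a real capture).
SAMPLE_LOG = """\
2006-08-14 16:12:20: INFO: ISAKMP-SA established 123.123.123.123[500]-222.222.222.222[500] spi:b9ee1b7fde2dd49d:e6866b9d09d49cfb
2006-08-14 16:12:20: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 222.222.222.222[0]->123.123.123.123[0] spi=188221412(0xb3807e4)
2006-08-14 16:12:21: INFO: IPsec-SA established: ESP/Tunnel 123.123.123.123[0]->222.222.222.222[0] spi=18652776(0x11c9e68)
2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in"
2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd"
2006-08-14 16:12:21: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
"""

# src[port] dst[port] proto=X dir=Y is how racoon prints a policy selector
POLICY_RE = re.compile(r"(\S+)\[\d+\]\s+(\S+)\[\d+\]\s+proto=(\S+)\s+dir=(\w+)")
GENERATED_RE = re.compile(r"INFO: Update the generated policy : (.+)$")
MISSING_RE = re.compile(r'ERROR: such policy does not already exist: "(.+)"$')
SA_RE = re.compile(r"INFO: IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")

def parse_policy(text):
    """Return (src, dst, proto, dir) from a racoon policy string, or None."""
    m = POLICY_RE.search(text)
    return m.groups() if m else None

def analyze(log_text):
    """Correlate generated-policy announcements, SPD update failures and SAs."""
    generated, missing, sas = [], [], []
    for line in log_text.splitlines():
        if m := SA_RE.search(line):
            sas.append((m.group(2), m.group(3), int(m.group(4))))
        elif m := GENERATED_RE.search(line):
            generated.append(parse_policy(m.group(1)))
        elif m := MISSING_RE.search(line):
            missing.append(parse_policy(m.group(1)))
    # SAs negotiated but every SPD update failed: the kernel may hold SAs
    # with no policy steering the listed selectors into the tunnel.
    return {
        "sa_count": len(sas),
        "generated": generated,
        "missing_dirs": [p[3] for p in missing if p],
        "announced_but_failed": [p for p in generated if p in missing],
        "sas_without_policy": bool(sas) and bool(missing),
    }

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"{r['sa_count']} SA(s) up; SPD update failed for dir(s): {', '.join(r['missing_dirs'])}")
```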