From: <jji...@co...> - 2007-09-18 21:40:12
Hello list,

Please excuse me for subscribing to a devel list to ask for support, but I didn't find any other place to get help. If you can help me or point me to the right place I will really appreciate it! If you don't hate me at this moment and have some minutes to help a user, I have the following problem:

I have to set up a VPN between a Debian etch server and a Nortel Contivity 1750; behind this router lives the server I need to reach. (I only control the Debian server.)

Network topology:

  MyServer (DEBIAN)        public IP: A.A.A.A/28
  ExternalRouter (NORTEL)  public IP: B.B.B.125/32
  ExternalServer           public IP: B.B.B.118/32

I don't have a router, and I'm not using firewalls nor NAT, to avoid complications. I found documentation for joining two private LANs, or for configuring the gateways, but not about configuring racoon on a server to connect to an existing VPN.

I am using Debian, so I installed with "aptitude install racoon", which installed "ipsec-tools" as a dependency, and I used racoon-tool. My /etc/racoon/racoon-tool.conf contains:

_________
# How to control the syslog level
global:
	log: notify

peer(B.B.B.125):
	exchange_mode: main
	lifetime: time 60 min
	hash_algorithm[0]: md5
	encryption_algorithm[0]: 3des
	authentication_method[0]: pre_shared_key
	dh_group[0]: 2

connection(me-they):
	src_ip: A.A.A.A
	dst_ip: B.B.B.125
	src_range: A.A.A.128/28
	dst_range: B.B.B.118/32
	admin_status: enabled
	lifetime: time 1410 min
	authentication_algorithm: hmac_md5
	encryption_algorithm: 3des
___________

When I tried to telnet or ping B.B.B.118 I get the following log from syslog:

__________
Sep 18 16:03:50 myserver racoon: INFO: IPsec-SA request for B.B.B.125 queued due to no phase1 found.
Sep 18 16:03:50 myserver racoon: INFO: initiate new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.125[500]
Sep 18 16:03:50 myserver racoon: INFO: begin Identity Protection mode.
Sep 18 16:03:50 myserver racoon: INFO: received Vendor ID: DPD
Sep 18 16:03:50 myserver racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Sep 18 16:03:50 myserver racoon: INFO: ISAKMP-SA established A.A.A.A[500]-B.B.B.125[500] spi:6d1a2cb39e6fc8cd:2c15622583be4b45
Sep 18 16:03:51 myserver racoon: INFO: purging ISAKMP-SA spi=6d1a2cb39e6fc8cd:2c15622583be4b45.
Sep 18 16:03:51 myserver racoon: INFO: purged ISAKMP-SA spi=6d1a2cb39e6fc8cd:2c15622583be4b45.
Sep 18 16:03:52 myserver racoon: INFO: ISAKMP-SA deleted 65.247.241.140[500]-200.1.124.125[500] spi:6d1a2cb39e6fc8cd:2c15622583be4b45
Sep 18 16:04:21 myserver racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP B.B.B.125[0]->A.A.A.A[0]
Sep 18 16:04:21 myserver racoon: INFO: delete phase 2 handler.
_____________________

If I am right, racoon is being called when I telnet or ping the server B.B.B.118, however I don't get a response... I contacted the external router/server admin, and he says I complete phase 1, but the packets his server receives come from the internet, not from the tunnel, and that's why the server doesn't answer me.

I tried using things like:

  ip route add B.B.B.118 via B.B.B.125 src A.A.A.A

Somewhere I found that I had to use:

  ip route add OTHER_NETWORK via LOCAL_DEFAULT_GW src INTERNAL_IP

but it didn't work either. The command "setkey -DP" gives me:

B.B.B.118[any] A.A.A.128/28[any] any
	in ipsec
	esp/tunnel/B.B.B.125-A.A.A.A/unique#16385
	created: Sep 18 16:03:37 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=2352 seq=12 pid=9173
	refcnt=1
A.A.A.128/28[any] B.B.B.118[any] any
	out ipsec
	esp/tunnel/A.A.A.A-B.B.B.125/unique#16384
	created: Sep 18 16:03:37 2007  lastused: Sep 18 16:03:50 2007
	lifetime: 0(s) validtime: 0(s)
	spid=2345 seq=11 pid=9173
	refcnt=1
B.B.B.118[any] A.A.A.128/28[any] any
	fwd ipsec
	esp/tunnel/B.B.B.125-A.A.A.A/require
	created: Sep 18 16:03:37 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=2362 seq=10 pid=9173
	refcnt=1

I enabled forwarding in /etc/sysctl.conf and in /proc/sys/net/ipv4/ip_forward.

I DON'T KNOW WHAT ELSE I SHOULD DO TO MAKE IT WORK, CAN SOMEBODY GIVE ME A HAND PLEASE?

Thanks in advance for any help,

Jorge
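As an added example (not from the post above or from the racoon/ipsec-tools project), here is a small Python checker that parses policy output in the layout `setkey -DP` prints and reports whether a packet leaving the host would be caught by an "out ipsec" selector or leave in the clear. It is a way to verify, on the sending side, the situation the remote admin describes (traffic arriving outside the tunnel); all addresses below are constructed placeholders, not the poster's.

```python
import ipaddress
import re

# Constructed sample in the layout printed by `setkey -DP` (not the poster's
# real output): the host 192.0.2.130 has an outbound policy for 192.0.2.128/28.
SPD_DUMP = """\
198.51.100.118[any] 192.0.2.128/28[any] any
\tin ipsec
\tesp/tunnel/198.51.100.125-192.0.2.130/unique#16385
192.0.2.128/28[any] 198.51.100.118[any] any
\tout ipsec
\tesp/tunnel/192.0.2.130-198.51.100.125/unique#16384
"""

# "src[port] dst[port] proto" selector line, followed by an indented action line.
SELECTOR = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] (\S+)$")
ACTION = re.compile(r"^\s+(in|out|fwd) (ipsec|discard|none)$")


def parse_spd(text):
    """Return (direction, src_net, dst_net, action) tuples from a setkey -DP dump."""
    policies, pending = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            # A bare address parses as a /32 network; strict=False keeps host bits.
            pending = (ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = ACTION.match(line)
        if m and pending is not None:
            policies.append((m.group(1), pending[0], pending[1], m.group(2)))
            pending = None
    return policies


def outbound_policy(policies, src_ip, dst_ip):
    """Action for a packet src->dst leaving this host: the matching 'out' policy's
    action ('ipsec', 'discard', 'none'), or 'clear' when no selector covers it,
    which means the packet is sent unprotected to the default route."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for direction, s_net, d_net, action in policies:
        if direction == "out" and src in s_net and dst in d_net:
            return action
    return "clear"


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    for src in ("192.0.2.130", "192.0.2.100"):
        print(src, "->", "198.51.100.118:", outbound_policy(spd, src, "198.51.100.118"))
```

A source address that falls outside the "out" selector's src range (the second case above) is exactly what the remote side would see as cleartext traffic from the internet.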