From: Yang H. <yan...@gm...> - 2013-01-10 18:33:06
I noticed that racoon.conf supports an IP address range in the "sainfo" statement (even though it is undocumented). For example, if the local policy IP address range is 10.10.1.1 - 10.10.1.2 and the remote policy IP address range is 192.168.10.99 - 192.168.10.101, I can use the sainfo statement in racoon.conf as below:

    sainfo address 10.10.1.1-10.10.1.2 any address 192.168.10.99-192.168.10.101 any {
        other stuff ...
    }

I wonder whether setkey supports similar IP range syntax in setkey.conf? Otherwise, I need to use the following lengthy approach.

    flush;
    spdflush;
    spdadd 192.168.10.99/32 10.10.1.1/32 any -P in ipsec esp/tunnel/172.24.1.170-172.24.1.166/require;
    spdadd 10.10.1.1/32 192.168.10.99/32 any -P out ipsec esp/tunnel/172.24.1.166-172.24.1.170/require;
    spdadd 192.168.10.99/32 10.10.1.2/32 any -P in ipsec esp/tunnel/172.24.1.170-172.24.1.166/require;
    spdadd 10.10.1.2/32 192.168.10.99/32 any -P out ipsec esp/tunnel/172.24.1.166-172.24.1.170/require;
    spdadd 192.168.10.100/31 10.10.1.1/32 any -P in ipsec esp/tunnel/172.24.1.170-172.24.1.166/require;
    spdadd 10.10.1.1/32 192.168.10.100/31 any -P out ipsec esp/tunnel/172.24.1.166-172.24.1.170/require;
    spdadd 192.168.10.100/31 10.10.1.2/32 any -P in ipsec esp/tunnel/172.24.1.170-172.24.1.166/require;
    spdadd 10.10.1.2/32 192.168.10.100/31 any -P out ipsec esp/tunnel/172.24.1.166-172.24.1.170/require;
    spdadd 172.24.1.170/32 172.24.1.166/32 any -P in ipsec esp/tunnel/172.24.1.170-172.24.1.166/require;
    spdadd 172.24.1.166/32 172.24.1.170/32 any -P out ipsec esp/tunnel/172.24.1.166-172.24.1.170/require;

Another question: how do I initiate the VPN Phase 2 connection for the IP range case? I have no problem establishing the Phase 1 SA using the following command:

    racoonctl es isakmp inet 172.24.1.166 172.24.1.170

If I try "ping -I eth1 -c 1 192.168.10.100" to establish the Phase 2 connection, it fails to get sainfo with the following log.

    2013-01-10 10:24:24: DEBUG: suitable outbound SP found: 10.10.1.1/32[0] 192.168.10.100/31[0] proto=any dir=out.
    2013-01-10 10:24:24: INFO: $$$$$$$$$ getsp 1
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87deb60: 172.24.1.166/32[0] 172.24.1.170/32[0] proto=any dir=out
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87dede8: 172.24.1.170/32[0] 172.24.1.166/32[0] proto=any dir=fwd
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87df070: 172.24.1.170/32[0] 172.24.1.166/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87df2f8: 10.10.1.2/32[0] 192.168.10.100/31[0] proto=any dir=out
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87df580: 192.168.10.100/31[0] 10.10.1.2/32[0] proto=any dir=fwd
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87df808: 192.168.10.100/31[0] 10.10.1.2/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87dfa90: 10.10.1.1/32[0] 192.168.10.100/31[0] proto=any dir=out
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87dfd18: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=fwd
    2013-01-10 10:24:24: DEBUG: sub:0xbfe8a770: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: db :0x87dffa0: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in
    2013-01-10 10:24:24: DEBUG: suitable inbound SP found: 192.168.10.100/31[0] 10.10.1.1/32[0] proto=any dir=in.
    2013-01-10 10:24:24: DEBUG: new acquire 10.10.1.1/32[0] 192.168.10.100/31[0]proto=any dir=out
    2013-01-10 10:24:24: [172.24.1.170] DEBUG2: Checking remote conf "s2s" 172.24.1.170[500].
    2013-01-10 10:24:24: DEBUG2: enumrmconf: "s2s" matches.
    2013-01-10 10:24:24: [172.24.1.170] DEBUG: configuration "s2s" selected.
    2013-01-10 10:24:24: DEBUG: getsainfo params: loc='10.10.1.1' rmt=' 192.168.10.100/31' peer='NULL' client='NULL' id=2
    2013-01-10 10:24:24: DEBUG: evaluating sainfo: loc='10.10.1.1-10.10.1.2', rmt='192.168.10.99-192.168.10.101', peer='ANY', id=2
    2013-01-10 10:24:24: DEBUG: check and compare ids : id type mismatch IPv4_address_range != IPv4_address
    2013-01-10 10:24:24: ERROR: failed to get sainfo.

My local VPN gateway is Fedora 10 running ipsec-tools-0.8.0. The remote VPN gateway is a D-Link DSR-500N. Thanks a lot for any help.
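The hand-enumerated spdadd list in the post is what you get by splitting each address range into the fewest CIDR blocks that cover it exactly and then writing one in/out policy pair per (remote block, local block). The script below is an added example, not code from the post or from ipsec-tools: it regenerates that list from the ranges and gateway addresses the post gives, using only the prefix-form selectors the post itself uses, and it adds a small matcher that shows which SP entry a packet such as the post's ping (10.10.1.1 to 192.168.10.100, outbound) selects, mirroring the "suitable outbound SP found" line in the log. The names of the functions and the fixed in/out ordering are assumptions made here.

```python
import ipaddress
import re

# Constructed sample values taken from the post: local hosts 10.10.1.1-10.10.1.2
# behind gateway 172.24.1.166, remote hosts 192.168.10.99-192.168.10.101 behind
# gateway 172.24.1.170.
LOCAL_RANGE = ("10.10.1.1", "10.10.1.2")
REMOTE_RANGE = ("192.168.10.99", "192.168.10.101")
LOCAL_GW = "172.24.1.166"
REMOTE_GW = "172.24.1.170"


def range_to_blocks(first, last):
    """Split an inclusive address range into the fewest CIDR blocks covering it
    exactly, e.g. 192.168.10.99-192.168.10.101 -> 192.168.10.99/32, 192.168.10.100/31.
    These are the prefix-form selectors that spdadd lines carry."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def spd_policies(local_range, remote_range, local_gw, remote_gw,
                 proto="any", level="require"):
    """Emit setkey.conf lines: flush, then one in/out spdadd pair per
    (remote block, local block), then the gateway-to-gateway pair, in the same
    order as the post's hand-written list."""
    tun_in = f"esp/tunnel/{remote_gw}-{local_gw}/{level}"
    tun_out = f"esp/tunnel/{local_gw}-{remote_gw}/{level}"
    lines = ["flush;", "spdflush;"]
    for rmt in range_to_blocks(*remote_range):
        for loc in range_to_blocks(*local_range):
            lines.append(f"spdadd {rmt} {loc} {proto} -P in ipsec {tun_in};")
            lines.append(f"spdadd {loc} {rmt} {proto} -P out ipsec {tun_out};")
    lines.append(f"spdadd {remote_gw}/32 {local_gw}/32 {proto} -P in ipsec {tun_in};")
    lines.append(f"spdadd {local_gw}/32 {remote_gw}/32 {proto} -P out ipsec {tun_out};")
    return lines


# Parses the spdadd lines this script generates (assumed fixed shape, not a
# general setkey.conf parser).
SPDADD_RE = re.compile(r"^spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec (\S+);$")


def find_policy(lines, src, dst, direction):
    """Return (src_selector, dst_selector, policy) for the first spdadd entry
    whose selectors contain src/dst in the given direction, or None.
    This is the SP lookup that precedes the phase 2 acquire in the post's log."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in lines:
        m = SPDADD_RE.match(line)
        if not m:
            continue
        src_sel, dst_sel, _proto, dir_, policy = m.groups()
        if dir_ != direction:
            continue
        if (s in ipaddress.ip_network(src_sel, strict=False)
                and d in ipaddress.ip_network(dst_sel, strict=False)):
            return src_sel, dst_sel, policy
    return None


if __name__ == "__main__":
    conf = spd_policies(LOCAL_RANGE, REMOTE_RANGE, LOCAL_GW, REMOTE_GW)
    print("\n".join(conf))
    # The ping from the post: 10.10.1.1 -> 192.168.10.100, outbound.
    print(find_policy(conf, "10.10.1.1", "192.168.10.100", "out"))
```

Note that the selector the matcher returns for the ping, 10.10.1.1/32 to 192.168.10.100/31, is exactly what the log shows racoon handing to getsainfo as rmt='192.168.10.100/31', i.e. a prefix, which is the value the sainfo range comparison then reports as an id type mismatch.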