From: Mohsen <moh...@ya...> - 2010-06-05 11:56:27
Hi,

it seems nobody exists in the ipsec-tools-users group. I'm very curious to know if the developers of ipsec-tools could solve this problem?

Regards,
Mohsen

--- On Fri, 4/6/10, bored to death <bor...@ya...> wrote:

From: bored to death <bor...@ya...>
Subject: Re: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools
To: "bored to death" <bor...@ya...>, ips...@li...
Date: Friday, 4 June, 2010, 3:40 PM

So no one has any ideas about this?

I thought it might help if I show you my racoon.conf:

Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

padding
{
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

timer
{
        counter 5000;
        interval 20 sec;
        persend 1;
        # natt_keepalive 15 sec;
        phase1 30 sec;
        phase2 15 sec;
}

listen
{
        isakmp 192.168.10.1 [500];
}

remote 192.168.10.2 [500]
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 192.168.10.1;
        peers_identifier address 192.168.10.2;
        lifetime time 8 hour;
        passive off;
        proposal_check obey;
        # nat_traversal off;
        generate_policy off;
        weak_phase1_check on;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                lifetime time 30 sec;
                dh_group 1;
        }
}

sainfo (address 10.10.20.0/24 any address 10.10.10.0/24 any)
{
        pfs_group 1;
        lifetime time 36000 sec;
        encryption_algorithm 3des,des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

and my setkey.conf is:

Code:
flush;
spdflush;
spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.2/use;
spdadd 10.10.10.0/24 10.10.20.0/24 any -P in ipsec esp/tunnel/192.168.10.2-192.168.10.1/use;

and this is my ifconfig:

Code:
eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
        ether 00:22:64:98:d6:38
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 10.10.20.1 netmask 0xffffff00
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 192.168.10.1 --> 192.168.10.2
        inet 10.10.20.1 --> 10.10.10.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>

The other host has the exact same config, but of course just the IP addresses are reversed.

Did I set any parameters wrong?

From: bored to death <bor...@ya...>
To: ips...@li...
Sent: Thu, June 3, 2010 2:41:25 PM
Subject: [Ipsec-tools-users] setting IPSEC tunnel with ipsec-tools

Hi guys,

I asked this question on the FreeBSD forum, but no one has answered and I'm really stuck with this problem.

I'm trying to set up an IPsec tunnel on 2 FreeBSD hosts and I'm having a problem. I installed ipsec-tools-0.7.3 on freebsd-8.0. I defined gif0 and loopback addresses on localhost on each one and set up all required routes and racoon configs etc...

My problem is: when I start racoon on my hosts at the same time, my IPsec tunnel sets up and works perfectly. But if I run racoon on one host and after 1 or 2 minutes I start racoon on the other one, nothing happens and no packet from the isakmp ports of either of them is being sent.

I started the racoons in foreground mode, but no failure is being reported. The initiator racoon would say:

Code:
....
2010-06-02 15:08:14: DEBUG: policy.c:187:cmpspidxstrict(): sub:0xbfbfe2dc: 10.10.20.0/24[0] 10.10.10.0/24[0] proto=any dir=out
2010-06-02 15:08:14: DEBUG: policy.c:188:cmpspidxstrict(): db :0x28547148: 10.10.10.0/24[0] 10.10.20.0/24[0] proto=any dir=in
2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting

and when I start the other racoon after a minute, nothing else is being reported.

There sure has to be a configuration parameter of racoon to set this, but I tested everything and searched everywhere and nothing worked.

Can anyone help me? Any hints would be appreciated.

Thank you.
From: VANHULLEBUS Y. <va...@fr...> - 2010-06-14 15:45:07
On Sat, Jun 05, 2010 at 04:55:21AM -0700, Mohsen wrote:
> Hi,

Hi.

> it seems nobody exists in the ipsec-tools-users group.
> I'm very curious to know if the developers of ipsec-tools could solve this problem?

You have to use spdadd with traffic endpoints (which is the "usual" way for setting up IPsec tunnels) OR use a gif interface and set up a different configuration (set up the gif endpoints as traffic endpoints, as you'll do an extra IP-IP encapsulation).

Yvan.
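The two options Yvan describes, written out as setkey policy. This is an added example, not from the thread or from the ipsec-tools project; the addresses are the ones in the posted configuration, while the choice of transport mode for the gif variant and of the `require` level are assumptions about a corrected setup.

```conf
# Added example (not from the thread). Pick ONE of the two options below.

# Option A: plain tunnel mode, no gif0. The protected networks themselves are
# the traffic selectors, and racoon negotiates tunnel-mode ESP between the
# gateways 192.168.10.1 and 192.168.10.2. This is the "usual" layout.
flush;
spdflush;
spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.2/require;
spdadd 10.10.10.0/24 10.10.20.0/24 any -P in  ipsec esp/tunnel/192.168.10.2-192.168.10.1/require;

# Option B: keep gif0 and protect what it emits. gif0 already wraps the
# 10.10.20.0/24 <-> 10.10.10.0/24 traffic in IP-in-IP (IP protocol 4, "ipencap"
# in /etc/protocols) between the gif endpoints, so the policy selectors are the
# gif endpoints and the ipencap protocol, and ESP runs in transport mode.
# (Assumed layout; the sainfo block in racoon.conf must match the same
# selectors, or use "sainfo anonymous".)
flush;
spdflush;
spdadd 192.168.10.1/32 192.168.10.2/32 ipencap -P out ipsec esp/transport//require;
spdadd 192.168.10.2/32 192.168.10.1/32 ipencap -P in  ipsec esp/transport//require;
```

Two points worth checking whichever option is chosen. First, the posted policies use the `use` level, which per setkey(8) means "use IPsec if an SA exists, otherwise send in the clear", so a tunnel that silently failed to negotiate would carry traffic unprotected; `require` refuses to pass the matching traffic without an SA, which turns a negotiation problem into a visible outage instead of a cleartext leak. Second, the posted proposals (single DES, MD5, DH group 1, 3des) are well below current practice and should be replaced by stronger algorithms once the selector problem is solved.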