From: Yann D. <do...@fu...> - 2007-03-09 14:39:07
Hello,

Yesterday I upgraded my VPN server from Kernel 2.6.14.3 to 2.6.20.1; everything is fine except Racoon, which broke during the process.

I've two configured tunnels and both start and negotiate without any problem (I'm starting the tunnel with a ping to a private IP on the remote net). The last lines of the negotiation are:

Mar 9 14:27:55 darkstar racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel <IP 1 masked>[0]-><IP 2 masked>[0] spi=140195921(0x85b3851)
Mar 9 14:27:55 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel <IP 1 masked>[0]-><IP 2 masked>[0] spi=140195921(0x85b3851)

The other end is ok too. After setup the tunnel doesn't route anything; traffic doesn't go through. Rebooting to 2.6.14 immediately fixes the problem.

I'm running Racoon 0.6.6.

Any idea? Any trace that would help to diagnose?

--
Yann Doussot - FullSIX
+33 6 12 71 70 03
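One trace that helps with the "IPsec-SA established, but no traffic" symptom is to check that every SA racoon logged actually landed in the kernel SAD and that each tunnel has an SA in both directions. The script below is an added example, not from this thread or from ipsec-tools; the racoon log lines follow the format quoted above and the `setkey -D` dump is constructed in setkey's SAD dump layout, with RFC 5737 test addresses and placeholder SPIs.

```python
import re

# Constructed racoon syslog lines in the format quoted in the mail (RFC 5737 addresses).
RACOON_LOG = """\
Mar  9 14:27:55 darkstar racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 203.0.113.10[0]->198.51.100.20[0] spi=140195921(0x85b3851)
Mar  9 14:27:55 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->198.51.100.20[0] spi=140195921(0x85b3851)
Mar  9 14:27:56 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.20[0]->203.0.113.10[0] spi=2460023456(0x92a0c6a0)
Mar  9 14:30:01 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->192.0.2.77[0] spi=305419896(0x12345678)
Mar  9 14:30:01 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.77[0]->203.0.113.10[0] spi=305419897(0x12345679)
"""
# Constructed `setkey -D` SAD dump from the same host. The 192.0.2.77->203.0.113.10
# SA that racoon logged is missing from the kernel (key/counter lines omitted).
SETKEY_DUMP = """\
203.0.113.10 198.51.100.20
	esp mode=tunnel spi=140195921(0x085b3851) reqid=0(0x00000000)
198.51.100.20 203.0.113.10
	esp mode=tunnel spi=2460023456(0x92a0c6a0) reqid=0(0x00000000)
203.0.113.10 192.0.2.77
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
"""

RACOON_SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\w+)/\w+ "
    r"(?P<src>[\w.:]+)\[\d+\]->(?P<dst>[\w.:]+)\[\d+\] spi=(?P<spi>\d+)")
SAD_HEAD_RE = re.compile(r"^(?P<src>[\w.:]+) (?P<dst>[\w.:]+)\s*$")   # "src dst" header
SAD_ENTRY_RE = re.compile(r"^\s+(?P<proto>\w+) mode=\w+ spi=(?P<spi>\d+)")  # indented SA line

def racoon_sas(log):
    # SAs racoon reports as established, as {(src, dst, proto, spi)}
    return {(m["src"], m["dst"], m["proto"].lower(), int(m["spi"]))
            for m in RACOON_SA_RE.finditer(log)}

def kernel_sas(dump):
    # SAs actually installed in the kernel SAD, parsed from `setkey -D` output
    sas, endpoints = set(), None
    for line in dump.splitlines():
        head = SAD_HEAD_RE.match(line)
        if head:
            endpoints = (head["src"], head["dst"])   # applies to the indented lines below
            continue
        entry = SAD_ENTRY_RE.match(line)
        if entry and endpoints:
            sas.add(endpoints + (entry["proto"].lower(), int(entry["spi"])))
    return sas

def diagnose(log, dump):
    # Returns (SAs racoon logged but the kernel lacks, endpoint pairs with one direction only)
    logged, installed = racoon_sas(log), kernel_sas(dump)
    missing = sorted(logged - installed)
    pairs = {(src, dst) for src, dst, _, _ in installed}
    one_way = sorted(p for p in pairs if (p[1], p[0]) not in pairs)
    return missing, one_way
```

On a live host, feed `diagnose()` the racoon log and the output of `setkey -D`; an SA in `missing` or a pair in `one_way` points at the kernel side (xfrm/pfkey) rather than at IKE negotiation.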
From: Guillaume <sil...@fr...> - 2007-03-12 10:01:45
Yann Doussot wrote:
> Hello,
>
> Yesterday I upgraded my VPN server from Kernel 2.6.14.3 to 2.6.20.1,
> everything is fine except Racoon which broke during the process.
>
> I've two configured tunnels and both start and negotiate without any
> problem (I'm starting the tunnel with a ping to a private IP on the
> remote net). The last lines of the negotiation are
>
> Mar 9 14:27:55 darkstar racoon: DEBUG: pfkey UPDATE succeeded:
> ESP/Tunnel <IP 1 masked>[0]-><IP 2 masked>[0] spi=140195921(0x85b3851)
> Mar 9 14:27:55 darkstar racoon: INFO: IPsec-SA established: ESP/Tunnel
> <IP 1 masked>[0]-><IP 2 masked>[0] spi=140195921(0x85b3851)
>
> The other end is ok too. After setup the tunnel doesn't route anything,
> traffic doesn't go through. Rebooting to 2.6.14 immediately fixes the problem.
>
> I'm running Racoon 0.6.6
>
> Any idea? Any trace that would help to diagnose?
>
> --
> Yann Doussot - FullSIX
> +33 6 12 71 70 03

Hi,

I don't know if it is related, as I don't know how you set up your kernel. But I know of a difference between 2.6.14 and 2.6.20 about IPsec: there are now 2 different modules for Tunnel mode and Transport mode. Previously, we didn't have to worry about the type of transport. Are you sure you didn't make any mistake about that?

And also, all IPsec-related options have moved from "devices -> networking -> options" to "Networking -> Networking options".

I hope this helps.

Regards,
Guillaume

--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net ---- Site: http://www.free-4ever.net
From: Enliang X. <Enl...@de...> - 2007-03-13 01:51:20
Attachments:
network_structure.jpg
Hi all,

I've met trouble when I attempt to create a VPN between my PC and the LAN in my home. The structure of my network is illustrated in the attachment.

First, I have no idea how to configure the /etc/setkey.conf file, because the two endpoints on the Internet both have dynamic IPs. How do I specify the "add" statements for the SAD and the "spd" statements? I've tried to add an SAD entry like this:

add 192.168.0.250 anonymous ah 0x200 -A hmac-sha2-256 0x7d5555f0355edabbb2e6e9a9c2d0ece421adbfaf94e953fe807e34ab22501d7c;

But I got the "Name or service not known at [ah]" error message after I ran the command "/sbin/setkey -f /etc/setkey.conf". I think maybe I cannot use AH in this environment even if I use UDP encapsulation. But for ESP, I still don't know how to set up the dynamic client IP address in "add" statements.

I doubt whether it is possible to create a VPN with such a network structure. I've read many articles about ipsec-tools over NAT-T, but all these articles assume that the IP address of the NAT gateway is static or that the client has a static IP. I cannot find any document that illustrates the situation where both the client and server side have dynamic IPs.

Could anyone please help me with this?

Thanks,
Enliang.