IPSec tunnel setup problems

Barry Irwin bvi at itouchlabs.com
Tue Apr 15 22:51:45 PDT 2003


Hi

Can I suggest you try using TCPdump to see what's going on as well.

Other things to check:
- Phase 1 settings are the same - dh_group etc.
- Phase 2 settings are the same (sainfo stuff): pfs, times etc.
- The psk files are chmod 600 (been caught by this one before)
- The psk files contain either both hosts with the appropriate key, or just
the remote host
- Try upping the debug level on racoon and see if it moans.

In my experience, I have had almost no trouble getting bsd-bsd IPSEC links
talking; the biggest pain has been with Checkpoint boxes.

--
Barry Irwin         bvi at itouchlabs.com                    Tel: +27214875178
Systems Administrator: Networks And Security
iTouch Technology
iTouch TAS      http://www.itouchlabs.com         Mobile: +27824457210


----- Original Message -----
From: "Damian Gerow" <damian at sentex.net>
To: "Ruslan Ermilov" <ru at freebsd.org>
Cc: <net at freebsd.org>
Sent: Wednesday, April 16, 2003 12:37 AM
Subject: Re: IPSec tunnel setup problems


> Thus spake Ruslan Ermilov (ru at freebsd.org) [15/04/03 18:04]:
> > > The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are
> > > exact mirrors, and the two racoon.conf's are mirrors (with configuration
> > > names changed to match directions).  It /feels/ like the remote (10.0.2.1)
> > > isn't finding the 'remote 10.0.1.1' configuration section that exists in
> > > there.  I yanked the 'remote anonymous' and 'sainfo anonymous'
> > > configurations to help narrow this down.
> > >
> > > Does anyone have any pointers?  Please reply personally, as I'm not
> > > subscribed.
> > >
> > Hmm, on my machines with IPSec tunnels the /etc/ipsec.conf's are
> > NOT the exact mirrors; they are mirrors except for the in/out
> > keywords.
>
> Yes, sorry, mine are the same way.  Two tunnels, two subnets.  Each has the
> appropriate 'out' rule and the appropriate 'in' rule.
>
>   - Damian
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
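Barry's checklist (psk file mode, psk entry for the peer, matching phase 1 and phase 2 parameters on both ends) can be run mechanically before turning up racoon's debug level. The script below is an added example and is not code from this thread, from racoon or from FreeBSD; the psk.txt lines, the 10.0.1.1/10.0.2.1 pair and the racoon.conf fragments it writes are constructed samples that only mirror the addresses in Damian's message, and the function names are mine. It assumes POSIX sh with awk, sed, diff and mktemp, and reads permissions from ls -l rather than stat(1) because stat's flags differ between BSD and GNU.

```sh
#!/bin/sh
# Added example: pre-flight checks for a racoon pre-shared-key tunnel.
# All file contents written by make_samples are constructed sample data.

# psk_mode_ok FILE -> 0 when no group/other permission bits are set (0600 or tighter).
psk_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-------
    case "$mode" in
        ????------) return 0 ;;            # chars 5-10 are group/other bits
        *)          return 1 ;;
    esac
}

# psk_has_peer FILE PEER -> 0 when a non-comment line's first field (the
# identifier racoon matches the peer against) equals PEER.
psk_has_peer() {
    awk -v peer="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == peer { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# racoon_params FILE -> the phase 1 / phase 2 parameters that must agree on
# both ends, with comments, trailing ';' and extra whitespace removed, sorted.
racoon_params() {
    sed -e 's/#.*//' -e 's/;[[:space:]]*$//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" \
    | grep -E '^(exchange_mode|dh_group|pfs_group|lifetime|encryption_algorithm|hash_algorithm|authentication_(method|algorithm)|compression_algorithm) ' \
    | sort
}

# racoon_mismatches FILE_A FILE_B -> prints how many parameter lines are present
# in one file but not the other; 0 means the phase 1/2 settings agree.
racoon_mismatches() {
    a=$(mktemp); b=$(mktemp)
    racoon_params "$1" > "$a"
    racoon_params "$2" > "$b"
    diff "$a" "$b" | grep '^[<>]' | wc -l | tr -d ' '
    rm -f "$a" "$b"
}

# make_samples DIR -> constructed sample files: psk.txt (0600), psk-open.txt
# (0644, the mistake in the checklist), left.conf/right.conf (mirrored ends
# that agree) and bad.conf (right.conf with a different dh_group).
make_samples() {
    dir=$1
    printf '# constructed sample psk.txt\n10.0.2.1 s3cret-sample-key\n' > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"
    cp "$dir/psk.txt" "$dir/psk-open.txt"
    chmod 644 "$dir/psk-open.txt"
    cat > "$dir/left.conf" <<'EOF'
remote 10.0.2.1 {
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
    sed -e 's/remote 10.0.2.1/remote 10.0.1.1/' \
        -e 's#address 10.0.1.0/24 any address 10.0.2.0/24#address 10.0.2.0/24 any address 10.0.1.0/24#' \
        "$dir/left.conf" > "$dir/right.conf"
    sed 's/dh_group 2/dh_group 5/' "$dir/right.conf" > "$dir/bad.conf"
}

# Stand-alone run over the constructed samples.
run_demo() {
    demo_dir=$(mktemp -d)
    make_samples "$demo_dir"
    for f in psk.txt psk-open.txt; do
        if psk_mode_ok "$demo_dir/$f"; then echo "$f: mode ok"
        else echo "$f: readable by group/other, chmod 600 it"; fi
    done
    if psk_has_peer "$demo_dir/psk.txt" 10.0.2.1; then echo "psk.txt: entry for 10.0.2.1 present"; fi
    echo "left.conf vs right.conf: $(racoon_mismatches "$demo_dir/left.conf" "$demo_dir/right.conf") mismatching parameter lines"
    echo "right.conf vs bad.conf:  $(racoon_mismatches "$demo_dir/right.conf" "$demo_dir/bad.conf") mismatching parameter lines"
    rm -rf "$demo_dir"
}
run_demo
```

On real hosts, point the functions at /usr/local/etc/racoon/psk.txt and the two racoon.conf files (the remote one fetched over ssh); the comparison deliberately strips only comments and whitespace, so a differing `lifetime` or `dh_group` shows up as two mismatching lines.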