IPSEC, isakmpd, tunnel/transport encapsulation...

chris scott chris.scott at uk.tiscali.com
Sat Nov 4 23:44:07 UTC 2006


I tried to set up something exactly like you did. I could do it fine with 
FreeBSD boxes as I would do it via username, not IP. Never really got the 
problem sorted for Windows though. I ended up using OpenVPN instead. I 
would seriously recommend you try this solution as it's far easier to 
set up. Being as it runs over UDP or TCP, it runs into no issues with 
NAT like you do with IPSEC. If you run the server on TCP port 443 you 
can also get it to run through corp firewalls that require you to use a 
web proxy.


Chris


peter at alastria.net wrote:
> Good Evening,
>
> I apologise for what may end up being a stupid question, I'm getting
> towards my wits end. I've got a FreeBSD 6.2-PRERELEASE (cvsup of about
> 1300 GMT today) gateway which I'm attempting to run IPSEC/L2TP for
> wireless security.
>
> My client computers are Windows XP and Mac OS X, and the issue happens
> with both. No client has a fixed IP, so I want to permit any IP to
> establish an IPSEC session providing they know the preshared key.
>
> I'm using isakmpd for setup of the IPSEC side of things and hopefully
> SL2TPS for the L2TP side, although I'm not there yet.
>
> My issue is that none of my clients can establish an L2TP session for what
> looks to be a mismatch of encapsulation types. For example, the first
> packet below is from my laptop to the gateway, the second is the reply.
>
> 18:18:56.540995 (authentic,confidential): SPI 0x1b79c065: IP
> 10.10.3.254.1701 > 10.10.2.1.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0
> *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP()
> FIRM_VER(1280) |...
>
> 18:18:56.541039 (authentic,confidential): SPI 0x136223d4: IP 10.10.2.1 >
> 10.10.3.254: IP 10.10.2.1.1701 > 10.10.3.254.1701: l2tp:[TLS](20/0)
> Ns=1,Nr=1 ZLB (ipip-proto-4)
>
> This seems to be causing issues as the remote host isn't expecting the
> IPIP encapsulation there. I don't believe it has anything to do with
> SL2TPS because if I try and ICMP Ping 10.10.3.254 from 10.10.2.1, the ICMP
> request is IPSEC'd with the IPIP encapsulation.
>
> Has anyone seen this before? I'm using a fairly simplistic isakmpd.conf
> (which may be my issue)...
>
> [General]
> Listen-on       = 10.10.2.1
>
> [Phase 1]
> Default         = local-peers
>
> [Phase 2]
> Passive-connections     = authenticated-peers
>
> [local-peers]
> Phase           = 1
> Local-address   = 10.10.2.1
> Authentication  = mypresharedkey
> Configuration   = isakmp-main-mode
>
> [authenticated-peers]
> Phase           = 2
> ISAKMP-peer     = local-peers
> Local-ID        = local-network
> Remote-ID       = remote-network
> #Configuration   = ipsec-quick-mode
>
> [local-network]
> ID-type         = IPV4_ADDR_SUBNET
> Network         = 0.0.0.0
> Netmask         = 0.0.0.0
>
> [remote-network]
> ID-type         = IPV4_ADDR_SUBNET
> Network         = 10.10.2.0
> Netmask         = 255.255.254.0
>
> [isakmp-main-mode]
> EXCHANGE_TYPE   = ID_PROT
> Transforms=       3DES-SHA
>
> [ipsec-quick-mode]
> EXCHANGE_TYPE   = QUICK_MODE
>
> I have a isakmpd.policy of...
>
> KeyNote-Version:  2
>  Authorizer:       "POLICY"
>  Conditions:       app_domain == "IPsec policy"  &&
>                    esp_present == "yes"       -> "true";
>
> I have tried specifying Transforms/Suites on ipsec-quick-mode that should
> use transport encapsulation, I've even tried tunnel encapsulation to see
> if it'll solve it. I've added esp_encapsulation == "transport" to the
> policy file, and that hasn't helped either.
>
> Does anyone have a clue what I'm doing wrong? I sadly know very little
> about IPSEC, although I've learnt a lot today. If anyone had any sample
> configs of doing this kind of thing, that would be great. Google is
> somewhat lacking in info on this one.
>
> Many thanks for any help or suggestions!
>
> Cheers,
>
> Peter.
>
>
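The mismatch Peter describes (the gateway's ESP payload carrying a second IP header, which tcpdump prints as ipip-proto-4, while the client sends its L2TP packet directly inside ESP) can be checked mechanically from both the capture and the configuration. The Python below is an added example, not part of this thread and not isakmpd's own code. It classifies the two quoted tcpdump lines by counting IP headers inside the decrypted ESP payload, and it follows the section references in an isakmpd.conf (Phase 2 -> Passive-connections -> Configuration -> Suites -> Protocols -> Transforms, the reference chain isakmpd.conf(5) describes) to report which ENCAPSULATION_MODE a passive connection can reach. The first config is the one quoted above with its Configuration line still commented out; the second, with its QM-ESP-3DES-SHA-TRP-* section names, is a constructed illustration of an explicit transport-mode chain, not a configuration taken from the thread or tested against isakmpd.

```python
import re

# Copied from the thread as constructed sample input (the comment marker on the
# Configuration line is preserved, because that is the line the resolver never sees).
ORIGINAL_CONF = """
[Phase 2]
Passive-connections     = authenticated-peers

[authenticated-peers]
Phase           = 2
ISAKMP-peer     = local-peers
Local-ID        = local-network
Remote-ID       = remote-network
#Configuration   = ipsec-quick-mode

[ipsec-quick-mode]
EXCHANGE_TYPE   = QUICK_MODE
"""

# Constructed example of an explicit transport-mode chain. Section names are
# assumptions modelled on the naming in isakmpd.conf(5); not a tested config.
TRANSPORT_CONF = """
[Phase 2]
Passive-connections     = authenticated-peers

[authenticated-peers]
Phase           = 2
ISAKMP-peer     = local-peers
Configuration   = ipsec-quick-mode

[ipsec-quick-mode]
EXCHANGE_TYPE   = QUICK_MODE
Suites          = QM-ESP-3DES-SHA-TRP-SUITE

[QM-ESP-3DES-SHA-TRP-SUITE]
Protocols       = QM-ESP-3DES-SHA-TRP

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID     = IPSEC_ESP
Transforms      = QM-ESP-3DES-SHA-TRP-XF

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID    = 3DES
ENCAPSULATION_MODE = TRANSPORT
AUTHENTICATION_ALGORITHM = HMAC_SHA
"""

# The two decrypted-ESP lines quoted in the thread, joined onto one line each.
CAPTURE = [
    "18:18:56.540995 (authentic,confidential): SPI 0x1b79c065: IP "
    "10.10.3.254.1701 > 10.10.2.1.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 "
    "*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() FIRM_VER(1280) |...",
    "18:18:56.541039 (authentic,confidential): SPI 0x136223d4: IP 10.10.2.1 > "
    "10.10.3.254: IP 10.10.2.1.1701 > 10.10.3.254.1701: l2tp:[TLS](20/0) "
    "Ns=1,Nr=1 ZLB (ipip-proto-4)",
]


def esp_mode_from_line(line):
    """Classify one decrypted ESP line: two 'IP a > b:' headers (or tcpdump's
    ipip-proto-4 tag) mean tunnel mode, a single header means transport mode."""
    headers = re.findall(r"\bIP \S+ > \S+:", line)
    if "ipip-proto-4" in line or len(headers) >= 2:
        return "TUNNEL"
    return "TRANSPORT" if headers else "UNKNOWN"


def parse_conf(text):
    """Parse isakmpd's INI-like syntax into {section: {key: value}}.
    Lines starting with '#' are comments and are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    return sections


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def phase2_encapsulation(sections):
    """Follow Phase 2 -> Passive-connections -> Configuration -> Suites ->
    Protocols -> Transforms and collect every ENCAPSULATION_MODE reached.
    An empty list means no transform is reachable from that connection, so
    nothing in the file pins the mode and the daemon's defaults decide."""
    result = {}
    for conn in split_list(sections.get("Phase 2", {}).get("Passive-connections", "")):
        modes = set()
        cfg = sections.get(conn, {}).get("Configuration")  # None when commented out
        for suite in split_list(sections.get(cfg, {}).get("Suites", "")):
            for proto in split_list(sections.get(suite, {}).get("Protocols", "")):
                for xf in split_list(sections.get(proto, {}).get("Transforms", "")):
                    mode = sections.get(xf, {}).get("ENCAPSULATION_MODE")
                    if mode:
                        modes.add(mode)
        result[conn] = sorted(modes)
    return result


if __name__ == "__main__":
    for line in CAPTURE:
        print(esp_mode_from_line(line), "<-", line[:60])
    print("quoted config :", phase2_encapsulation(parse_conf(ORIGINAL_CONF)))
    print("explicit chain:", phase2_encapsulation(parse_conf(TRANSPORT_CONF)))
```

Run against the quoted config, the resolver reports no reachable transform for authenticated-peers, which matches the symptom: with the Configuration line commented out nothing in the file pins the Phase 2 encapsulation, and the capture shows the gateway ended up in tunnel mode while the client's SCCRQ arrived in transport mode. L2TP/IPsec clients expect ESP transport mode, so the check to make before touching the policy file is that the connection's Configuration resolves to a transform whose ENCAPSULATION_MODE is TRANSPORT.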

