vpn trouble

David DeSimone fox at verio.net
Tue Jun 22 17:19:49 UTC 2010 

ralf at dzie-ciuch.pl <ralf at dzie-ciuch.pl> wrote:
>
> I try to configure VPN over my server and my client
> 
> Sheme is like this
> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90

Are you trying to set up IPSEC tunneling of networks behind these
gateways, or are you only trying to secure traffic between the peers
themselves?

The fact that you don't receive any reply to your IKE packets would
indicate something basic, like something is blocking traffic.

> # setkey -DP
> 10.10.1.90[any] 78.x.x.x[any] any
> 	in ipsec
> 	esp/tunnel/95.x.x.x-78.x.x.x/require
> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
> 	lifetime: 0(s) validtime: 0(s)
> 	spid=16461 seq=1 pid=83142
> 	refcnt=1
> 78.x.x.x[any] 10.10.1.90[any] any
> 	out ipsec
> 	esp/tunnel/78.x.x.x-95.x.x.x/require
> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
> 	lifetime: 0(s) validtime: 0(s)
> 	spid=16460 seq=0 pid=83142
> 	refcnt=1

Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
actually encapsulating traffic originating from somewhere else, you
might do better to just use "transport" mode to encrypt without
encapsulation.

> And tcpdump
> #tcpdump -i bce1 host 95.x.x.x 
> 
> 
> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
> ident
> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
> ident
> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
> ident

My first thought was that your IPSEC policy attempts to encrypt all
traffic between you and your peers, but the IKE traffic is also traffic
between you and your peers, so doesn't it lead to a policy loop of some
sort?  Will the IPSEC layer attempt to capture and encrypt the IKE
packets?

-- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free.  Thank you.

More information about the freebsd-net mailing list