vpn trouble

ralf at dzie-ciuch.pl ralf at dzie-ciuch.pl
Tue Jun 22 17:33:55 UTC 2010


Hi,

I am trying to set up the VPN as I wrote earlier.
78.x is the server and it is not NAT. It doesn't forward anything.

>> I try to configure VPN over my server and my client
>> 
>> Scheme is like this
>> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
> 
> Are you trying to set up IPSEC tunneling of networks behind these
> gateways, or are you only trying to secure traffic between the peers
> themselves?

I am trying to set up a tunnel between my server 78.x and gateway 95.x,
which translates packets to 10.x. I can only configure the 78.x side.

> 
> The fact that you don't receive any reply to your IKE packets would
> indicate something basic, like something is blocking traffic.

But how do I check it? Telnet to port 500 won't work. But when I set SSH to
listen on port 500 I can log in, so the port is not blocked.

> 
>> # setkey -DP
>> 10.10.1.90[any] 78.x.x.x[any] any
>> 	in ipsec
>> 	esp/tunnel/95.x.x.x-78.x.x.x/require
>> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
>> 	lifetime: 0(s) validtime: 0(s)
>> 	spid=16461 seq=1 pid=83142
>> 	refcnt=1
>> 78.x.x.x[any] 10.10.1.90[any] any
>> 	out ipsec
>> 	esp/tunnel/78.x.x.x-95.x.x.x/require
>> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
>> 	lifetime: 0(s) validtime: 0(s)
>> 	spid=16460 seq=0 pid=83142
>> 	refcnt=1
> 
> Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
> actually encapsulating traffic originating from somewhere else, you
> might do better to just use "transport" mode to encrypt without
> encapsulation.

Hmmm, I don't understand. I set the policy only for these IPs and the
connection for it is ESP encrypted.

> 
>> And tcpdump
>> #tcpdump -i bce1 host 95.x.x.x 
>> 
>> 
>> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
>> ident
>> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
>> ident
>> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
>> ident
> 
> My first thought was that your IPSEC policy attempts to encrypt all
> traffic between you and your peers, but the IKE traffic is also traffic
> between you and your peers, so doesn't it lead to a policy loop of some
> sort?  Will the IPSEC layer attempt to capture and encrypt the IKE
> packets?

Can you explain how I can check it? I am new to this and I don't understand
some things.

Regards
Ralf
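
The question raised in the quoted reply, whether the SPD would also capture the IKE packets that negotiate the SAs, can be answered mechanically from the `setkey -DP` dump. The following is an added example (not from the original mail or from FreeBSD's tools): a small parser for the `setkey -DP` layout shown above, plus a lookup that walks the policies in dump order, first match wins, the way the kernel resolves a flow, and reports whether IKE between the two gateways lands on an `ipsec` policy. The addresses are RFC 5737 documentation placeholders standing in for the masked 78.x (server) and 95.x (gateway) hosts, and both dumps are constructed samples, the first copying the policy from the mail, the second showing a transport-mode policy between the gateways with explicit bypass (`none`) entries for UDP/500 listed ahead of it.

```python
"""Added example: decide from `setkey -DP` output whether the SPD would
swallow the IKE exchange itself. Addresses are RFC 5737 placeholders for the
masked 78.x / 95.x hosts; both dumps below are constructed samples."""
import ipaddress
import re

# Constructed sample in the layout of the `setkey -DP` output from the mail.
SAMPLE_SPD = """\
10.10.1.90[any] 198.51.100.10[any] any
\tin ipsec
\tesp/tunnel/203.0.113.20-198.51.100.10/require
\tcreated: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
\tspid=16461 seq=1 pid=83142
198.51.100.10[any] 10.10.1.90[any] any
\tout ipsec
\tesp/tunnel/198.51.100.10-203.0.113.20/require
\tspid=16460 seq=0 pid=83142
"""

# Constructed sample: transport-mode policy between the gateways themselves,
# with explicit bypass ("none") entries for IKE (UDP/500) listed ahead of it.
BYPASS_SPD = """\
198.51.100.10[500] 203.0.113.20[500] udp
\tout none
\tspid=1 seq=3 pid=100
203.0.113.20[500] 198.51.100.10[500] udp
\tin none
\tspid=2 seq=2 pid=100
198.51.100.10[any] 203.0.113.20[any] any
\tout ipsec
\tesp/transport//require
\tspid=3 seq=1 pid=100
203.0.113.20[any] 198.51.100.10[any] any
\tin ipsec
\tesp/transport//require
\tspid=4 seq=0 pid=100
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
REQUEST_RE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(\S+)$")
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def _proto(name):
    """'any' -> None, otherwise the protocol number (by name or digits)."""
    if name == "any":
        return None
    return int(name) if name.isdigit() else PROTO_NUMBERS[name]


def _port(text):
    return None if text == "any" else int(text)


def parse_spd(dump):
    """Parse `setkey -DP` text into a list of policy dicts, in dump order."""
    entries = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # selector line opens an entry
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError("unrecognised selector: %r" % line)
            src, sport, dst, dport, proto = m.groups()
            entries.append({
                "src": ipaddress.ip_network(src, strict=False),
                "dst": ipaddress.ip_network(dst, strict=False),
                "sport": _port(sport), "dport": _port(dport),
                "proto": _proto(proto), "direction": None, "action": None,
                "requests": [], "spid": None,
            })
            continue
        body = line.strip()
        cur = entries[-1]
        words = body.split()
        if words[0] in ("in", "out", "fwd"):   # e.g. "out ipsec", "in none"
            cur["direction"], cur["action"] = words[0], words[1]
        elif REQUEST_RE.match(body):            # e.g. "esp/tunnel/A-B/require"
            cur["requests"].append(body)
        elif words[0].startswith("spid="):
            cur["spid"] = int(words[0][len("spid="):])
    return entries


def lookup(entries, direction, src, dst, proto, sport=None, dport=None):
    """First policy in dump order covering the flow, or None (no policy)."""
    src, dst, proto = ipaddress.ip_address(src), ipaddress.ip_address(dst), _proto(proto)
    for e in entries:
        if e["direction"] != direction or src not in e["src"] or dst not in e["dst"]:
            continue
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e
    return None


def ike_caught_by_policy(entries, local, peer, ports=(500,)):
    """True if an 'ipsec' policy covers IKE between the gateways in either
    direction. Such a policy cannot be satisfied: the SA it demands is the one
    IKE is trying to negotiate. Pass ports=(500, 4500) when NAT-T is in play."""
    for p in ports:
        out_hit = lookup(entries, "out", local, peer, "udp", p, p)
        in_hit = lookup(entries, "in", peer, local, "udp", p, p)
        if any(h is not None and h["action"] == "ipsec" for h in (out_hit, in_hit)):
            return True
    return False


if __name__ == "__main__":
    for name, dump in (("mail's policy", SAMPLE_SPD), ("bypass policy", BYPASS_SPD)):
        caught = ike_caught_by_policy(parse_spd(dump), "198.51.100.10", "203.0.113.20")
        print("%s catches IKE: %s" % (name, caught))
```

On the policy from the mail the lookup finds no entry for UDP/500 between the two gateways, because both selectors name 10.10.1.90 rather than the peer, so the IKE packets seen leaving in the tcpdump are consistent with the dump. On the second sample, the bypass entries protect UDP/500, but asking for NAT-T as well (`ports=(500, 4500)`) shows that UDP/4500 would still fall through to the transport policy. The script only reasons about local policy; it cannot tell whether UDP/500 actually reaches the peer, and since IKE is UDP, a TCP listener answering on port 500 does not settle that either, only a capture on the far side does.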


More information about the freebsd-net mailing list