vpn trouble

ralf at dzie-ciuch.pl ralf at dzie-ciuch.pl
Tue Jun 22 17:42:12 UTC 2010 


>> Hmmm, aggressive mode wasn't help :(
>> Still I got only negotiation, so I try to send packets but I don't
>> receive it at all.
>> 
>> On my server 78.x.x.x I got ipfw allow all from any to any.
>> On the other side 95.x.x.x they tell me that they do it everything
>> right - only I can't connect :(
>> 
>> Maybe I don't set route correctly?
>> 
>> Is this mean that I don't receive password from other side?
>> ERROR: phase1 negotiation failed due to time up.
>> 5d300bcf894a18f5:0000000000000000
> 
> All the addresses you write about (despite of those x) and especially
> this 10.10.1.90 sound familiar (anyway it might be conicidence). I've
> got more than dozen working tunnels of this kind. You can try this way:
> 
> Set up a gif tunnel in rc.conf:
> 
> cloned_interfaces="gif0"
> ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
> 
> 10.20.0.1 is your internal end of the tunnel, so use any address from
> beyond the net 10.10.1.90 is in.
> 
> 
> in racoon.conf something like this:
> 
> remote 95.x.x.x [500]
> {
>     exchange_mode       main,aggressive;
>     doi                 ipsec_doi;
>     situation           identity_only;
>     my_identifier       address 78.x.x.x;
>     peers_identifier    address 95.x.x.x;
>     lifetime            time 8 hour;
>     passive             off;
>     proposal_check      obey;
>     generate_policy     off;
>     proposal {
>         encryption_algorithm    3des;
>         hash_algorithm          md5;
>         authentication_method   pre_shared_key;
>         dh_group                2;
>     }
> }
> 
> sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
> {
>     pfs_group                   2;
>     lifetime                    time 3600 sec;
>     encryption_algorithm        3des;
>     authentication_algorithm    hmac_md5;
>     compression_algorithm       deflate;
> }
> 
> The other side needs to know you have 10.20.0.1 on your side of the
> tunnel - this way you should have working IPSEC bettween both 10. ends.

So as you write they should set: ??
10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90 (other
side)

And additionaly I thing I should correct set spd policy to:

spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
esp/tunnel/78.x.x.x-95.x.x.x/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
esp/tunnel/95.x.x.x-78.x.x.x/require;

Am I wrong?

Regards
Ralf

More information about the freebsd-net mailing list