vpn trouble
Maciej Suszko
maciej at suszko.eu
Tue Jun 22 18:11:37 UTC 2010
<ralf at dzie-ciuch.pl> wrote:
>
>
> >> Hmmm, aggressive mode wasn't help :(
> >> Still I got only negotiation, so I try to send packets but I don't
> >> receive it at all.
> >>
> >> On my server 78.x.x.x I got ipfw allow all from any to any.
> >> On the other side 95.x.x.x they tell me that they do it everything
> >> right - only I can't connect :(
> >>
> >> Maybe I don't set route correctly?
> >>
> >> Is this mean that I don't receive password from other side?
> >> ERROR: phase1 negotiation failed due to time up.
> >> 5d300bcf894a18f5:0000000000000000
> >
> > All the addresses you write about (despite of those x) and
> > especially this 10.10.1.90 sound familiar (anyway it might be
> > conicidence). I've got more than dozen working tunnels of this
> > kind. You can try this way:
> >
> > Set up a gif tunnel in rc.conf:
> >
> > cloned_interfaces="gif0"
> > ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> > ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
> >
> > 10.20.0.1 is your internal end of the tunnel, so use any address
> > from beyond the net 10.10.1.90 is in.
> >
> >
> > in racoon.conf something like this:
> >
> > remote 95.x.x.x [500]
> > {
> > exchange_mode main,aggressive;
> > doi ipsec_doi;
> > situation identity_only;
> > my_identifier address 78.x.x.x;
> > peers_identifier address 95.x.x.x;
> > lifetime time 8 hour;
> > passive off;
> > proposal_check obey;
> > generate_policy off;
> > proposal {
> > encryption_algorithm 3des;
> > hash_algorithm md5;
> > authentication_method pre_shared_key;
> > dh_group 2;
> > }
> > }
> >
> > sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
> > {
> > pfs_group 2;
> > lifetime time 3600 sec;
> > encryption_algorithm 3des;
> > authentication_algorithm hmac_md5;
> > compression_algorithm deflate;
> > }
> >
> > The other side needs to know you have 10.20.0.1 on your side of the
> > tunnel - this way you should have working IPSEC bettween both 10.
> > ends.
>
> So as you write they should set: ??
> 10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90
> (other side)
Yes, indeed.
> And additionaly I thing I should correct set spd policy to:
>
> spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
> esp/tunnel/78.x.x.x-95.x.x.x/require;
> spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
> esp/tunnel/95.x.x.x-78.x.x.x/require;
>
> Am I wrong?
No, you're right :)
You can set up the tunnel first - check whether both 10. are accessible
from both sides, then you "cover" communication between them with IPSEC.
--
regards, Maciej Suszko.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20100622/320bfab3/signature.pgp
More information about the freebsd-net
mailing list