vpn trouble

Maciej Suszko maciej at suszko.eu
Tue Jun 22 18:26:43 UTC 2010 

<ralf at dzie-ciuch.pl> wrote:
> 
> Hi,
> 
> I try to set VPN like I wrote earlier.
> 78.x is server and this is not NAT. He dont forward anything.
> 
> >> I try to configure VPN over my server and my client
> >> 
> >> Sheme is like this
> >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
> > 
> > Are you trying to set up IPSEC tunneling of networks behind these
> > gateways, or are you only trying to secure traffic between the peers
> > themselves?
> 
> I try to set tunnel behing my server 78.x and gateway 95.x translating
> packets to 10.x. I can only set 78.x side.
> 
> > 
> > The fact that you don't receive any reply to your IKE packets would
> > indicate something basic, like something is blocking traffic.
> 
> But how to check it? Telnet to port 500 wont work. But when I set SSH
> to listen on port 500 I can login, port is not blocked

Telnet host 500 uses proto tcp, isakmp - udp.

> >> # setkey -DP
> >> 10.10.1.90[any] 78.x.x.x[any] any
> >> 	in ipsec
> >> 	esp/tunnel/95.x.x.x-78.x.x.x/require
> >> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25
> >> 2010 lifetime: 0(s) validtime: 0(s)
> >> 	spid=16461 seq=1 pid=83142
> >> 	refcnt=1
> >> 78.x.x.x[any] 10.10.1.90[any] any
> >> 	out ipsec
> >> 	esp/tunnel/78.x.x.x-95.x.x.x/require
> >> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50
> >> 2010 lifetime: 0(s) validtime: 0(s)
> >> 	spid=16460 seq=0 pid=83142
> >> 	refcnt=1
> > 
> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
> > actually encapsulating traffic originating from somewhere else, you
> > might do better to just use "transport" mode to encrypt without
> > encapsulation.
> 
> Hmmm, I don't understand it? I set policy only for there IP's and
> connection for it is ESP encrypced
> 
> > 
> >> And tcpdump
> >> #tcpdump -i bce1 host 95.x.x.x 
> >> 
> >> 
> >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp:
> >> phase 1 I ident
> >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp:
> >> phase 1 I ident
> >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp:
> >> phase 1 I ident
> > 
> > My first thought was that your IPSEC policy attempts to encrypt all
> > traffic between you and your peers, but the IKE traffic is also
> > traffic between you and your peers, so doesn't it lead to a policy
> > loop of some sort?  Will the IPSEC layer attempt to capture and
> > encrypt the IKE packets?
> 
> Can you explain how can I check it? I new on it and I don't understand
> some things.

I've got such tunnels up and working - tunnel mode, encryption between
peers, without using any internal networks - strange, but working :) -
policy looks like that:
spdadd 195.x.x.x 213.x.x.x any -P out ipsec esp/tunnel/195.x.x.x-213.x.x.x/require;
spdadd 213.x.x.x 195.x.x.x any -P in  ipsec esp/tunnel/213.x.x.x-195.x.x.x/require;
-- 
regards, Maciej Suszko.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20100622/a3fcc36f/signature.pgp

More information about the freebsd-net mailing list