vpn trouble

VANHULLEBUS Yvan vanhu at FreeBSD.org
Wed Jun 23 07:43:09 UTC 2010


Hi.

On Tue, Jun 22, 2010 at 07:08:19PM +0200, Maciej Suszko wrote:
[....]
> Set up a gif tunnel in rc.conf:
> 
> cloned_interfaces="gif0"
> ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
> 
> 10.20.0.1 is your internal end of the tunnel, so use any address from
> beyond the net 10.10.1.90 is in.

Using such extra encapsulation generates different kinds of IPsec
tunnels, which are sometimes used by some commercial devices (I guess
at least juniper will use a variant of that), but this is NOT the
usual way of setting up IPsec tunnels, and, afaik, this is probably
completely useless here (no extra feature provided, and I don't think
cisco devices use such extra encapsulation).

Btw, his issue occurs with the first phase 1 exchange, so it actually has
NOTHING to do with that part of the negotiation...


> in racoon.conf something like this:
> 
> remote 95.x.x.x [500]
> {
>     exchange_mode       main,aggressive;
[....]
>     proposal_check      obey;

This is a quite perfect example of what should NOT exist in a correct
IPsec configuration:

Once again, aggressive mode is NOT as secure as main mode, and should
be avoided as much as possible.

And proposal_check obey is really one of the worst ideas people can
have when adding things to their racoon.conf, as it just disables
proposal checking when we are the responder!!!!



Yvan.
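The two settings Yvan objects to can be caught before a config is deployed. The following is an added example, not code from the thread or from racoon: a minimal linter that reads the top-level statements of each `remote` block in a racoon.conf (the constructed sample mirrors the quoted configuration, with the same masked addresses) and flags `aggressive` in `exchange_mode` and `proposal_check obey`.

```python
"""Lint a racoon.conf for aggressive mode and proposal_check obey.

Added example, not part of the original thread. The parser is a minimal
constructed one: it handles 'remote <peer> [port] { ... }' blocks with
'key value;' statements and skips nested sub-blocks such as 'proposal { }'.
It does not handle '#' comments or 'include' directives.
"""
import re

# Constructed sample mirroring the quoted configuration (addresses masked as on the list).
SAMPLE_CONF = """
remote 95.x.x.x [500]
{
    exchange_mode       main,aggressive;
    proposal_check      obey;
    proposal {
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

remote anonymous
{
    exchange_mode       main;
    proposal_check      strict;
}
"""

_HDR = re.compile(r"^\s*remote\s+(\S+)(?:\s+\[\d+\])?\s*\{", re.M)
_STMT = re.compile(r"(\w+)\s+(\S[^;{}]*);")

def parse_remotes(conf):
    """Return {peer: {key: value}} using only each remote block's top-level statements."""
    remotes = {}
    for hdr in _HDR.finditer(conf):
        depth, top_level, i = 1, [], hdr.end()
        while i < len(conf) and depth:
            ch = conf[i]
            if ch == "{":
                if depth == 1:
                    top_level.append(";")  # terminate the sub-block keyword so it is not parsed as a statement
                depth += 1
            elif ch == "}":
                depth -= 1
            elif depth == 1:
                top_level.append(ch)
            i += 1
        remotes[hdr.group(1)] = {k: v.strip() for k, v in _STMT.findall("".join(top_level))}
    return remotes

def lint_remote(settings):
    """Return the findings for one remote block's settings."""
    findings = []
    modes = [m.strip() for m in settings.get("exchange_mode", "").split(",")]
    if "aggressive" in modes:
        # Aggressive mode exposes the peers' identities unprotected; main mode protects them.
        findings.append("exchange_mode permits aggressive mode")
    if settings.get("proposal_check") == "obey":
        # With obey the responder accepts the initiator's lifetime/PFS proposal, so local policy is not enforced.
        findings.append("proposal_check obey disables proposal checking as responder")
    return findings

def lint_conf(conf):
    """Return {peer: [findings]} for every remote block that has at least one finding."""
    result = {}
    for peer, settings in parse_remotes(conf).items():
        findings = lint_remote(settings)
        if findings:
            result[peer] = findings
    return result
```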

