IPsec: Odd behaviour with policies

Nick Slager ns at zith.net
Tue Feb 24 23:38:00 PST 2004


I have a newly created VPN between a 4.8 box and a Cisco VPN 3000
Concentrator. The concentrator is not under my control, being owned by an
associated company.

The policies are extremely restrictive, and permit a single host in our
network (behind the FreeBSD end) to communicate with 2 hosts at the other
end (behind the concentrator).

I am able to establish the VPN from our host by pinging one of the hosts
in the remote network. The VPN is established and all works fine, but I
can only communicate with the one remote host I pinged to establish the
VPN link. I am unable to communicate with the other host.

If I tear down the IPsec tunnel, and re-establish the VPN by pinging the
other remote IP address, communication is fine also, but only for the
one single remote host I pinged.

Is anyone able to shed light on why this might be the case? Anonymised
config files below.


Nick



/etc/ipsec.conf:

flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;



Relevant portions of racoon.conf:

remote 203.2.2.2
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address "203.1.1.1";

        nonce_size 16;
        lifetime time 86400 sec;
        initial_contact on;
        support_proxy on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any
{
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any
{
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
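Added example, not from the original post and not code from the KAME or racoon projects: a small Python checker that parses the spdadd lines and the sainfo selectors posted above and reports SPD entries without a mirrored in/out twin, selector pairs that have no sainfo block, and the distinct (local, remote) selector pairs, each of which racoon negotiates as its own phase-2 SA when traffic first matches that pair's out policy. The embedded input is the anonymised configuration from the post plus a constructed variant with one sainfo block removed; the regular expressions assume tunnel-mode ESP spdadd lines and address-form sainfo selectors, which is all the posted configuration uses.

```python
"""Cross-check a KAME-style SPD (setkey spdadd lines) against racoon.conf sainfo blocks."""
import re

# Constructed sample input: the anonymised ipsec.conf from the post.
IPSEC_CONF = """\
flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
"""

# Constructed sample input: the sainfo selectors from the post (bodies omitted).
RACOON_CONF = """\
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any
{
        pfs_group 2;
}
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any
{
        pfs_group 2;
}
"""

# Constructed variant with the second sainfo block missing, to show a finding.
RACOON_CONF_MISSING = RACOON_CONF.split("sainfo address 192.168.1.1/32 any address 1.2.3.5/32")[0]

# Tunnel-mode ESP policy: spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/A-B/LEVEL;
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;", re.M)
# Address-form selectors: sainfo address LOCAL PROTO address REMOTE PROTO
SAINFO_RE = re.compile(r"^sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+", re.M)
ANON_RE = re.compile(r"^sainfo\s+anonymous", re.M)


def parse_spd(text):
    """Return one dict per spdadd line (tunnel-mode ESP policies only)."""
    return [dict(src=m.group(1), dst=m.group(2), proto=m.group(3), direction=m.group(4),
                 ipsec_proto=m.group(5), tun_src=m.group(6), tun_dst=m.group(7),
                 level=m.group(8))
            for m in SPD_RE.finditer(text)]


def parse_sainfo(text):
    """Return ({(local, remote) selector pairs}, True if a catch-all 'sainfo anonymous' exists)."""
    pairs = {(m.group(1), m.group(2)) for m in SAINFO_RE.finditer(text)}
    return pairs, ANON_RE.search(text) is not None


def check(ipsec_conf, racoon_conf):
    """Return the distinct selector pairs, the tunnel peers and a list of findings."""
    policies = parse_spd(ipsec_conf)
    sainfos, anonymous = parse_sainfo(racoon_conf)
    findings = []
    # Key both directions as (local, remote) so in and out policies can be compared.
    outs = {(p["src"], p["dst"]): p for p in policies if p["direction"] == "out"}
    ins = {(p["dst"], p["src"]): p for p in policies if p["direction"] == "in"}

    for key, p in outs.items():
        q = ins.get(key)
        if q is None:
            findings.append(f"out policy {key[0]} -> {key[1]} has no matching in policy")
        elif (p["tun_src"], p["tun_dst"]) != (q["tun_dst"], q["tun_src"]):
            findings.append(f"tunnel endpoints for {key[0]} <-> {key[1]} are not mirrored")
        if not anonymous and key not in sainfos:
            findings.append(f"no sainfo block for {key[0]} <-> {key[1]}: "
                            "racoon has nothing to negotiate this phase-2 SA with")
    for key in ins:
        if key not in outs:
            findings.append(f"in policy {key[1]} -> {key[0]} has no matching out policy")
    for key in sainfos:
        if key not in outs:
            findings.append(f"sainfo {key[0]} <-> {key[1]} has no SPD entry")

    peers = {(p["tun_src"], p["tun_dst"]) for p in outs.values()}
    return {"selector_pairs": sorted(outs), "peers": sorted(peers), "findings": findings}


if __name__ == "__main__":
    for label, conf in (("as posted", RACOON_CONF), ("one sainfo missing", RACOON_CONF_MISSING)):
        result = check(IPSEC_CONF, conf)
        print(f"[{label}] {len(result['selector_pairs'])} selector pair(s), "
              f"each a separate phase-2 SA, to peer(s) {result['peers']}")
        for f in result["findings"]:
            print("  -", f)
```

With the configuration as posted the checker reports no findings and two selector pairs, that is two independent phase-2 SAs carried over the single phase-1 with 203.2.2.2, each brought up only when traffic first hits its own out policy; the constructed variant with one sainfo removed shows the kind of local mismatch the check is meant to catch. What the remote end does with the second phase-2 proposal is not visible in the local files at all; `setkey -D` (which dumps the SAD) and racoon's log at the moment the second host is first contacted are where that shows up.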

