IPsec: Odd behaviour with policies
Nick Slager
ns at zith.net
Tue Feb 24 23:38:00 PST 2004
I have a newly created VPN between a 4.8 box and a Cisco VPN 3000
Concentrator. The concentrator is not under my control, being owned by an
associated company.
The policies are extremely restrictive, and permit a single host in our
network (behind the FreeBSD end) to communicate with 2 hosts at the other
end (behind the concentrator).
I am able to establish the VPN from our host by pinging one of the hosts
in the remote network. The VPN is established and all works fine, but I
can only communicate with the one remote host I pinged to establish the
VPN link. I am unable to communicate with the other host.
If I tear down the IPsec tunnel, and re-establish the VPN by pinging the
other remote IP address, communication is fine also, but only for the
one single remote host I pinged.
Is anyone able to shed light on why this might be the case? Anonymised
config files below.
Nick
/etc/ipsec.conf:

# Start from an empty SAD and SPD
flush;
spdflush;

# 192.168.1.1 <-> 1.2.3.4: ESP tunnel between the gateways 203.1.1.1 and 203.2.2.2
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

# 192.168.1.1 <-> 1.2.3.5: same tunnel endpoints, same policy level
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
Relevant portions of racoon.conf:

# Phase 1 (ISAKMP SA) with the concentrator
remote 203.2.2.2
{
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address "203.1.1.1";
    nonce_size 16;
    lifetime time 86400 sec;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters for 192.168.1.1 <-> 1.2.3.4
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any
{
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# Phase 2 (IPsec SA) parameters for 192.168.1.1 <-> 1.2.3.5
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any
{
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
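Editor's note, added example: the script below is not from Nick's post or from any reply on this page; it models how the posted ipsec.conf binds policies to SAs. It assumes the SA-selection rule documented in setkey(8): a policy at level `require` may use an SA that other policies with the same protocol, mode and tunnel endpoints share (reqid 0), while `unique:N` binds a policy to its own SA identified by reqid N. Applied to the four posted spdadd lines, both `out` policies collapse onto one SA key and both `in` policies onto another; the `with_unique_reqids` rewrite (a hypothetical helper, the editor's choice of remedy, not something confirmed on this page) gives each remote host its own reqid so the two keys become four. The ipsec.conf text is copied from the post and embedded as the sample input.

```python
"""Model KAME/FreeBSD SPD-to-SA binding for the posted ipsec.conf.

Editor's example; assumes the require/unique semantics from setkey(8).
"""
import re

# Constructed sample input: the spdadd lines from the post, verbatim.
POSTED_IPSEC_CONF = """\
flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
"""

# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/EP1-EP2/LEVEL;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<ep1>[^-/]+)-(?P<ep2>[^/]+)/(?P<level>default|use|require|unique(?::\d+)?)\s*;$"
)


def parse_spd(conf):
    """Return one dict per spdadd line; flush/spdflush and comments are skipped."""
    policies = []
    for line in conf.splitlines():
        s = line.strip()
        if not s.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(s)
        if not m:
            raise ValueError(f"unparsed spdadd line: {s}")
        policies.append(m.groupdict())
    return policies


def reqid_of(level):
    """reqid the kernel attaches to a policy: N for unique:N, otherwise 0 (setkey(8))."""
    if level.startswith("unique:"):
        return int(level.split(":", 1)[1])
    return 0


def sa_key(policy):
    """Key under which the kernel looks for an SA to carry this policy's traffic.

    With require/use the reqid is 0, so every policy with the same protocol,
    mode and tunnel endpoints maps to the same key and can share one SA.
    unique:N adds the reqid, so each policy needs its own SA.
    """
    return (policy["proto"], policy["mode"], policy["ep1"], policy["ep2"],
            reqid_of(policy["level"]))


def shared_sa_groups(policies):
    """Map each SA key to the (src, dst, dir) selectors that would share it."""
    groups = {}
    for p in policies:
        groups.setdefault(sa_key(p), []).append((p["src"], p["dst"], p["dir"]))
    return groups


def with_unique_reqids(conf):
    """Hypothetical remedy: rewrite require-level policies to unique:N.

    Each pair of hosts (the out policy and its mirror in policy) gets one
    reqid N, so the kernel keys a separate SA per remote host.
    """
    out_lines, pair_ids = [], {}
    for line in conf.splitlines():
        s = line.strip()
        m = SPDADD_RE.match(s)
        if not m or m["level"] != "require":
            out_lines.append(line)
            continue
        pair = frozenset((m["src"], m["dst"]))
        n = pair_ids.setdefault(pair, len(pair_ids) + 1)
        out_lines.append(s.rsplit("/require;", 1)[0] + f"/unique:{n};")
    return "\n".join(out_lines) + "\n"


if __name__ == "__main__":
    for label, conf in (("as posted", POSTED_IPSEC_CONF),
                        ("with unique reqids", with_unique_reqids(POSTED_IPSEC_CONF))):
        print(f"== {label} ==")
        for key, selectors in shared_sa_groups(parse_spd(conf)).items():
            print(f"SA {key[0]}/{key[1]} {key[2]}->{key[3]} reqid={key[4]}: {selectors}")
```

Running it prints two SA keys for the posted file, each carrying both remote hosts' selectors, and four keys once the policies carry distinct reqids; `setkey -DP` and `setkey -D` on the FreeBSD end show the live SPD and SAD to compare against.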
More information about the freebsd-questions mailing list