IPSec and Racoon Question

Timothy Radigan tradigan at newrevolutions.net
Tue Feb 15 15:28:01 GMT 2005


Hey all,

I have a question or two regarding IPSec and the Racoon port.  I have a
wired LAN and a wireless LAN in my house.  The BSD box acts as the primary
gateway/firewall/router.  For the wireless LAN, the AP has WEP enabled with
a 128-bit key.  Of course, with all of the nifty WEP cracking tools out
there I definitely want more protection, so I found a wireless networking
how-to using FreeBSD with IPSec and Racoon.

The initial configuration went very well and I am able to use IPSec between
the Windows XP wireless clients and the FreeBSD box.  However, the
connection seems to "time out" from time to time.  It's not the wireless
network, because if I don't use IPSec I get an occasional time out due to
signal loss, but nowhere near as many as when I'm using IPSec.

It seems as though when the client(s) are idle for a period of time, they
lose their connection with the server and can no longer communicate.  When
I ping the BSD box from an XP client, it just states "Negotiating Security"
forever until I stop the IPSec service, wait a few minutes, and restart it.

Obviously I do not want to do this for each and every client when they drop
their wireless connection due to something with IPSec and/or Racoon.

Again, I do NOT have this problem when I take IPSec out of the picture.  I
never drop connections when I'm a floor away or on the same floor as the AP.
It's only an anomaly when I'm using IPSec.

Below are the configuration files: racoon.conf, psk.txt, and
ipsec.conf.

If anyone has any ideas on why these connections are dropping, any help
would be appreciated.  Maybe there is another method of creating a VPN
tunnel for the wireless LAN?

Thanks,

Tim


****** /usr/local/etc/racoon/racoon.conf ******

path include "/usr/local/etc/racoon" ;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

path certificate "/usr/local/etc/cert" ;

log debug;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 192.168.20.1 [500];
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "radigan at newrevolutions.net";
        peers_identifier user_fqdn "radigan at newrevolutions.net";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

remote ::1 [8000]
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "radigan at newrevolutions.net";
        peers_identifier user_fqdn "radigan at newrevolutions.net";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


sainfo address ::1 icmp6 address ::1 icmp6
{
        pfs_group 1;
        lifetime time 60 sec;
        encryption_algorithm 3des, cast128, blowfish 448, des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

****** /usr/local/etc/racoon/racoon.conf ******


****** /usr/local/etc/racoon/psk.txt ******

192.168.20.3                    <pre shared key 1>
192.168.20.4                    <pre shared key 2>

****** /usr/local/etc/racoon/psk.txt ******


****** /etc/ipsec.conf ******

flush;
spdflush;
spdadd 192.168.20.3/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.20.3-192.168.20.1/use;
spdadd 0.0.0.0/0 192.168.20.3/32 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.20.3/use;
spdadd 192.168.20.4/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.20.4-192.168.20.1/use;
spdadd 0.0.0.0/0 192.168.20.4/32 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.20.4/use;

****** /etc/ipsec.conf ******
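As an added example (not part of Tim's post, and not code from the racoon or setkey projects), the Python below parses the `spdadd` statements from the /etc/ipsec.conf shown above and runs two checks a reviewer would apply to such a policy set. First, it flags every policy whose level is `use`: per setkey(8), `use` means the kernel applies an SA when one exists but forwards the packet in the clear when none does, so traffic protected by a `use` policy is not guaranteed to be encrypted, whereas `require` drops traffic for which no SA is available. Second, it verifies that each inbound policy has a mirrored outbound policy with reversed tunnel endpoints. The `harden()` helper rewrites `use` to `require` so the checker can be run against both forms. The config text is copied from the post; the `Policy` class, the function names and the IPv4-only regex are assumptions of this example.

```python
import re
from dataclasses import dataclass

# SPD entries copied from the /etc/ipsec.conf in the post above.
IPSEC_CONF = """
flush;
spdflush;
spdadd 192.168.20.3/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.20.3-192.168.20.1/use;
spdadd 0.0.0.0/0 192.168.20.3/32 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.20.3/use;
spdadd 192.168.20.4/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.20.4-192.168.20.1/use;
spdadd 0.0.0.0/0 192.168.20.4/32 any -P out ipsec
esp/tunnel/192.168.20.1-192.168.20.4/use;
"""


@dataclass(frozen=True)
class Policy:
    """One setkey spdadd statement (hypothetical structure for this example)."""
    src: str        # selector source, e.g. 192.168.20.3/32
    dst: str        # selector destination, e.g. 0.0.0.0/0
    upper: str      # upper-layer protocol selector, e.g. any
    direction: str  # in or out
    proto: str      # esp or ah
    mode: str       # tunnel or transport
    tun_src: str    # tunnel outer source address
    tun_dst: str    # tunnel outer destination address
    level: str      # default, use, require or unique


# Matches "esp/tunnel/A-B/level"; IPv4 tunnel endpoints only (assumption).
POLICY_RE = re.compile(r"^(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)$")


def parse_spd(text):
    """Parse spdadd statements; flush/spdflush and blank statements are skipped."""
    policies = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] != "spdadd":
            continue
        # spdadd <src> <dst> <upperspec> -P <direction> ipsec <policy>
        if len(tokens) != 8 or tokens[4] != "-P" or tokens[6] != "ipsec":
            raise ValueError("unsupported spdadd form: %r" % stmt.strip())
        m = POLICY_RE.match(tokens[7])
        if not m:
            raise ValueError("unsupported policy spec: %r" % tokens[7])
        proto, mode, tun_src, tun_dst, level = m.groups()
        policies.append(Policy(tokens[1], tokens[2], tokens[3], tokens[5],
                               proto, mode, tun_src, tun_dst, level))
    return policies


def find_fallback_policies(policies):
    """Policies with level 'use': encrypted only when an SA already exists,
    otherwise the kernel forwards the packet in the clear."""
    return [p for p in policies if p.level == "use"]


def mirror(p):
    """The outbound counterpart of an inbound policy (and vice versa)."""
    return Policy(src=p.dst, dst=p.src, upper=p.upper,
                  direction="out" if p.direction == "in" else "in",
                  proto=p.proto, mode=p.mode,
                  tun_src=p.tun_dst, tun_dst=p.tun_src, level=p.level)


def find_unpaired(policies):
    """Policies whose mirrored counterpart is missing from the set."""
    present = set(policies)
    return [p for p in policies if mirror(p) not in present]


def harden(text):
    """Rewrite 'use' policies to 'require' so traffic without an SA is dropped
    instead of being sent unprotected."""
    return re.sub(r"/use\s*;", "/require;", text)


if __name__ == "__main__":
    pols = parse_spd(IPSEC_CONF)
    print("%d policies parsed" % len(pols))
    for p in find_fallback_policies(pols):
        print("cleartext fallback possible: %s -> %s (%s, level %s)"
              % (p.src, p.dst, p.direction, p.level))
    for p in find_unpaired(pols):
        print("no mirrored policy for: %s -> %s (%s)" % (p.src, p.dst, p.direction))
    print("after harden(): %d fallback policies"
          % len(find_fallback_policies(parse_spd(harden(IPSEC_CONF)))))
```

Switching a policy from `use` to `require` is a trade-off: with `require`, a client whose SA has not been negotiated yet cannot reach the gateway at all until racoon completes the exchange, so it should be paired with a phase 1 / phase 2 configuration that negotiates reliably.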



More information about the freebsd-questions mailing list