Date:      Wed, 9 Jan 2002 10:26:23 +0100 (CET)
From:      Hakan Olsson <ho@crt.se>
To:        jack xiao <jack_xiao99@hotmail.com>
Cc:        tech@openbsd.org, <freebsd-security@FreeBSD.ORG>
Subject:   Re: isakmpd configuration
Message-ID:  <Pine.BSO.4.40.0201091012120.14373-100000@bloodwine.crt.se>
In-Reply-To: <OE69BB7Oqn1y7aG8jN20000bd5c@hotmail.com>

(Cc:ed to freebsd-security@FreeBSD.ORG? Ok, whatever...)

On Tue, 8 Jan 2002, jack xiao wrote:
...
> I am going to set up two IPSec tunnels. One is 192.168.100.0/24 -
> 10.10.11.0/24, the other is 192.168.100.0/24 - 172.30.1.0/24. The
> diagram is like the following, 216.95.234.162 and 216.95.234.110 are
> two VPN gateways.
...
> I set in the isakmpd.conf as something like the following,
>
> [Phase 1]
> 216.95.234.110=  VPN-11
>
> [Phase 2]
> Connections=    VPN-12,VPN-22

Correct.

>
> [VPN-11]
> Phase=   1
> Transport=  udp
> Local-address=  216.95.234.162
> Address= 216.95.234.110
> Configuration=  Default-main-mode
> Authentication=  qqqqqqqq

You need to define the [Default-main-mode] section as per the examples.

>
> [VPN-12]
> Phase=   2
> ISAKMP-peer=  VPN-11
> Configuration=  Default-quick-mode
> Local-ID=  Net-local-01
> Remote-ID= Net-remote-01

Ditto, [Default-quick-mode].

>
> [Net-local-01]
> ID-type=  IPV4_ADDR_SUBNET
> Network=  192.168.100.0
> Netmask=  255.255.255.0
>
> [Net-remote-01]
> ID-type=  IPV4_ADDR_SUBNET
> Network=  10.10.11.0
> Netmask=  255.255.255.0
>
> [VPN-22]
> Phase=   2
> ISAKMP-peer=  VPN-11
> Configuration=  Default-quick-mode
> Local-ID=  Net-local-02
> Remote-ID= Net-remote-02

You can simply re-use 'Net-local-01' for Local-ID here. Even though
defining and using an identical ...

> [Net-local-02]
> ID-type=  IPV4_ADDR_SUBNET
> Network=  192.168.100.0
> Netmask=  255.255.255.0

... is perfectly ok, it's not really required.

>
> [Net-remote-02]
> ID-type=  IPV4_ADDR_SUBNET
> Network=  172.30.1.0
> Netmask=  255.255.255.0
>
> Is it correct? It seems not work fine. Any ideas will be appreciated.
>

The rest looks fine, AFAICT.

I'm sorry to say, however, that as usual you don't specify HOW it "seems
not to work fine". Am I supposed to guess?

/H

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
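The mistake the reply points at (a Phase-1 or Phase-2 section naming a
Configuration= section that is never defined) is easy to catch mechanically.
The following is an added example, not code from the thread or from isakmpd
itself: a small isakmpd.conf parser plus a lint that follows the tags which
name other sections (Configuration=, ISAKMP-peer=, Local-ID=, Remote-ID=,
Connections= and the address-to-section map in [Phase 1]) and reports any
target that does not exist. The embedded config is a constructed copy of the
poster's, with VPN-22 reusing Net-local-01 as suggested; the two appended
sections use the built-in transform and suite names that the isakmpd.conf(5)
examples use. Transforms= and Suites= are deliberately not followed, since
isakmpd defines the standard names internally.

```python
"""Lint an isakmpd.conf for references to sections that are never defined.

Added example, not from the original mail or from isakmpd. It parses the
[Section] / Tag=Value / '#'-comment syntax and follows the tags that name
other sections; Transforms= and Suites= are not followed because isakmpd
has built-in definitions for the standard names.
"""
import re

REFERENCING_TAGS = {"Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID", "Connections"}

# Constructed copy of the poster's config ('=3D' restored to '='); VPN-22
# reuses Net-local-01 as the reply suggests.
POSTED_CONF = """\
[Phase 1]
216.95.234.110= VPN-11
[Phase 2]
Connections=    VPN-12,VPN-22
[VPN-11]
Phase=          1
Transport=      udp
Local-address=  216.95.234.162
Address=        216.95.234.110
Configuration=  Default-main-mode
Authentication= qqqqqqqq
[VPN-12]
Phase=          2
ISAKMP-peer=    VPN-11
Configuration=  Default-quick-mode
Local-ID=       Net-local-01
Remote-ID=      Net-remote-01
[VPN-22]
Phase=          2
ISAKMP-peer=    VPN-11
Configuration=  Default-quick-mode
Local-ID=       Net-local-01
Remote-ID=      Net-remote-02
[Net-local-01]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.100.0
Netmask=        255.255.255.0
[Net-remote-01]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.10.11.0
Netmask=        255.255.255.0
[Net-remote-02]
ID-type=        IPV4_ADDR_SUBNET
Network=        172.30.1.0
Netmask=        255.255.255.0
"""

# The two sections the reply says are missing; transform/suite names are the
# built-in ones used in the isakmpd.conf(5) examples.
FIXED_CONF = POSTED_CONF + """\
[Default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA
[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-PFS-SUITE
"""


def parse_isakmpd_conf(text):
    """Return {section: {tag: value}}; a tag outside any section is an error."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        tag, value = line.split("=", 1)
        sections[current][tag.strip()] = value.strip()
    return sections


def dangling_references(sections):
    """Sorted (section, tag, target) triples naming sections that do not exist."""
    missing = []
    for name, tags in sections.items():
        if name == "Phase 1":
            # In [Phase 1] the tag is a peer address (or 'Default'), the value a section.
            missing += [(name, a, t) for a, t in tags.items() if t not in sections]
            continue
        for tag, value in tags.items():
            if tag in REFERENCING_TAGS:
                # Connections= is a comma-separated list; the others are single names.
                for target in (v.strip() for v in value.split(",")):
                    if target and target not in sections:
                        missing.append((name, tag, target))
    return sorted(missing)
```

Run against POSTED_CONF the lint reports three dangling references (the
Configuration= tags of VPN-11, VPN-12 and VPN-22); against FIXED_CONF it
reports none. A config that passes this check can still fail for other
reasons (peer mismatch, wrong pre-shared key, firewalling of UDP 500), which
is why the reply asks how exactly it "seems not to work".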

