Date:      Wed, 5 Sep 2007 16:12:47 +0300
From:      "lost janis" <riga.bsd@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   IPsec gif problems
Message-ID:  <a7d2ca870709050612t392ef1f7r24200642beb5d565@mail.gmail.com>

Hello!
I apologise for my English.
I'm using FreeBSD 6.2 with a kernel compiled with the options
options   IPSEC        #IP security
options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
options   IPSEC_DEBUG  #debug for IP security

ipsec-tools installed, port version 0.7.
I'm using the PF firewall.
I'm already feeling dumb and fr..out after spending one week on this
problem and cannot find a solution.
Here is my problem:
First GRE tunnel end-point IP addresses (must be public IPv4):
my host A.A.A.A and host B.B.B.B
Second GRE tunnel end-points C.C.C.C and D.D.D.D (must be public IPv4)

IPsec device IP (must be public IPv4)
E.E.E.E-F.F.F.F

SA - authentication - preshared secret
SA cipher 3des-cbc
SA encryption/authentication ESP
SA hash function - md5

1) I tried making a gif device as written in
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
and nothing; it does not work out.
2) I put the IPs A.A.A.A, B.B.B.B, etc. on real interfaces

#my /usr/local/etc/racoon/psk.txt
B.B.B.B preshared secret
#my /etc/ipsec.conf
spdadd A.A.A.A/32 B.B.B.B/32 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
#My /usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;
#
# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp A.A.A.A [500];
}

timer
{
        counter 2;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        phase1 30 sec;
        phase2 20 sec;
}

remote anonymous
{
        exchange_mode main,base;
        my_identifier address A.A.A.A;
        lifetime time 1 hour;   # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal_check strict;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

And I cannot get clear how to tunnel CCCC and EEEE through the AAAA-BBBB
tunnel to DDDD-FFFF.
I try to ping (# ping -S C.C.C.C D.D.D.D) and get a reply.

  tcpdump esp
C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116
C.C.C.C > D.D.D.D ESP(spi=0x199fecdf,seq=0x7), length 116

  And when I try just a simple ping to host D.D.D.D there is no ESP.
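An added example, not from the original message or from the ipsec-tools project, to illustrate the point the two pings above turn on: whether a packet gets ESP is decided by the setkey SPD selectors, not by which SAs racoon negotiated. The matcher below parses spdadd lines in the esp/tunnel/EP1-EP2/LEVEL form used in the ipsec.conf above and reports which policy, if any, a given src/dst pair selects; the addresses are constructed RFC 5737 stand-ins for A.A.A.A, B.B.B.B, C.C.C.C and D.D.D.D.

```python
import ipaddress
import re
# Constructed stand-ins (RFC 5737 documentation ranges) for the letters in the post.
A, B = "192.0.2.1", "198.51.100.1"   # IPsec tunnel endpoints (A.A.A.A, B.B.B.B)
C, D = "192.0.2.2", "198.51.100.2"   # inner hosts (C.C.C.C, D.D.D.D)

# The two policies from the poster's /etc/ipsec.conf, with the stand-in addresses.
IPSEC_CONF = f"""
spdadd {A}/32 {B}/32 any -P out ipsec esp/tunnel/{A}-{B}/require;
spdadd {B}/32 {A}/32 any -P in ipsec esp/tunnel/{B}-{A}/require;
"""

# Only the esp/tunnel/EP1-EP2/LEVEL policy form used on this page is recognised.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<ep1>[^-\s]+)-(?P<ep2>[^/\s]+)/(?P<level>\w+)\s*;"
)

def parse_spd(text):
    """Parse spdadd lines into selector networks plus tunnel endpoints."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        policies.append({
            "src": ipaddress.ip_network(m["src"], strict=False),
            "dst": ipaddress.ip_network(m["dst"], strict=False),
            "dir": m["dir"],
            "tunnel": (m["ep1"], m["ep2"]),
            "level": m["level"],
        })
    return policies

def select_policy(policies, src, dst, direction):
    """First policy whose selector covers the packet, else None (sent in the clear).
    A packet outside every selector gets no ESP no matter which SAs racoon set up."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def main():
    spd = parse_spd(IPSEC_CONF)
    for src, dst in ((A, B), (C, D)):
        p = select_policy(spd, src, dst, "out")
        verdict = f"ESP via tunnel {p['tunnel'][0]}-{p['tunnel'][1]}" if p else "in the clear"
        print(f"{src} -> {dst}: {verdict}")

if __name__ == "__main__":
    main()
```

With only the two policies shown, C -> D selects nothing; adding a spdadd line for the inner hosts with the same A-B tunnel endpoints makes the matcher select ESP for that pair, which is the same check to make against the live SPD (setkey -DP) before trusting that inner-host traffic is protected.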
