Date: Fri, 17 Feb 2006 19:34:54 +0100
From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Setting up VPN+IPSec+Racoon
Message-ID: <43F6174E.5030400@t-hosting.hu>
In-Reply-To: <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>
References: <43F4B5D2.6020303@t-hosting.hu> <r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com> <43F5F91E.5020005@t-hosting.hu> <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>
Mike Tancsa wrote:
> At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>
>> Mike Tancsa wrote:
>>
>>> As for tutorials, google around and read through various posts. There
>>> is lots of good info out there. Perhaps if you describe what you want
>>> to do, people can make specific suggestions.
>>>
>>> ---Mike
>>>
>> Unfortunately, I haven't found a good howto. The situation is the
>> following:
>
> freebsd ipsec tutorial
>
> in google comes up with a number of starting points including
>
> http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html
>
>> This project will be some kind of SMS service. The server will connect
>> to the SMS server and get the received SMSes, but the connection to
>> the SMS server is only allowed via VPN. Here are two IP addresses,
>> one of them is the VPN peer's address. I have to set up a VPN
>> connection to this host with 3DES SHA IPsec and a DH pre-shared key.
>> The other IP address is the SMS server's address but that is only
>> accessible via VPN.
>
> First, you need to show what your policy is.
>
> typical setup described is
>
> internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet_B
>
> Where internalNet_A needs to talk to internalNet_B in a safe and
> secure way.
>
> So, identify what those parts of the policy are.
>
> Put it in a shell script like
>
> #!/bin/sh
> # Traffic selectors (the subnets to protect) and the two tunnel
> # endpoints (the external gateway addresses)
> Bsubnet=172.24.0.17/29
> BexternalIP=80.244.96.229
> Asubnet=192.168.2.186/32
> AexternalIP=80.98.231.227
>
> # Flush existing SAs and policies before installing the new ones
> setkey -F
> setkey -FP
>
> # Tunnel-mode ESP policies: the subnets are only selectors, the
> # tunnel runs between the two external IPs
> /usr/sbin/setkey -c <<EOF1
> spdadd $Asubnet $Bsubnet any -P out ipsec esp/tunnel/$AexternalIP-$BexternalIP/unique;
> spdadd $Bsubnet $Asubnet any -P in ipsec esp/tunnel/$BexternalIP-$AexternalIP/unique;
> EOF1
>
> This sets up the policy.
>
> Type
> setkey -DP
>
> It will show you the installed policies. Once you try and send some
> traffic across with Phase I and Phase II negotiated, you will see the
> associations with
> setkey -D
>
>> I've installed ipsec-tools, and tried to configure it, but I can't
>> start racoon and I get a configuration file parse error. I couldn't
>> find out which line is wrong. I just got this:
>> racoon: failed to parse configuration file.
>
> IPSEC Tools is fussy about where the config is. It's saying it can't
> find the config.
> Try racoon -d -f /usr/local/etc/racoon/racoon.conf
>
> Also, make sure for your sainfo config, it must match your policies,
> otherwise it will hit the anonymous config. For your initial setup,
> try it with an anonymous config for now and then work on getting only
> a specific config.
> e.g.
> sainfo address 172.24.0.17/29 any address 192.168.2.186/24 any

Thanks, it seems to be okay now, racoon is running, and I see TCP packets
going out via the VPN, but ICMP host unreachable packets are coming from
the VPN peer. I think there's some problem with the routing here; I
started a new thread about this.

Thanks in advance,
Gabor Kovesdan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F6174E.5030400>
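The setkey policy and the "sainfo must match your policies" point from the exchange above, as an added example that is not part of the original thread or of ipsec-tools. It derives both the SPD entries and a racoon.conf from one set of variables, so the Phase 2 selectors cannot drift from the policy, and checks every sainfo line against the SPD the way racoon will match it (a prefix mismatch such as /24 against a /32 policy is rejected, which is exactly the case that otherwise falls through to "sainfo anonymous"). The addresses are the ones quoted in the thread; the PSK file path, main-mode exchange, dh_group 2 and deflate compression are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipsec-tools.
# Addresses are the ones quoted in the thread; the PSK path, exchange mode,
# dh_group and compression_algorithm below are assumptions.

Asubnet=192.168.2.186/32        # local host/subnet (side A)
AexternalIP=80.98.231.227       # local gateway, tunnel endpoint
Bsubnet=172.24.0.17/29          # remote subnet (side B)
BexternalIP=80.244.96.229       # remote gateway (the VPN peer)

# Tunnel-mode SPD: subnets are traffic selectors, external IPs are the
# tunnel endpoints. Pipe the output into "setkey -c".
spd_policy() {
    cat <<EOF
spdadd $Asubnet $Bsubnet any -P out ipsec esp/tunnel/$AexternalIP-$BexternalIP/unique;
spdadd $Bsubnet $Asubnet any -P in ipsec esp/tunnel/$BexternalIP-$AexternalIP/unique;
EOF
}

# racoon.conf: Phase 1 (remote) with 3DES/SHA1/PSK as the thread requires,
# Phase 2 (sainfo) whose selectors reuse the SPD variables verbatim.
racoon_conf() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # assumed path

remote $BexternalIP {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address $Asubnet any address $Bsubnet any {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Return 0 if "src dst" is the exact selector pair of some SPD entry
# (either direction), 1 otherwise. racoon compares the sainfo selectors
# with the Phase 2 IDs derived from the SPD, so 192.168.2.186/24 does
# not match a 192.168.2.186/32 policy.
sainfo_matches_spd() {
    spd_policy | grep -qF -- "spdadd $1 $2 any" && return 0
    return 1
}

# Pull every sainfo selector pair out of racoon_conf and verify each one
# against the SPD; reports the offending pairs and returns 1 on mismatch.
check_conf() {
    bad=$(racoon_conf | awk '/^sainfo address/ { print $3, $6 }' |
        while read -r src dst; do
            sainfo_matches_spd "$src" "$dst" || echo "$src $dst"
        done)
    [ -z "$bad" ] || { echo "sainfo not covered by SPD: $bad" >&2; return 1; }
}

# Usage: review the generated text, then install it with
#   spd_policy | setkey -c
#   racoon_conf > /usr/local/etc/racoon/racoon.conf
spd_policy
racoon_conf
check_conf && echo "sainfo selectors match the SPD"
```

Start racoon with `racoon -d -f /usr/local/etc/racoon/racoon.conf` against the generated file and confirm with `setkey -DP` that the installed policies carry the same selectors the check compared; if you keep a `sainfo anonymous` block during bring-up, remove it once the specific sainfo is known to match, otherwise a later selector typo will silently negotiate under the catch-all.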