From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: Mike Tancsa
Cc: freebsd-questions@freebsd.org
Date: Fri, 17 Feb 2006 19:34:54 +0100
Subject: Re: Setting up VPN+IPSec+Racoon
Message-ID: <43F6174E.5030400@t-hosting.hu>
In-Reply-To: <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>

Mike Tancsa wrote:
> At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>
>> Mike Tancsa wrote:
>>
>>> As for tutorials, google around and read through various posts. There
>>> is lots of good info out there. Perhaps if you describe what you want
>>> to do, people can make specific suggestions.
>>>
>>> ---Mike
>>>
>> Unfortunately, I haven't found a good howto. The situation is the
>> following:
>
> freebsd ipsec tutorial
>
> in google comes up with a number of starting points including
>
> http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html
>
>> This project will be some kind of SMS service. The server will connect
>> to the SMS server and get the received SMSes, but the connection to
>> the SMS server is only allowed via VPN. Here are two IP addresses;
>> one of them is the VPN peer's address. I have to set up a VPN
>> connection to this host with 3DES SHA IPsec and a DH pre-shared key.
>> The other IP address is the SMS server's address, but that is only
>> accessible via VPN.
>
> First, you need to show what your policy is.
>
> typical setup described is
>
> internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet_B
>
> Where internalNet_A needs to talk to internalNet_B in a safe and
> secure way.
>
> So, identify what those parts of the policy are.
>
> Put it in a shell script like
>
> Bsubnet=172.24.0.17/29
> BexternalIP=80.244.96.229
> Asubnet=192.168.2.186/32
> AexternalIP=80.98.231.227
> setkey -F
> setkey -FP
>
> /usr/sbin/setkey -c <<EOF1
> spdadd $Asubnet $Bsubnet any -P out ipsec
> esp/tunnel/$AexternalIP-$BexternalIP/unique;
> spdadd $Bsubnet $Asubnet any -P in ipsec
> esp/tunnel/$BexternalIP-$AexternalIP/unique;
> EOF1
>
> This sets up the policy.
>
> Type
> setkey -DP
>
> It will show you the installed policies. Once you try and send some
> traffic across with PhaseI and PhaseII negotiated, you will see the
> associations with
> setkey -D
>
>> I've installed ipsec-tools, and tried to configure it, but I can't
>> start racoon and I get a configuration file parse error. I couldn't
>> find out which line is wrong. I just got this:
>> racoon: failed to parse configuration file.
>
> IPSEC Tools is fussy about where the config is. It's saying it can't
> find the config.
> Try racoon -d -f /usr/local/etc/racoon/racoon.conf
>
> Also, make sure for your sainfo config, it must match your policies,
> otherwise it will hit the anonymous config. For your initial setup,
> try it with an anonymous config for now and then work on getting only
> a specific config.
> e.g.
> sainfo address 172.24.0.17/29 any address 192.168.2.186/24 any

Thanks, it seems to be okay now, racoon is running, and I see TCP packets going out via the VPN, but ICMP host unreachable packets are coming from the VPN peer. I think there's some problem with the routing here; I started a new thread about this.

Thanks in advance,
Gabor Kovesdan
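Added example, not part of this thread and not Mike's script or anything shipped with ipsec-tools: a small POSIX sh script that builds the setkey(8) SPD entries and the racoon.conf sainfo selector from one set of variables, so the policy and the sainfo cannot drift apart (the mismatch that makes racoon fall back to the anonymous sainfo), and that rejects a prefix where a tunnel endpoint (a host address) is required. The function names, the dry-run behaviour when setkey is not installed, and the 3DES/HMAC-SHA1 sainfo body are my assumptions; the addresses are the ones quoted above and serve only as sample input.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Generates the SPD for
# setkey(8) and the matching racoon sainfo from the same four variables.
# Assumes FreeBSD setkey/racoon syntax; sample addresses are those quoted
# in the thread and are used here only as constructed test input.

# is_ipv4 ADDR: succeed if ADDR is a dotted-quad IPv4 host address (no prefix).
is_ipv4() {
    case "$1" in
        */*|''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct; do
        [ -n "$oct" ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# is_cidr PREFIX: succeed if PREFIX is ADDR/LEN with 0 <= LEN <= 32.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    is_ipv4 "$addr" || return 1
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ]
}

# spd_policy ASUBNET BSUBNET AEXT BEXT: print the two spdadd lines for an ESP
# tunnel between the host addresses AEXT and BEXT carrying ASUBNET<->BSUBNET.
# Tunnel endpoints must be host addresses, never prefixes, so they are checked.
spd_policy() {
    is_cidr "$1" && is_cidr "$2" && is_ipv4 "$3" && is_ipv4 "$4" || return 1
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' "$2" "$1" "$4" "$3"
}

# sainfo_stanza ASUBNET BSUBNET: print the racoon.conf sainfo whose selectors
# are exactly the traffic selectors used by spd_policy (local side first).
# 3DES + HMAC-SHA1 matches the "3DES SHA" requirement stated in the thread.
sainfo_stanza() {
    is_cidr "$1" && is_cidr "$2" || return 1
    printf 'sainfo address %s any address %s any {\n' "$1" "$2"
    printf '\tpfs_group 2;\n'
    printf '\tencryption_algorithm 3des;\n'
    printf '\tauthentication_algorithm hmac_sha1;\n'
    printf '\tcompression_algorithm deflate;\n'
    printf '}\n'
}

# apply_policy ASUBNET BSUBNET AEXT BEXT: flush and load the SPD with setkey(8)
# when it is present; otherwise only print what would be loaded (dry run).
apply_policy() {
    policy=$(spd_policy "$@") || { echo "apply_policy: bad address arguments" >&2; return 1; }
    if command -v setkey >/dev/null 2>&1; then
        setkey -F && setkey -FP || return 1
        printf '%s\n' "$policy" | setkey -c
    else
        echo "# setkey not found; policy that would be loaded:"
        printf '%s\n' "$policy"
    fi
}

# Demo on the constructed sample: A = 192.168.2.186/32 behind 80.98.231.227,
# B = 172.24.0.17/29 behind 80.244.96.229 (addresses quoted in the thread).
spd_policy 192.168.2.186/32 172.24.0.17/29 80.98.231.227 80.244.96.229
sainfo_stanza 192.168.2.186/32 172.24.0.17/29
```

Run it on the A side with the real values, pipe the output of spd_policy into `setkey -c` (apply_policy does this) and paste the sainfo block into racoon.conf; `setkey -DP` should then show exactly the two entries printed, and racoon's debug output (`racoon -d -f ...`) should select the specific sainfo rather than the anonymous one.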