Date: Fri, 17 Feb 2006 11:49:29 -0500
From: Mike Tancsa <mike@sentex.net>
To: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Setting up VPN+IPSec+Racoon
Message-ID: <6.2.3.4.0.20060217113503.087c1580@64.7.153.2>
In-Reply-To: <43F5F91E.5020005@t-hosting.hu>
References: <43F4B5D2.6020303@t-hosting.hu> <r08av1dk6pikmg7ac9po76ho5k98jviol5@4ax.com> <43F5F91E.5020005@t-hosting.hu>
At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>Mike Tancsa wrote:
>
>>As for tutorials, google around and read through various posts. There
>>is lots of good info out there. Perhaps if you describe what you want
>>to do, people can make specific suggestions.
>>
>> ---Mike
>>
>>
>Unfortunately, I haven't found a good howto. The situation is the following:

"freebsd ipsec tutorial" in google comes up with a number of starting
points, including
http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html

>This project will be some kind of SMS service. The server will connect
>to the SMS server and get the received SMSes, but the connection to the
>SMS server is only allowed via VPN. Here are two IP addresses, one of
>them is the VPN peer's address. I have to set up a VPN connection to
>this host with 3DES SHA IPsec and a DH pre-shared key. The other IP
>address is the SMS server's address, but that is only accessible via VPN.

First, you need to show what your policy is. The typical setup described is

internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet_B

where internalNet_A needs to talk to internalNet_B in a safe and secure
way. So, identify what those parts of the policy are. Put it in a shell
script like

# the two protected selectors and the two gateway (tunnel endpoint) addresses
Bsubnet=172.24.0.17/29
BexternalIP=80.244.96.229
Asubnet=192.168.2.186/32
AexternalIP=80.98.231.227

# flush any existing SAs and policies before loading the new policy
setkey -F
setkey -FP

# ESP in tunnel mode between the two external addresses; the tunnel
# endpoints are the gateway host addresses, not the subnets
/usr/sbin/setkey -c <<EOF1
spdadd $Asubnet $Bsubnet any -P out ipsec esp/tunnel/$AexternalIP-$BexternalIP/unique;
spdadd $Bsubnet $Asubnet any -P in ipsec esp/tunnel/$BexternalIP-$AexternalIP/unique;
EOF1

This sets up the policy. Type

setkey -DP

It will show you the installed policies. Once you try and send some
traffic across with Phase I and Phase II negotiated, you will see the
associations with

setkey -D

>I've installed ipsec-tools, and tried to configure it, but I can't
>start racoon and I get a configuration file parse error. I couldn't
>find out which line is wrong.
I just got this:

>racoon: failed to parse configuration file.

IPSEC Tools is fussy about where the config is. It's saying it can't
find the config. Try

racoon -d -f /usr/local/etc/racoon/racoon.conf

Also, make sure your sainfo config matches your policies, otherwise it
will hit the anonymous config. For your initial setup, try it with an
anonymous config for now and then work on getting only a specific
config. e.g. (local selector first, then the remote one, with the same
prefix lengths as the spdadd lines)

sainfo address 192.168.2.186/32 any address 172.24.0.17/29 any

>Here is the racoon.conf:
>
># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
>path include "@sysconfdir_x@/racoon";
>#include "remote.conf";

        ---Mike
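Added example, not from Mike's reply or the original poster: one sh script that derives both the setkey(8) SPD policy and the racoon sainfo stanza from the same four variables, so the selectors in the two files cannot drift apart (the mismatch that makes racoon fall through to the anonymous sainfo). It also refuses a prefix length on a tunnel endpoint, since the endpoints in esp/tunnel/X-Y/ must be the gateways' host addresses. The addresses are the ones quoted in the thread; the script file name and every line inside the sainfo block other than the selector line (PFS group, lifetime, 3DES/HMAC-SHA1 as the original poster's requirement, deflate) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit the setkey SPD policy and the
# matching racoon sainfo stanza from one set of variables. Addresses are
# the ones quoted above; the Phase 2 parameters inside the sainfo block
# (other than the selector line) are assumed values.

# The endpoints in esp/tunnel/X-Y/ are the gateways' host addresses; a
# prefix length there is the classic copy/paste mistake, so reject it.
check_host() {
    case "$1" in
        */*) echo "error: tunnel endpoint '$1' must be a host address, not a prefix" >&2
             return 1 ;;
        *)   return 0 ;;
    esac
}

# Selectors (the protected networks) need a prefix length; /32 for one host.
check_subnet() {
    case "$1" in
        */*) return 0 ;;
        *)   echo "error: selector '$1' needs a prefix length, e.g. /32" >&2
             return 1 ;;
    esac
}

# Print the two spdadd lines for A <-> B in ESP tunnel mode.
# Usage: spd_policy Asubnet AexternalIP Bsubnet BexternalIP
spd_policy() {
    asub=$1 aext=$2 bsub=$3 bext=$4
    check_subnet "$asub" && check_subnet "$bsub" &&
        check_host "$aext" && check_host "$bext" || return 1
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$asub" "$bsub" "$aext" "$bext"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$bsub" "$asub" "$bext" "$aext"
}

# Print the racoon sainfo stanza as seen from side A: local selector
# first, remote second, identical to the spdadd selectors so Phase 2
# matches this stanza instead of falling through to "sainfo anonymous".
racoon_sainfo() {
    asub=$1 bsub=$2
    check_subnet "$asub" && check_subnet "$bsub" || return 1
    cat <<EOF
sainfo address $asub any address $bsub any
{
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Values from the thread. Run "sh gen-ipsec.sh" (assumed file name) to see
# both outputs; once they look right, pipe the spdadd lines into "setkey -c"
# and paste the sainfo block into racoon.conf.
Asubnet=192.168.2.186/32
AexternalIP=80.98.231.227
Bsubnet=172.24.0.17/29
BexternalIP=80.244.96.229

spd_policy "$Asubnet" "$AexternalIP" "$Bsubnet" "$BexternalIP"
racoon_sainfo "$Asubnet" "$Bsubnet"
```

Because both outputs come from the same variables, `setkey -DP` and the sainfo selector line will always agree; if racoon still logs that it used the anonymous sainfo, the mismatch is elsewhere (typically the ID payloads the peer sends, which are what racoon compares against the selectors).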