Date:      Tue, 22 Jun 2010 19:08:19 +0200
From:      Maciej Suszko <maciej@suszko.eu>
To:        freebsd-net@freebsd.org
Subject:   Re:  vpn trouble
Message-ID:  <20100622190819.270aaa74@gda-arsenic>
In-Reply-To: <6caa9895ae1710b9f48a227116a4340c@ewipo.pl>
References:  <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <c5781e9db1e6339b5b23c0c403c68d9a@ewipo.pl> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl>

<ralf@dzie-ciuch.pl> wrote:
>
> Hmmm, aggressive mode didn't help :(
> Still I got only negotiation, so I try to send packets but I don't
> receive them at all.
>
> On my server 78.x.x.x I got ipfw allow all from any to any.
> On the other side 95.x.x.x they tell me that they did everything
> right - only I can't connect :(
>
> Maybe I didn't set the route correctly?
>
> Does this mean that I don't receive the password from the other side?
> ERROR: phase1 negotiation failed due to time up.
> 5d300bcf894a18f5:0000000000000000

All the addresses you write about (despite those x) and especially
this 10.10.1.90 sound familiar (anyway it might be a coincidence). I've
got more than a dozen working tunnels of this kind. You can try this way:

Set up a gif tunnel in rc.conf:

cloned_interfaces="gif0"
ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"

10.20.0.1 is your internal end of the tunnel, so use any address from
beyond the net 10.10.1.90 is in.


in racoon.conf something like this:

remote 95.x.x.x [500]
{
    exchange_mode       main,aggressive;
    doi                 ipsec_doi;
    situation           identity_only;
    my_identifier       address 78.x.x.x;
    peers_identifier    address 95.x.x.x;
    lifetime            time 8 hour;
    passive             off;
    proposal_check      obey;
    generate_policy     off;
    proposal {
        encryption_algorithm    3des;
        hash_algorithm          md5;
        authentication_method   pre_shared_key;
        dh_group                2;
    }
}

sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
{
    pfs_group                   2;
    lifetime                    time 3600 sec;
    encryption_algorithm        3des;
    authentication_algorithm    hmac_md5;
    compression_algorithm       deflate;
}

The other side needs to know you have 10.20.0.1 on your side of the
tunnel - this way you should have working IPSEC between both 10. ends.
-- 
regards, Maciej Suszko.
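
A common reason a gif-over-IPsec setup like the one above stays stuck in negotiation is that the inner addresses on the gif0 alias and the selector in racoon's sainfo line drift apart. The following shell script is an added example, not part of this message or of racoon itself: it parses rc.conf- and racoon.conf-style text and reports whether the two agree. The config text embedded in it is constructed to mirror the settings quoted in the thread; the 78.x.x.x / 95.x.x.x endpoints are left masked as in the thread because the check only looks at the inner 10. addresses.

```shell
#!/bin/sh
# Added example: cross-check gif0 inner endpoints against racoon's sainfo.
# Sample config text below is constructed to mirror the thread's settings.

RC_CONF='cloned_interfaces="gif0"
ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"'

RACOON_CONF='sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
{
    pfs_group 2;
}'

# gif_inner_ends "<rc.conf text>": prints "local remote" taken from the
# ifconfig_gif0_alias0 line (the point-to-point addresses inside the tunnel).
gif_inner_ends() {
    printf '%s\n' "$1" | sed -n \
      's/^ifconfig_gif0_alias0="\([0-9.]*\) netmask [0-9.]* \([0-9.]*\)".*/\1 \2/p'
}

# sainfo_ends "<racoon.conf text>": prints "local remote" taken from the
# sainfo selector (address A/32 any address B/32 any).
sainfo_ends() {
    printf '%s\n' "$1" | sed -n \
      's/^sainfo (address \([0-9.]*\)\/32 any address \([0-9.]*\)\/32 any).*/\1 \2/p'
}

# check_tunnel "<rc.conf text>" "<racoon.conf text>": prints "ok" when the
# gif alias and the sainfo selector name the same local/remote pair,
# otherwise a "mismatch" line showing both so the operator can fix one side.
check_tunnel() {
    gif=$(gif_inner_ends "$1")
    sa=$(sainfo_ends "$2")
    if [ -n "$gif" ] && [ "$gif" = "$sa" ]; then
        echo ok
    else
        echo "mismatch: gif='$gif' sainfo='$sa'"
    fi
}

check_tunnel "$RC_CONF" "$RACOON_CONF"
```

Run it against your real /etc/rc.conf and /etc/racoon/racoon.conf contents (e.g. via `check_tunnel "$(cat /etc/rc.conf)" "$(cat /etc/racoon/racoon.conf)"`) before chasing the peer for phase 1 problems.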
