Date: Tue, 22 Jun 2010 19:42:03 +0200 From: <ralf@dzie-ciuch.pl> To: Maciej Suszko <maciej@suszko.eu> Cc: freebsd-net@freebsd.org Subject: Re: vpn trouble Message-ID: <4f378cfb416582c3081377ba714e508a@ewipo.pl> In-Reply-To: <20100622190819.270aaa74@gda-arsenic> References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <c5781e9db1e6339b5b23c0c403c68d9a@ewipo.pl> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl> <20100622190819.270aaa74@gda-arsenic>
next in thread | previous in thread | raw e-mail | index | archive | help
>> Hmmm, aggressive mode wasn't help :(
>> Still I got only negotiation, so I try to send packets but I don't
>> receive it at all.
>>
>> On my server 78.x.x.x I got ipfw allow all from any to any.
>> On the other side 95.x.x.x they tell me that they do it everything
>> right - only I can't connect :(
>>
>> Maybe I don't set route correctly?
>>
>> Is this mean that I don't receive password from other side?
>> ERROR: phase1 negotiation failed due to time up.
>> 5d300bcf894a18f5:0000000000000000
>
> All the addresses you write about (despite of those x) and especially
> this 10.10.1.90 sound familiar (anyway it might be conicidence). I've
> got more than dozen working tunnels of this kind. You can try this way:
>
> Set up a gif tunnel in rc.conf:
>
> cloned_interfaces="gif0"
> ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
>
> 10.20.0.1 is your internal end of the tunnel, so use any address from
> beyond the net 10.10.1.90 is in.
>
>
> in racoon.conf something like this:
>
> remote 95.x.x.x [500]
> {
> exchange_mode main,aggressive;
> doi ipsec_doi;
> situation identity_only;
> my_identifier address 78.x.x.x;
> peers_identifier address 95.x.x.x;
> lifetime time 8 hour;
> passive off;
> proposal_check obey;
> generate_policy off;
> proposal {
> encryption_algorithm 3des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> dh_group 2;
> }
> }
>
> sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
> {
> pfs_group 2;
> lifetime time 3600 sec;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
>
> The other side needs to know you have 10.20.0.1 on your side of the
> tunnel - this way you should have working IPSEC bettween both 10. ends.
So as you write they should set: ??
10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90 (other
side)
And additionaly I thing I should correct set spd policy to:
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
esp/tunnel/78.x.x.x-95.x.x.x/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
esp/tunnel/95.x.x.x-78.x.x.x/require;
Am I wrong?
Regards
Ralf
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4f378cfb416582c3081377ba714e508a>