From: Maciej Suszko
Date: Tue, 22 Jun 2010 20:11:30 +0200
Subject: Re: vpn trouble
Cc: freebsd-net@freebsd.org
Message-ID: <20100622201130.5824d585@gda-arsenic>
In-Reply-To: <4f378cfb416582c3081377ba714e508a@ewipo.pl>
List-Id: Networking and TCP/IP with FreeBSD

wrote:
>
>
> >> Hmmm, aggressive mode didn't help :(
> >> Still I got only negotiation, so I try to send packets but I don't
> >> receive it at all.
> >>
> >> On my server 78.x.x.x I got ipfw allow all from any to any.
> >> On the other side 95.x.x.x they tell me that they do everything
> >> right - only I can't connect :(
> >>
> >> Maybe I don't set route correctly?
> >>
> >> Does this mean that I don't receive password from other side?
> >> ERROR: phase1 negotiation failed due to time up.
> >> 5d300bcf894a18f5:0000000000000000
> >
> > All the addresses you write about (despite those x) and
> > especially this 10.10.1.90 sound familiar (anyway it might be
> > coincidence). I've got more than a dozen working tunnels of this
> > kind. You can try this way:
> >
> > Set up a gif tunnel in rc.conf:
> >
> > cloned_interfaces="gif0"
> > ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
> > ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
> >
> > 10.20.0.1 is your internal end of the tunnel, so use any address
> > from beyond the net 10.10.1.90 is in.
> >
> >
> > in racoon.conf something like this:
> >
> > remote 95.x.x.x [500]
> > {
> >     exchange_mode main,aggressive;
> >     doi ipsec_doi;
> >     situation identity_only;
> >     my_identifier address 78.x.x.x;
> >     peers_identifier address 95.x.x.x;
> >     lifetime time 8 hour;
> >     passive off;
> >     proposal_check obey;
> >     generate_policy off;
> >     proposal {
> >         encryption_algorithm 3des;
> >         hash_algorithm md5;
> >         authentication_method pre_shared_key;
> >         dh_group 2;
> >     }
> > }
> >
> > sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
> > {
> >     pfs_group 2;
> >     lifetime time 3600 sec;
> >     encryption_algorithm 3des;
> >     authentication_algorithm hmac_md5;
> >     compression_algorithm deflate;
> > }
> >
> > The other side needs to know you have 10.20.0.1 on your side of the
> > tunnel - this way you should have working IPSEC between both 10.
> > ends.
>
> So as you write they should set: ??
> 10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90
> (other side)

Yes, indeed.

> And additionally I think I should correctly set the SPD policy to:
>
> spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
>     esp/tunnel/78.x.x.x-95.x.x.x/require;
> spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
>     esp/tunnel/95.x.x.x-78.x.x.x/require;
>
> Am I wrong?

No, you're right :)

You can set up the tunnel first - check whether both 10. are accessible
from both sides, then you "cover" communication between them with IPSEC.

-- 
regards, Maciej Suszko.
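The gif tunnel lines and the SPD pair discussed in this thread, as an added shell example (not code from the thread or from Maciej): it renders both from four addresses and then checks that the "in" policy is the exact mirror of the "out" policy, the inconsistency that most often leaves one direction of such a tunnel silently unprotected or undelivered. The outer addresses are constructed RFC 5737 stand-ins for the thread's 78.x.x.x and 95.x.x.x; the inner addresses are the thread's own.

```shell
#!/bin/sh
# Added example, not from the thread: render the gif tunnel lines and the
# setkey SPD pair for the topology above, and check that the "in" policy is
# the exact mirror of the "out" policy (inner src/dst and tunnel endpoints
# swapped). A missing or non-mirrored direction shows up as "packets go
# out, nothing comes back", much like the symptom described in the thread.

# Constructed RFC 5737 stand-ins for the thread's 78.x.x.x and 95.x.x.x;
# the inner addresses are the ones from the thread.
LOCAL_OUTER="${LOCAL_OUTER:-192.0.2.10}"
REMOTE_OUTER="${REMOTE_OUTER:-198.51.100.20}"
LOCAL_INNER="${LOCAL_INNER:-10.20.0.1}"
REMOTE_INNER="${REMOTE_INNER:-10.10.1.90}"

# rc.conf lines: gif0 between the outer endpoints, inner /32s on the alias.
gif_rc_conf() {
    printf 'cloned_interfaces="gif0"\n'
    printf 'ifconfig_gif0="tunnel %s %s"\n' "$1" "$2"
    printf 'ifconfig_gif0_alias0="%s netmask 255.255.255.255 %s"\n' "$3" "$4"
}

# SPD pair for "setkey -f": args are local_outer remote_outer local_inner remote_inner.
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$3" "$2" "$1"
}

# Check a policy file (one spdadd per line): exit 0 only when both directions
# are present and the "in" line mirrors the "out" line field by field.
spd_mirrored() {
    awk '
        $1 == "spdadd" && $5 == "-P" {
            split($8, p, "/"); split(p[3], e, "-")
            seen[$6] = 1; src[$6] = $2; dst[$6] = $3; a[$6] = e[1]; b[$6] = e[2]
        }
        END {
            ok = seen["out"] && seen["in"] &&
                 src["out"] == dst["in"] && dst["out"] == src["in"] &&
                 a["out"] == b["in"] && b["out"] == a["in"]
            exit (ok ? 0 : 1)
        }' "$1"
}

# Demonstration: render both fragments, then verify the rendered SPD pair.
gif_rc_conf "$LOCAL_OUTER" "$REMOTE_OUTER" "$LOCAL_INNER" "$REMOTE_INNER"
policy_file=$(mktemp)
spd_policy "$LOCAL_OUTER" "$REMOTE_OUTER" "$LOCAL_INNER" "$REMOTE_INNER" | tee "$policy_file"
if spd_mirrored "$policy_file"; then echo "SPD pair is mirrored: OK"; else echo "SPD pair is NOT mirrored" >&2; fi
rm -f "$policy_file"
```

Feed the rendered pair to "setkey -f" on the 78.x.x.x side; the peer needs the same two lines with the inner and outer addresses swapped, which spd_mirrored would equally accept.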