From owner-freebsd-questions Wed Jan 29 8:49:52 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 861BC37B401 for ; Wed, 29 Jan 2003 08:49:50 -0800 (PST)
Received: from diana.northnetworks.ca (att-ws20.switchview.com [216.13.70.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id D813343F3F for ; Wed, 29 Jan 2003 08:49:49 -0800 (PST) (envelope-from iaccounts@northnetworks.ca)
Received: from northnetworks.ca ([192.168.0.250]) by diana.northnetworks.ca (8.11.6/8.11.6) with ESMTP id h0TGnjd38782; Wed, 29 Jan 2003 11:49:45 -0500 (EST) (envelope-from iaccounts@northnetworks.ca)
Message-ID: <3E3805BB.3020708@northnetworks.ca>
Date: Wed, 29 Jan 2003 11:47:55 -0500
From: Steve Bertrand
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.1) Gecko/20021218
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Peter Haight
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD IPSEC tunnel stoped working.
References: <200301291326.h0TDQsLG007646@wartch.sapros.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Peter Haight wrote:

>>Looks like the 'spi' are out of sync on the 2 machines. This is after a
>>quick glance, but I know on my IPSec setup, (with manual keys), the
>>spi's have to be such:
>>
>>Stable in spi == Release out spi
>>Release in spi == Stable out spi
>>
>>Are you using racoon? If not, post your ipsec script.
>>
>>
>
>Here you go:
>
>
>local_ip="XX.XX.XX.XX"
>local_net_ip="10.10.1.1"
>local_net_prefixlen="24"
>remote_ip="YY.YY.YY.YY"
>remote_net_ip="192.168.1.1"
>remote_net_prefixlen="12"
>remote_net_netmask="255.255.0.0"
>
>ifconfig gif0 create
>ifconfig gif0 tunnel ${local_ip} ${remote_ip}
>ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}
>setkey -c << EOF
>flush;
>spdflush;
>add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
>add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
>spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
>spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
>EOF
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
>
>

This is ok on one machine. Copy the script to the other machine, and swap
out all of the 'local' variables with the values of the 'remote' variables
and vice versa. This will allow the keys to be configured correctly.

If this still does not work, let me know. I wrote a perl program that will
automatically configure a vpn tunnel for you, and it produces 2 scripts.
One for localhost and the other for remote host. It works for me every time.

Steve
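As an added illustration of the local/remote swap Steve describes (this is a hypothetical POSIX sh helper written for this thread, not Steve's Perl program and not Peter's script): it emits the setkey part of a manually keyed ESP tunnel for both ends from one set of parameters, keeping the SA lines identical on both hosts while reversing the policy directions, and checks that invariant before anything is loaded. Addresses, SPIs and the key are constructed sample values; the gif0 ifconfig lines are left out.

```shell
#!/bin/sh
# Emit the setkey(8) part of a manually keyed ESP tunnel for ONE end.
# Hypothetical helper for this thread (not Steve's Perl program, not Peter's
# script). The SA ("add") lines must be identical on both hosts; only the
# policy ("spdadd") directions are reversed, which is what the local/remote
# swap achieves. The gif0 ifconfig lines are left out.
#
#   gen_ipsec_side LABEL MY_IP MY_NET PEER_IP PEER_NET SPI_OUT SPI_IN KEY
#
# SPI_OUT is the SPI this host uses for outbound ESP; the peer must use the
# same value as its inbound SPI ("Stable in spi == Release out spi").
gen_ipsec_side() {
    label=$1 my_ip=$2 my_net=$3 peer_ip=$4 peer_net=$5
    spi_out=$6 spi_in=$7 key=$8
    cat <<EOF
# setkey -c input for $label ($my_ip)
flush;
spdflush;
add $my_ip $peer_ip esp $spi_out -E blowfish-cbc $key;
add $peer_ip $my_ip esp $spi_in -E blowfish-cbc $key;
spdadd $my_net $peer_net any -P out ipsec esp/tunnel/$my_ip-$peer_ip/require;
spdadd $peer_net $my_net any -P in ipsec esp/tunnel/$peer_ip-$my_ip/require;
EOF
}

# One set of tunnel parameters (constructed sample values). Use a random hex
# key, e.g. from 'openssl rand -hex 16', rather than a word like "foobar".
A_IP=192.0.2.10;     A_NET=10.10.1.0/24
B_IP=198.51.100.20;  B_NET=192.168.0.0/16
SPI_A_TO_B=9991
SPI_B_TO_A=9992
KEY=0x00112233445566778899aabbccddeeff

# Both ends from the same parameters: arguments swapped, SPIs swapped.
gen_both() {
    gen_ipsec_side host-A "$A_IP" "$A_NET" "$B_IP" "$B_NET" "$SPI_A_TO_B" "$SPI_B_TO_A" "$KEY"
    gen_ipsec_side host-B "$B_IP" "$B_NET" "$A_IP" "$A_NET" "$SPI_B_TO_A" "$SPI_A_TO_B" "$KEY"
}

# Sanity check before loading: both ends must carry exactly the same SA
# lines, otherwise the SPIs are out of sync and ESP traffic is dropped.
sa_lines() { gen_ipsec_side "$@" | grep '^add ' | sort; }
check_sa_match() {
    a=$(sa_lines A "$A_IP" "$A_NET" "$B_IP" "$B_NET" "$SPI_A_TO_B" "$SPI_B_TO_A" "$KEY")
    b=$(sa_lines B "$B_IP" "$B_NET" "$A_IP" "$A_NET" "$SPI_B_TO_A" "$SPI_A_TO_B" "$KEY")
    [ "$a" = "$b" ]
}

gen_both
```

As in the original script, these SAs carry no -A authentication algorithm, so they give confidentiality without integrity protection; a manual setup normally adds one with its own key.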