Date:      Tue, 22 Jun 2010 20:26:36 +0200
From:      Maciej Suszko <maciej@suszko.eu>
To:        freebsd-net@freebsd.org
Subject:   Re: vpn trouble
Message-ID:  <20100622202636.714bced5@gda-arsenic>
In-Reply-To: <7255fc10973166ff686d074fba3fc0f6@ewipo.pl>
References:  <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622171944.GQ2620@verio.net> <7255fc10973166ff686d074fba3fc0f6@ewipo.pl>

<ralf@dzie-ciuch.pl> wrote:
> 
> Hi,
> 
> I try to set up the VPN like I wrote earlier.
> 78.x is the server and this is not NAT. It doesn't forward anything.
> 
> >> I try to configure VPN over my server and my client
> >> 
> >> Scheme is like this
> >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
> > 
> > Are you trying to set up IPSEC tunneling of networks behind these
> > gateways, or are you only trying to secure traffic between the peers
> > themselves?
> 
> I try to set the tunnel behind my server 78.x and gateway 95.x translating
> packets to 10.x. I can only set the 78.x side.
> 
> > 
> > The fact that you don't receive any reply to your IKE packets would
> > indicate something basic, like something is blocking traffic.
> 
> But how to check it? Telnet to port 500 won't work. But when I set SSH
> to listen on port 500 I can log in; the port is not blocked.

Telnet to host port 500 uses proto tcp; isakmp uses udp.

> >> # setkey -DP
> >> 10.10.1.90[any] 78.x.x.x[any] any
> >> 	in ipsec
> >> 	esp/tunnel/95.x.x.x-78.x.x.x/require
> >> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
> >> 	lifetime: 0(s) validtime: 0(s)
> >> 	spid=16461 seq=1 pid=83142
> >> 	refcnt=1
> >> 78.x.x.x[any] 10.10.1.90[any] any
> >> 	out ipsec
> >> 	esp/tunnel/78.x.x.x-95.x.x.x/require
> >> 	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
> >> 	lifetime: 0(s) validtime: 0(s)
> >> 	spid=16460 seq=0 pid=83142
> >> 	refcnt=1
> > 
> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
> > actually encapsulating traffic originating from somewhere else, you
> > might do better to just use "transport" mode to encrypt without
> > encapsulation.
> 
> Hmmm, I don't understand it. I set the policy only for those IPs and
> the connection for it is ESP encrypted.
> 
> > 
> > >> And tcpdump
> > >> # tcpdump -i bce1 host 95.x.x.x
> > >> 
> > >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> > >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> > >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
> > 
> > My first thought was that your IPSEC policy attempts to encrypt all
> > traffic between you and your peers, but the IKE traffic is also
> > traffic between you and your peers, so doesn't it lead to a policy
> > loop of some sort?  Will the IPSEC layer attempt to capture and
> > encrypt the IKE packets?
> 
> Can you explain how I can check it? I'm new to this and I don't understand
> some things.

I've got such tunnels up and working - tunnel mode, encryption between
peers, without using any internal networks - strange, but working :) -
the policy looks like this:
spdadd 195.x.x.x 213.x.x.x any -P out ipsec esp/tunnel/195.x.x.x-213.x.x.x/require;
spdadd 213.x.x.x 195.x.x.x any -P in  ipsec esp/tunnel/213.x.x.x-195.x.x.x/require;
-- 
regards, Maciej Suszko.
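The quoted question of whether the IPsec policy would swallow the host's own IKE packets, and the peer-to-peer policy in the reply above, can both be checked against the SPD itself. The following is an added example, not code from this thread or from FreeBSD: it parses `setkey -DP` output and reports whether an outbound `require` policy covers the local host's UDP/500 traffic to the peer without an explicit `none` exemption. The first sample dump is the one quoted in the thread with its masked addresses kept verbatim as constructed input; the second and third dumps, the `parse_spd` and `ike_needs_bypass` names, and the treatment of `none` as an exemption are assumptions made for the example.

```python
"""Check a FreeBSD `setkey -DP` dump for policies that would capture IKE.

Added example; not code from the thread or from FreeBSD. The sample dumps
below are constructed (the first reproduces the dump quoted in the thread).
"""
import re

# Constructed sample 1: the dump quoted in the thread (78.x <-> 10.10.1.90,
# tunnelled via the 95.x gateway), with the mail's line wrapping undone.
THREAD_DUMP = """\
10.10.1.90[any] 78.x.x.x[any] any
\tin ipsec
\tesp/tunnel/95.x.x.x-78.x.x.x/require
\tcreated: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
\tlifetime: 0(s) validtime: 0(s)
\tspid=16461 seq=1 pid=83142
\trefcnt=1
78.x.x.x[any] 10.10.1.90[any] any
\tout ipsec
\tesp/tunnel/78.x.x.x-95.x.x.x/require
\tcreated: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
\tlifetime: 0(s) validtime: 0(s)
\tspid=16460 seq=0 pid=83142
\trefcnt=1
"""

# Constructed sample 2: the outbound half of the reply's peer-to-peer
# policy, as setkey -DP would show it (spid/pid values are made up).
PEER_DUMP = """\
195.x.x.x[any] 213.x.x.x[any] any
\tout ipsec
\tesp/tunnel/195.x.x.x-213.x.x.x/require
\tspid=1 seq=1 pid=100
\trefcnt=1
"""

# Constructed sample 3: sample 2 plus an explicit "none" policy for UDP/500
# between the peers, i.e. an SPD-level exemption for the IKE exchange.
PEER_DUMP_WITH_BYPASS = PEER_DUMP + """\
195.x.x.x[500] 213.x.x.x[500] udp
\tout none
\tspid=2 seq=0 pid=100
\trefcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
# e.g. esp/tunnel/78.x.x.x-95.x.x.x/require  or  esp/transport//require
REQUEST_RE = re.compile(r"^(ah|esp|ipcomp)/(tunnel|transport)/([^/]*)/(\S+)$")


def parse_spd(dump):
    """Turn `setkey -DP` text into a list of policy dicts. Selector lines start
    a policy; the indented lines give direction/action and the IPsec requests.
    Metadata lines (created/lifetime/spid/refcnt) are skipped."""
    policies, cur = [], None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # unindented line = selector of a new policy
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                raise ValueError("unrecognised selector line: %r" % raw)
            src, sport, dst, dport, proto = m.groups()
            cur = {"src": src, "sport": sport, "dst": dst, "dport": dport,
                   "proto": proto, "dir": None, "action": None, "requests": []}
            policies.append(cur)
            continue
        if cur is None:
            raise ValueError("policy body before any selector line")
        line = raw.strip()
        parts = line.split()
        if cur["dir"] is None and len(parts) == 2 and parts[0] in ("in", "out", "fwd"):
            cur["dir"], cur["action"] = parts  # e.g. "out ipsec", "out none"
            continue
        m = REQUEST_RE.match(line)
        if m:
            proto, mode, endpoints, level = m.groups()
            cur["requests"].append({"proto": proto, "mode": mode,
                                    "endpoints": endpoints, "level": level})
    return policies


def _sel(selector_value, value):
    return selector_value == "any" or selector_value == value


def matching_out_policies(policies, src, sport, dst, dport, proto):
    """Outbound policies whose selector covers the given 5-tuple."""
    return [p for p in policies
            if p["dir"] == "out"
            and _sel(p["src"], src) and _sel(p["sport"], sport)
            and _sel(p["dst"], dst) and _sel(p["dport"], dport)
            and _sel(p["proto"], proto)]


def ike_needs_bypass(policies, local, peer):
    """True if an outbound 'require'/'unique' policy covers the local host's
    own IKE packets (UDP/500 to the peer) and no matching 'none' policy
    exempts them. Kernel lookup order is not modelled; this only flags an
    SPD that deserves a second look."""
    hits = matching_out_policies(policies, local, "500", peer, "500", "udp")
    exempt = any(p["action"] in ("none", "bypass") for p in hits)
    required = any(p["action"] == "ipsec"
                   and any(r["level"].startswith(("require", "unique"))
                           for r in p["requests"])
                   for p in hits)
    return required and not exempt


if __name__ == "__main__":
    print("thread:", ike_needs_bypass(parse_spd(THREAD_DUMP), "78.x.x.x", "95.x.x.x"))
    print("peer:", ike_needs_bypass(parse_spd(PEER_DUMP), "195.x.x.x", "213.x.x.x"))
    print("peer+none:", ike_needs_bypass(parse_spd(PEER_DUMP_WITH_BYPASS), "195.x.x.x", "213.x.x.x"))
```

For the dump quoted in the thread the check comes back false: the outbound policy is for 78.x to 10.10.1.90, so IKE to the 95.x peer is not covered and the missing replies have to be explained by something else, such as a filter on UDP/500 rather than TCP/500. For a policy written directly between the peers, as in the reply, the SPD alone does cover UDP/500; what keeps that working in practice is that racoon sets a bypass policy on its own IKE sockets, and the `none` policy in the third sample is the SPD-level way of writing the same exemption down explicitly.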
