Date: Tue, 05 Aug 2003 0:09:12 --300
From: "ddg" <ddg@yan.com.br>
To: ajthomson@optushome.com.au
Cc: freebsd-questions@freebsd.org
Subject: Ipsec Racoon FreeBSD 5.1 Problem
Message-ID: <20030805030912.16613.qmail@athenas.yan.com.br>
Hi,

I recently looked at your email in the freebsd archive:

Racoon / VPN problem
Andrew Thomson ajthomson at optushome.com.au
Thu Jul 10 22:03:20 PDT 2003

--------------------------------------------------------------------------------

That looks a bit like mine too.. (this output taken from host .14.1)
Of course these would be reversed on 14.2 ie, the in and out bits)

192.168.14.2[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/192.168.14.2-192.168.14.1/require
        spid=1 seq=1 pid=42486
        refcnt=1

0.0.0.0/0[any] 192.168.14.2[any] any
        out ipsec
        esp/tunnel/192.168.14.1-192.168.14.2/require
        spid=2 seq=0 pid=42486
        refcnt=1

I'm using this to IPSEC my wireless traffic. Works a treat coupled with racoon.

ajt.

On Fri, 2003-07-11 at 05:12, Company 2210 wrote:
> I have two freebsd 5.0 boxes authenticating at stage one of the VPN, however stage 2 fails, with:
>
> ph2begin_r(): respond new phase 2 negotiation: 10.0.0.1[0]<=>10.0.0.2[0]
> get_proposal_r(): no policy found: 10.0.0.2/32[0] 0.0.0.0/0[0] proto=any dir=in
> quick_r1recv(): failed to get proposal for responder.
> _ph2begin_r(): failed to pre-process packet.
>
> I'm a bit new to this, so I'm guessing the lack of a policy refers to my SPD Database. Setkey -DP looks like this:
>
> 0.0.0.0/0[any] 10.0.0.1[any] any
>         in ipsec
>         esp/tunnel/10.0.0.2-10.0.0.1/require
>         spid=19 seq=1 pid=770
>         refcnt=1
>
> 10.0.0.1[any] 0.0.0.0/0[any] any
>         out ipsec
>         esp/tunnel/10.0.0.1-10.0.0.2/require
>         spid=18 seq=0 pid=770
>         refcnt=1
>
> As I understand it, this means all packets heading to or from 10.0.0.1 must be encapsulated (which is what I want, as I'm running a VPN between two FreeBSD gateway boxes). If I replace the 0.0.0.0/0 with the IP of the other box's interface (i.e. 10.0.0.2) the VPN works between 10.0.0.1<->10.0.0.2, but other traffic from other interfaces is not encrypted.
>
> Any help in resolving/understanding this issue is greatly appreciated.
>
> Many Thanks
>
> Colin
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

--------------------------------------------------------------------------------

I use the same rules that you do in my wireless net:

spdadd XXX.XXX.XXX.10 0.0.0.0/0 any -P out ipsec esp/tunnel/XXX.XXX.XXX.10-XXX.XXX.XXX.9/require;
spdadd 0.0.0.0/0 XXX.XXX.XXX.10 any -P in ipsec esp/tunnel/XXX.XXX.XXX.9-XXX.XXX.XXX.10/require;

These rules functioned perfectly in FreeBSD 5.0; after I updated to FreeBSD 5.1, ipsec continued to function but the computers of the intranet did not connect through the VPN... I tried substituting the natd binary from FreeBSD 5.0 into FreeBSD 5.1, but without success...

Any Idea ?

[]s
Daniel Dias Gonçalves
f22@netbsd.com.br
----
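The "no policy found" line in Colin's log names the selector racoon's responder looked for (src 10.0.0.2/32, dst 0.0.0.0/0, dir in) and found no SPD entry for. The script below is an added example, not code from this thread, from racoon or from setkey: it parses `setkey -DP` output as pasted in the thread and checks the logged selector against it. The matching rule (an SPD entry whose src/dst selectors equal the IDs the peer proposed, in the stated direction) is an assumption taken from the wording of that log line; the Andrew log line is constructed for comparison and was never posted. Under that rule, Colin's inbound policy 0.0.0.0/0 -> 10.0.0.1 is a near miss, while Andrew's inbound policy peer -> 0.0.0.0/0 is a hit, which is consistent with Colin's observation that narrowing 0.0.0.0/0 to the peer address makes phase 2 succeed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample input constructed from the thread: Colin's and Andrew's `setkey -DP`
# output, reflowed one field per line the way setkey prints it.
COLIN_SPD = """\
0.0.0.0/0[any] 10.0.0.1[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=19 seq=1 pid=770
        refcnt=1
10.0.0.1[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=18 seq=0 pid=770
        refcnt=1
"""

ANDREW_SPD = """\
192.168.14.2[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/192.168.14.2-192.168.14.1/require
        spid=1 seq=1 pid=42486
        refcnt=1
0.0.0.0/0[any] 192.168.14.2[any] any
        out ipsec
        esp/tunnel/192.168.14.1-192.168.14.2/require
        spid=2 seq=0 pid=42486
        refcnt=1
"""

# Colin's racoon line as posted; the Andrew line is CONSTRUCTED to mirror it
# (src = peer/32, dst = any, dir = in) and does not come from the thread.
COLIN_LOG = "get_proposal_r(): no policy found: 10.0.0.2/32[0] 0.0.0.0/0[0] proto=any dir=in"
ANDREW_LOG = "get_proposal_r(): no policy found: 192.168.14.2/32[0] 0.0.0.0/0[0] proto=any dir=in"


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # in / out / fwd
    action: str      # e.g. esp/tunnel/10.0.0.2-10.0.0.1/require


# First line of an SPD entry: "<src>[port] <dst>[port] <proto>"
SELECTOR_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")
# Second line: "<direction> ipsec|discard|none"
DIR_RE = re.compile(r"^\s*(in|out|fwd)\s+\S+$")
# racoon responder lookup as logged by get_proposal_r()
LOOKUP_RE = re.compile(
    r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out|fwd)")


def parse_spd(text):
    """Turn `setkey -DP` output into Policy records (selector, direction, action)."""
    policies = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = SELECTOR_RE.match(lines[i])
        if m is None:          # spid=/refcnt= lines and blanks are skipped
            i += 1
            continue
        # a bare host address becomes a /32, which is how racoon logs it
        src, dst = (ipaddress.ip_network(a, strict=False) for a in m.group(1, 2))
        d = DIR_RE.match(lines[i + 1])
        if d is None:
            raise ValueError(f"expected direction after selector line: {lines[i]!r}")
        policies.append(Policy(src, dst, d.group(1), lines[i + 2].strip()))
        i += 3
    return policies


def parse_lookup(logline):
    """Extract the (src, dst, direction) selector racoon reports as missing."""
    m = LOOKUP_RE.search(logline)
    if m is None:
        raise ValueError("not a 'no policy found' line")
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)), m.group(3)


def find_policy(policies, src, dst, direction):
    """ASSUMED model of racoon's SPD search: exact match on src, dst and direction."""
    for p in policies:
        if p.src == src and p.dst == dst and p.direction == direction:
            return p
    return None


def diagnose(spd_text, logline):
    """Return (matched action or None, list of same-direction policies for comparison)."""
    policies = parse_spd(spd_text)
    src, dst, direction = parse_lookup(logline)
    hit = find_policy(policies, src, dst, direction)
    same_dir = [f"{p.src} -> {p.dst}" for p in policies if p.direction == direction]
    return (hit.action if hit else None), same_dir


if __name__ == "__main__":
    for name, spd, log in (("Colin", COLIN_SPD, COLIN_LOG), ("Andrew", ANDREW_SPD, ANDREW_LOG)):
        action, same_dir = diagnose(spd, log)
        print(f"{name}: " + (f"matched {action}" if action
                             else f"no match; inbound policies present: {same_dir}"))
```

Running it prints a match for Andrew's SPD and a miss for Colin's, with Colin's only inbound entry (0.0.0.0/0 -> 10.0.0.1/32) listed beside the selector racoon asked for (10.0.0.2/32 -> 0.0.0.0/0). The same parser can be pointed at a live `setkey -DP` dump and a racoon log to check whether a "no policy found" error is a selector mismatch before touching the configuration.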