Date:      Tue, 22 Jun 2010 15:59:50 +0200
From:      <ralf@dzie-ciuch.pl>
To:        <freebsd-net@freebsd.org>
Subject:   vpn trouble
Message-ID:  <87260c422232fa7409a4b374341dd106@ewipo.pl>


Hi,

I am trying to configure a VPN between my server and my client.

The scheme is like this:
78.x.x.x <--> 95.x.x.x <--> 10.10.1.90

When I try to ping 10.10.1.90, all packets are lost.

What can I change to run it?

Thanks

These are my settings:
# setkey -DP
10.10.1.90[any] 78.x.x.x[any] any
	in ipsec
	esp/tunnel/95.x.x.x-78.x.x.x/require
	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16461 seq=1 pid=83142
	refcnt=1
78.x.x.x[any] 10.10.1.90[any] any
	out ipsec
	esp/tunnel/78.x.x.x-95.x.x.x/require
	created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16460 seq=0 pid=83142
	refcnt=1

#cat racoon.conf 
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp 78.x.x.x [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 95.x.x.x
{
    exchange_mode main, aggressive; # For Firewall-1 Aggressive mode

    lifetime time 8 hour;   # sec,min,hour
 
    proposal {
	encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
        lifetime time		28800 sec;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
    
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

Racoon log:
Foreground mode.
2010-06-22 15:52:50: INFO: @(#)ipsec-tools 0.7.3
(http://ipsec-tools.sourceforge.net)
2010-06-22 15:52:50: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25
Oct 2004 (http://www.openssl.org/)
2010-06-22 15:52:50: INFO: Reading configuration from
"/usr/local/etc/racoon/racoon.conf"
2010-06-22 15:52:50: DEBUG: hmac(modp1024)
2010-06-22 15:52:50: DEBUG: compression algorithm can not be checked
because sadb message doesn't support it.
2010-06-22 15:52:50: DEBUG: getsainfo params: loc='ANONYMOUS',
rmt='ANONYMOUS', peer='NULL', id=0
2010-06-22 15:52:50: DEBUG: getsainfo pass #2
2010-06-22 15:52:50: INFO: 78.x.x.x[500] used as isakmp port (fd=4)
2010-06-22 15:52:50: DEBUG: pk_recv: retry[0] recv() 
2010-06-22 15:52:50: DEBUG: get pfkey X_SPDDUMP message
2010-06-22 15:52:50: DEBUG: pk_recv: retry[0] recv() 
2010-06-22 15:52:50: DEBUG: get pfkey X_SPDDUMP message
2010-06-22 15:52:50: DEBUG: sub:0x7fffffffe480: 78.x.x.x/32[0]
10.10.1.90/32[0] proto=any dir=out
2010-06-22 15:52:50: DEBUG: db :0x5a8610: 10.10.1.90/32[0] 78.x.x.x/32[0]
proto=any dir=in
2010-06-22 15:53:32: DEBUG: caught rtm:14, need update interface address
list
2010-06-22 15:53:47: DEBUG: pk_recv: retry[0] recv() 
2010-06-22 15:53:47: DEBUG: get pfkey ACQUIRE message
2010-06-22 15:53:47: DEBUG: suitable outbound SP found: 78.x.x.x/32[0]
10.10.1.90/32[0] proto=any dir=out.
2010-06-22 15:53:47: DEBUG: sub:0x7fffffffe430: 10.10.1.90/32[0]
78.x.x.x/32[0] proto=any dir=in
2010-06-22 15:53:47: DEBUG: db :0x5a8610: 10.10.1.90/32[0] 78.x.x.x/32[0]
proto=any dir=in
2010-06-22 15:53:47: DEBUG: suitable inbound SP found: 10.10.1.90/32[0]
78.x.x.x/32[0] proto=any dir=in.
2010-06-22 15:53:47: DEBUG: new acquire 78.x.x.x/32[0] 10.10.1.90/32[0]
proto=any dir=out
2010-06-22 15:53:47: DEBUG: configuration found for 95.x.x.x.
2010-06-22 15:53:47: DEBUG: getsainfo params: loc='78.x.x.x',
rmt='10.10.1.90', peer='NULL', id=0
2010-06-22 15:53:47: DEBUG: getsainfo pass #2
2010-06-22 15:53:47: DEBUG: evaluating sainfo: loc='ANONYMOUS',
rmt='ANONYMOUS', peer='ANY', id=0
2010-06-22 15:53:47: DEBUG: selected sainfo: loc='ANONYMOUS',
rmt='ANONYMOUS', peer='ANY', id=0
2010-06-22 15:53:47: DEBUG:  (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-22 15:53:47: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-22 15:53:47: DEBUG: in post_acquire
2010-06-22 15:53:47: DEBUG: configuration found for 95.x.x.x.
2010-06-22 15:53:47: INFO: IPsec-SA request for 95.x.x.x queued due to no
phase1 found.
2010-06-22 15:53:47: DEBUG: ===
2010-06-22 15:53:47: INFO: initiate new phase 1 negotiation:
78.x.x.x[500]<=>95.x.x.x[500]
2010-06-22 15:53:47: INFO: begin Identity Protection mode.
2010-06-22 15:53:47: DEBUG: new cookie:
6fa45a7481c1aec5 
2010-06-22 15:53:47: DEBUG: add payload of len 48, next type 13
2010-06-22 15:53:47: DEBUG: add payload of len 16, next type 0
2010-06-22 15:53:47: DEBUG: 100 bytes from 78.x.x.x[500] to 95.x.x.x[500]
2010-06-22 15:53:47: DEBUG: sockname 78.x.x.x[500]
2010-06-22 15:53:47: DEBUG: send packet from 78.x.x.x[500]
2010-06-22 15:53:47: DEBUG: send packet to 95.x.x.x[500]
2010-06-22 15:53:47: DEBUG: 1 times of 100 bytes message will be sent to
95.x.x.x[500]
2010-06-22 15:53:47: DEBUG: 
6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-22 15:53:47: DEBUG: resend phase1 packet
6fa45a7481c1aec5:0000000000000000
2010-06-22 15:54:07: DEBUG: 100 bytes from 78.x.x.x[500] to 95.x.x.x[500]
2010-06-22 15:54:07: DEBUG: sockname 78.x.x.x[500]
2010-06-22 15:54:07: DEBUG: send packet from 78.x.x.x[500]
2010-06-22 15:54:07: DEBUG: send packet to 95.x.x.x[500]
2010-06-22 15:54:07: DEBUG: 1 times of 100 bytes message will be sent to
95.x.x.x[500]
2010-06-22 15:54:07: DEBUG: 
6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100

And tcpdump
#tcpdump -i bce1 host 95.x.x.x 


15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
ident
15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
ident
15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I
ident
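An added decoder, not part of the original post, for the phase 1 packet racoon printed in the log above, so the bytes on the wire can be checked against racoon.conf: exchange type, the all-zero responder cookie of an unanswered first message, the proposal attributes and the vendor ID payload. The attribute and vendor ID tables are assumptions limited to the values this message uses.

```python
import struct

# Constructed from the 100-byte phase 1 packet in the racoon log above.
PACKET_HEX = ("6fa45a74 81c1aec5 00000000 00000000 01100200 00000000 00000064 0d000034"
              " 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080"
              " 80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
# IKEv1 phase 1 attribute classes and the values this page uses (RFC 2409, appendix A)
ATTR = {1: "encryption_algorithm", 2: "hash_algorithm", 3: "authentication_method",
        4: "dh_group", 11: "lifetime_type", 12: "lifetime_duration"}
VALUE = {1: {5: "3des"}, 2: {1: "md5", 2: "sha1"}, 3: {1: "pre_shared_key"},
         4: {2: "modp1024"}, 11: {1: "seconds"}}
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc7757")  # RFC 3706 vendor ID, minus version

def parse_header(pkt):
    """Decode the 28-byte ISAKMP header (RFC 2408, section 3.1)."""
    ic, rc, nxt, ver, xchg, flags, msgid, length = struct.unpack(">8s8sBBBBII", pkt[:28])
    return {"initiator_cookie": ic.hex(), "responder_cookie": rc.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xf}", "exchange": EXCHANGE.get(xchg, xchg),
            "flags": flags, "message_id": msgid, "length": length}

def parse_attributes(data):
    """Decode transform attributes: bit 15 set = 2-byte value, clear = length then value."""
    attrs, off = {}, 0
    while off < len(data):
        typ, val = struct.unpack(">HH", data[off:off + 4])
        off += 4
        if typ & 0x8000:
            typ &= 0x7fff
        else:
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        attrs[ATTR.get(typ, typ)] = VALUE.get(typ, {}).get(val, val)
    return attrs

def parse_phase1(hexdump):
    """Return (header, first-transform attributes, vendor ids) of a phase 1 message."""
    pkt = bytes.fromhex(hexdump)
    hdr = parse_header(pkt)
    attrs, vids, ptype, off = {}, [], hdr["next_payload"], 28
    while ptype and off + 4 <= len(pkt):          # walk the generic payload chain
        nxt, _, plen = struct.unpack(">BBH", pkt[off:off + 4])
        body = pkt[off + 4:off + plen]
        if ptype == 1:     # SA: DOI, situation, proposal (4 hdr + no, proto, spi size, n)
            t = 16 + body[14]                         # first transform, after proposal SPI
            t_len = struct.unpack(">H", body[t + 2:t + 4])[0]
            attrs = parse_attributes(body[t + 8:t + t_len])
        elif ptype == 13:  # Vendor ID: the DPD one carries a 2-byte major.minor version
            vids.append(f"DPD {body[14]}.{body[15]}" if body.startswith(DPD_VID) else body.hex())
        ptype, off = nxt, off + plen
    return hdr, attrs, vids
```

The decoded proposal (3des, md5, pre_shared_key, modp1024, 28800 s) matches the remote block in racoon.conf, and the zero responder cookie on both identical retransmissions agrees with the one-way tcpdump: the peer never answered, so the failure is before any proposal mismatch (UDP/500 reachability or the peer side), not in this host's proposal.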