Date:      Tue, 14 Nov 2000 16:04:04 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Mike <mikey@kappaisle.com>
Cc:        freebsd-net@freebsd.org, security@freebsd.org
Subject:   Re: VPN over PPPoE (racoon at fault? - no pilot error)
Message-ID:  <5.0.1.4.0.20001114153658.00a58df0@marble.sentex.ca>
In-Reply-To: <Pine.BSF.4.21.0011141404280.92064-100000@greencreek.kappaisle.com>
References:  <mcg11tscg1muv0kl3n46ojldqbjid4ruql@4ax.com>


OK, thanks very much to Mike Cambria, (mcambria@avaya.com) for suggesting 
adjusting the lifetime settings.  I am cc'ing to security@freebsd.org in 
case others run into this problem of using racoon over slower than ethernet 
links.

Setup is a FreeBSD box running PPPoE over DSL across a few hops to another 
FreeBSD machine on the ethernet.  The trick is to bump up the lifetime 
value in racoon.conf and to make sure you have a recent version of racoon. 
I used the one from November 11th.


Here is a quick sample config for two machines


PPPoE machine's _public_ address on tun0 : 169.1.134.1
PPPoE machine's _private_ address aliased on lo0 : 10.1.2.1

Office Server's _public_ address on fxp0 : 172.168.93.4
Office Server's _private_ address aliased on lo0 : 10.1.1.1


*Note, if your machine has 2 interfaces, you can of course use the RFC1918 
space on it instead.
This example assumes you just have the one NIC to play with.


#!/bin/sh
# PPPoE config
# private address lives on lo0 (this box has only the one NIC)
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
# outer (public) tunnel endpoints, then inner (private) point-to-point addresses
gifconfig gif0 169.1.134.1 172.168.93.4
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
# flush the policy database and the SA database, then load the tunnel policies
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF



#!/bin/sh
# server at office config
# private address lives on lo0
ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
# outer (public) tunnel endpoints, then inner (private) point-to-point addresses
gifconfig gif0 172.168.93.4 169.1.134.1
ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
# flush the policy database and the SA database, then load the tunnel policies
setkey -FP
setkey -F
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/169.1.134.1-172.168.93.4/require;
EOF



The only change I made to the default racoon.conf was to increase the 
lifetime values on both ends of the connection.

e.g.

@@ -101,8 +101,8 @@
  sainfo anonymous
  {
         pfs_group 1;
-       lifetime time 30 sec;
-       lifetime byte 5000 KB;
+       lifetime time 3600 sec;
+       lifetime byte 25000 KB;
         encryption_algorithm 3des ;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate ;

> > On 9 Nov 2000 17:01:58 -0500, in sentex.lists.freebsd.net you wrote:
> >
> > >Hi all,
> > >
> > >Has anyone ever successfully configured VPN (using IPSec protocol) over
> > >PPPoE connection?  I have 1 VPN configured over 2 locations with T1
> > >connections without any problem (using the KAME IPSec on FreeBSD
> > >4.1.1).  However, when I tried the same configuration with the 3rd
> > >location running DSL, it seems the IPSec packets can't reach out via tun0
> > >device.
> >
> > I can do it with manual keying, but not with racoon.  Both transport and
> > tunnel mode work for me, but neither works with racoon.  NAT is a bit
> > tricky, but then again with tunnel mode, it doesn't really matter.
> >
> >
> > One end is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Mon Nov 13 13:52:46 EST 2000
> > other is
> > 4.2-BETA FreeBSD 4.2-BETA #0: Sun Nov  5 18:25:14 EST 2000
> >
> > This is via the same sort of DSL you are using i.e. Bell Nexxia type stuff
> > through a Redback etc...
> >
> > I haven't had time to send a note to the KAME folk, but when using racoon on
> > DSL, I get these sorts of log entries that I don't normally get
> >
> > 2000-11-13 23:46:29: isakmp_agg.c:927:agg_r2recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 1.
> > 2000-11-13 23:46:10: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.1 ignore the packet, received unexpecting
> > payload type 89.
> > 2000-11-13 23:52:37: isakmp_inf.c:177:isakmp_info_recv():
> > real.addr.totally-diff-subnet.4 ignore the packet, received unexpecting
> > payload type 187.
> >
> >       ---Mike
> > Mike Tancsa  (mdtancsa@sentex.net)
> > Sentex Communications Corp,
> > Waterloo, Ontario, Canada
> > "Given enough time, 100 monkeys on 100 routers
> > could setup a national IP network." (KDW2)
> >
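The two setkey scripts above only work when the "-P out" policy on one end is mirrored by a "-P in" policy with the same subnets and the same tunnel endpoints on the other; get the endpoint order wrong on one side and the packets are dropped without a log line to point at. The following script is an added example, not part of the original post or of KAME/racoon: it normalises each host's spdadd statements and reports any policy the peer fails to mirror. The correct sample files reuse the addresses from the post; the third sample file is a constructed mistake (inbound endpoints reversed) so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the setkey SPD
# entries of the two tunnel ends. Every "-P out" policy on one host needs a
# "-P in" policy on the other with identical subnets and tunnel endpoints;
# a missing or mistyped mirror drops the traffic with nothing logged.
# The correct samples reuse the addresses from the post; office_bad.sh is
# constructed to show what the check reports.

# spd_norm: read a setkey script on stdin and print one line per spdadd
# statement as "DIR SRC DST TUNNEL_SRC TUNNEL_DST". Statements end with ";",
# so a policy wrapped over two lines (as in the post) is still one record.
spd_norm() {
    awk 'BEGIN { RS = ";" }
    {
        s = 0; dir = ""; split("", ep)
        for (i = 1; i <= NF; i++) {
            if ($i == "spdadd") s = i
            if (s && $i == "-P") dir = $(i + 1)
            if (s && $i ~ /^esp\/tunnel\//) {
                split($i, p, "/")      # p[3] is "TUNNEL_SRC-TUNNEL_DST"
                split(p[3], ep, "-")
            }
        }
        if (s) print dir, $(s + 1), $(s + 2), ep[1], ep[2]
    }'
}

# flip_dir: turn a host's policy into the one its peer must carry
flip_dir() {
    awk '{ $1 = ($1 == "out") ? "in" : "out"; print }'
}

# spd_mirror_check FILE_A FILE_B: report policies of A that B does not mirror
spd_mirror_check() {
    missing=$(spd_norm < "$1" | flip_dir | while read -r want; do
        spd_norm < "$2" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done)
    [ -z "$missing" ] && return 0
    printf 'policies in %s with no mirror in %s:\n%s\n' "$1" "$2" "$missing"
    return 1
}

# spd_pair_check FILE_A FILE_B: both directions must mirror
spd_pair_check() {
    ok=0
    spd_mirror_check "$1" "$2" || ok=1
    spd_mirror_check "$2" "$1" || ok=1
    return $ok
}

# write_samples DIR: create the constructed sample scripts used below
write_samples() {
    cat > "$1/pppoe.sh" <<'SAMPLE'
setkey -c <<EOF
spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
esp/tunnel/169.1.134.1-172.168.93.4/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF
SAMPLE
    cat > "$1/office.sh" <<'SAMPLE'
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/169.1.134.1-172.168.93.4/require;
EOF
SAMPLE
    # constructed mistake: inbound tunnel endpoints written in the wrong order
    cat > "$1/office_bad.sh" <<'SAMPLE'
setkey -c <<EOF
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/172.168.93.4-169.1.134.1/require;
EOF
SAMPLE
}

# demonstration on the constructed samples
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
spd_pair_check "$sample_dir/pppoe.sh" "$sample_dir/office.sh" && echo "pppoe/office: policies mirror"
spd_pair_check "$sample_dir/pppoe.sh" "$sample_dir/office_bad.sh" || echo "pppoe/office_bad: mismatch detected"
rm -rf "$sample_dir"
```

Run it against the two real scripts with `spd_pair_check pppoe.sh office.sh` before loading either with setkey; the check is purely textual and needs no IPsec support on the machine running it. Only tunnel-mode ESP policies of the form used in the post are understood.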
