Date: Tue, 22 Jun 2010 12:19:45 -0500 From: "David DeSimone" <fox@verio.net> To: <freebsd-net@freebsd.org> Subject: Re: vpn trouble Message-ID: <20100622171944.GQ2620@verio.net> In-Reply-To: <87260c422232fa7409a4b374341dd106@ewipo.pl> References: <87260c422232fa7409a4b374341dd106@ewipo.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
ralf@dzie-ciuch.pl <ralf@dzie-ciuch.pl> wrote: > > I try to configure VPN over my server and my client > > Sheme is like this > 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90 Are you trying to set up IPSEC tunneling of networks behind these gateways, or are you only trying to secure traffic between the peers themselves? The fact that you don't receive any reply to your IKE packets would indicate something basic, like something is blocking traffic. > # setkey -DP > 10.10.1.90[any] 78.x.x.x[any] any > in ipsec > esp/tunnel/95.x.x.x-78.x.x.x/require > created: Jun 22 15:39:25 2010 lastused: Jun 22 15:39:25 2010 > lifetime: 0(s) validtime: 0(s) > spid=16461 seq=1 pid=83142 > refcnt=1 > 78.x.x.x[any] 10.10.1.90[any] any > out ipsec > esp/tunnel/78.x.x.x-95.x.x.x/require > created: Jun 22 15:39:25 2010 lastused: Jun 22 15:40:50 2010 > lifetime: 0(s) validtime: 0(s) > spid=16460 seq=0 pid=83142 > refcnt=1 Your IPSEC policy specifies "esp/tunnel" mode, but if you are not actually encapsulating traffic originating from somewhere else, you might do better to just use "transport" mode to encrypt without encapsulation. > And tcpdump > #tcpdump -i bce1 host 95.x.x.x > > > 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I > ident > 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I > ident > 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I > ident My first thought was that your IPSEC policy attempts to encrypt all traffic between you and your peers, but the IKE traffic is also traffic between you and your peers, so doesn't it lead to a policy loop of some sort? Will the IPSEC layer attempt to capture and encrypt the IKE packets? -- David DeSimone == Network Admin == fox@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100622171944.GQ2620>