Date:      Wed, 10 Mar 2004 15:25:56 +1000
From:      Nick Slager <nicks@OntheNet.com.au>
To:        net@freebsd.org
Subject:   IPsec: odd behaviour with policies
Message-ID:  <20040310052556.GA33553@OntheNet.com.au>

This is perhaps the wrong forum for this question, however, posting on
-questions has drawn a blank.

I have a newly created VPN between a 4.8 box and a Cisco VPN 3000
Concentrator. The concentrator is not under my control, being owned by an
associated company.
 
The policies are extremely restrictive, and permit a single host in our
network (behind the FreeBSD end) to communicate with 2 hosts at the other
end (behind the concentrator).
 
I am able to establish the VPN from our internal host by pinging one of
the hosts in the remote network. The VPN is established and all works
fine, but I can only communicate with the one remote host I pinged to
establish the VPN link. I am unable to communicate with the other host.
 
If I tear down the IPsec tunnel, and re-establish the VPN by pinging the
other remote IP address, communication is fine also, but only for the
one single remote host I pinged.
 
Is anyone able to shed light on why this might be the case? Anonymised
config files below.
 
 
Nick
 
 
192.168.1.1	Our internal host
203.1.1.1	Our IPsec endpoint (FreeBSD 4.8)

1.2.3.4		Remote internal host #1
1.2.3.5		Remote internal host #2
203.2.2.2	Remote IPsec endpoint (concentrator)


/etc/ipsec.conf:

flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;


Relevant portions of racoon.conf:

remote 203.2.2.2
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address "203.1.1.1";

        nonce_size 16;
        lifetime time 86400 sec;
        initial_contact on;
        support_proxy on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any
{
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any
{
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
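The setup above depends on two things lining up by hand: every `spdadd ... -P out` policy needs an `-P in` mirror with the tunnel endpoints reversed, and every outbound selector pair needs a matching `sainfo` stanza so racoon can negotiate a Phase 2 SA for it. Below is an added consistency check for exactly that mapping. It is my example, not part of Nick's post or of the setkey/racoon tooling; the embedded input is constructed from the anonymised values quoted in the post, plus one deliberately incomplete variant, so it runs offline.

```python
import re
from collections import namedtuple

# Constructed input: the anonymised /etc/ipsec.conf policies quoted in the
# post, embedded here so the check runs offline rather than reading a live file.
IPSEC_CONF = """
flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
"""

# Constructed variant: the inbound mirror for the second remote host is missing.
IPSEC_CONF_INCOMPLETE = """
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
"""

# Constructed input: only the sainfo selector lines from the quoted racoon.conf
# matter for this check, so the stanza bodies are reduced to one setting.
RACOON_CONF = """
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any
{
        pfs_group 2;
}
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any
{
        pfs_group 2;
}
"""

Policy = namedtuple("Policy", "src dst proto direction tunnel_src tunnel_dst")

# Matches the tunnel-mode ESP form of spdadd used in the post.
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9.]+)-([0-9.]+)/(\w+)\s*;"
)
# Matches the "sainfo address <local> <port> address <remote> <port>" header.
SAINFO_RE = re.compile(r"^sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)")


def parse_spd(text):
    """Return the tunnel-mode policies found in setkey(8) configuration text."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if m:
            src, dst, proto, direction, tsrc, tdst, _level = m.groups()
            policies.append(Policy(src, dst, proto, direction, tsrc, tdst))
    return policies


def parse_sainfo(text):
    """Return the set of (local, remote) selector pairs declared by sainfo stanzas."""
    selectors = set()
    for line in text.splitlines():
        m = SAINFO_RE.match(line.strip())
        if m:
            local, _lport, remote, _rport = m.groups()
            selectors.add((local, remote))
    return selectors


def check_policies(spd, sainfo):
    """Report outbound policies lacking a mirrored inbound policy or a sainfo stanza."""
    findings = []
    outs = {(p.src, p.dst): p for p in spd if p.direction == "out"}
    ins = {(p.src, p.dst): p for p in spd if p.direction == "in"}
    for (src, dst), p in outs.items():
        mirror = ins.get((dst, src))
        if mirror is None:
            findings.append(f"no inbound policy mirrors {src} -> {dst}")
        elif (mirror.tunnel_src, mirror.tunnel_dst) != (p.tunnel_dst, p.tunnel_src):
            findings.append(f"tunnel endpoints not mirrored for {src} -> {dst}")
        if (src, dst) not in sainfo:
            findings.append(f"no sainfo stanza for {src} -> {dst}")
    for (src, dst) in ins:
        if (dst, src) not in outs:
            findings.append(f"inbound policy {src} -> {dst} has no outbound counterpart")
    return findings


if __name__ == "__main__":
    sainfo = parse_sainfo(RACOON_CONF)
    for label, conf in (("post", IPSEC_CONF), ("incomplete", IPSEC_CONF_INCOMPLETE)):
        findings = check_policies(parse_spd(conf), sainfo)
        print(label, findings or "consistent")
```

Run against the post's own policies the check is clean, which is what one would expect given that each remote host works when it is the one that triggered the negotiation; the variant shows what a missing mirror looks like. The check only covers the FreeBSD side, so it says nothing about how the concentrator's own policy is cut up.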
