Date:      Wed, 7 Jul 2010 19:28:37 -0300
From:      Matheus Weber da Conceição <matheuswcon@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   VPN IPsec Help
Message-ID:  <AANLkTikffXjLu2QTENeRiQ7PhFLrC3Viiar_1BZOQAeP@mail.gmail.com>

Hello guys;

I'm using FreeBSD 7.0 on my firewall/gateway, and I have to connect
via VPN to a Cisco box.

The scene here is:

* Peer A (Cisco): 200.xxx.xxx.xxx
   IPs that Peer B needs to access:
      - 192.168.10.24
      - 192.168.201.196
      - 10.115.90.236

* Peer B (FreeBSD 7.0): 187.yyy.yyy.yyy (me)


How can I configure this scene without using gif0 interface?

I have no idea how to route the network traffic from my IP
(187.yyy.yyy.yyy) to the three non-routable (private) IPs behind Peer A.

I started /usr/local/etc/rc.d/racoon and /etc/rc.d/ipsec.
When I try to access SSH on 192.168.10.24, racoon writes a lot of
things in the log file (as far as I can see there is no error), but
SSH gives me a timeout error. After that, I look at the "setkey
-D" output, and I get this:
======== setkey -D ========
187.yyy.yyy.yyy 200.xxx.xxx.xxx
        esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x00004001)
        E: 3des-cbc  466cb043 de788f18 88545f35 d89be53e 4a0e85e9 3d026286
        A: hmac-sha1  832a11aa ea68bc5a ec6f919b 23e28d91 7ecd7c6b
        seq=0x00000007 replay=4 flags=0x00000000 state=mature
        created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
        diff: 490(s)    hard: 28800(s)  soft: 28800(s)
        last: Jul  7 19:18:09 2010      hard: 0(s)      soft: 0(s)
        current: 728(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 7    hard: 0 soft: 0
        sadb_seq=1 pid=21919 refcnt=2
200.xxx.xxx.xxx 187.yyy.yyy.yyy
        esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x00004002)
        E: 3des-cbc  b1cd13a6 d0696e70 778fe5b3 4bfde61c 6cb81d8f 2a8e9f62
        A: hmac-sha1  4ad86b36 ff7d5c14 6cb744e5 85d97017 2b0f196c
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
        diff: 490(s)    hard: 28800(s)  soft: 28800(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=21919 refcnt=1
========================
Does this mean that my IPsec tunnel is up?

Any idea?


Configuration files:

==== Here is my /etc/ipsec.conf ====
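# /etc/ipsec.conf -- SPD entries loaded by setkey(8) via /etc/rc.d/ipsec.
# For each subnet behind Peer A (200.xxx.xxx.xxx) there is one outbound and
# one inbound tunnel-mode ESP policy between the two gateway addresses.
# "require" means a packet matching the selector is dropped unless a
# matching SA exists; it is never sent in the clear.
# NOTE(review): 0.0.0.0/0 as the local side of every selector is wider than
# the gateway's own address; the Cisco side's selectors must match what
# racoon proposes for phase 2, so confirm these against the peer's config.

flush;
spdflush;

# 10.115.90.0/24 behind Peer A
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

# 192.168.10.0/24 behind Peer A
spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
# The inbound destination was "0.0.0.0/24", which only covers
# 0.0.0.0-0.0.0.255; the other inbound entries use 0.0.0.0/0, so replies
# from this subnet had no matching policy.
spdadd 192.168.10.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

# 192.168.201.0/24 behind Peer A
spdadd 0.0.0.0/0 192.168.201.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.201.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;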
======================================

==== Here is my /usr/local/etc/racoon/racoon.conf ====
# /usr/local/etc/racoon/racoon.conf -- IKEv1 (racoon) configuration for the
# tunnel to Peer A. Phase 1 uses a pre-shared key read from psk.txt; the
# kernel policies that trigger phase 2 live in /etc/ipsec.conf.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# debug2 is the most verbose level and records every exchange in detail,
# which is why "racoon writes a lot of things in the log file". Lower it
# (e.g. "log notify;") once the tunnel works.
log debug2;

# "anonymous" matches any peer address. peers_identifier below is only
# compared with the peer's ID payload when verify_identifier is on
# (racoon's default is off), so as written it does not restrict who may
# negotiate with this gateway.
remote anonymous
{
        exchange_mode    main;
        # NOTE(review): presumably the same two gateway addresses used as the
        # tunnel endpoints in /etc/ipsec.conf (187.yyy.yyy.yyy / 200.xxx.xxx.xxx)
        # -- confirm, since a mismatch breaks phase 2 selector matching.
        my_identifier    address 187.4.201.197;
        peers_identifier address 200.186.89.186;
        lifetime         time 28800 sec;        # sec,min,hour
        # off: racoon installs no SPD entries itself; every subnet must be
        # covered by the spdadd lines in /etc/ipsec.conf.
        generate_policy  off;

        # phase 1 proposal (for ISAKMP SA)
        # 3des/sha1/DH group 2 match the 3des-cbc / hmac-sha1 SAs shown by
        # "setkey -D". NOTE(review): these are legacy algorithms; keep them only
        # as long as the Cisco side requires them.
        proposal {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              2;
        }
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
# "address anonymous" applies this proposal to every selector pair.
sainfo address anonymous
{
        lifetime                 time 28800 sec;
        encryption_algorithm     3des;
        authentication_algorithm hmac_sha1;
        # deflate is only proposed when a kernel policy asks for ipcomp; the
        # /etc/ipsec.conf policies are ESP-only, so it is unused as configured.
        compression_algorithm    deflate;
}
=========================================
-- 
============================
Matheus Weber da Conceição


