Hello guys,

I'm using a FreeBSD 7.0 in my firewall/gateway, and I have to connect
via VPN to a Cisco box.

The scene here is:

* Peer A (Cisco): 200.xxx.xxx.xxx
   IPs that Peer B need to access:
      - 192.168.10.24
      - 192.168.201.196
      - 10.115.90.236

* Peer B (FreeBSD 7.0): 187.yyy.yyy.yyy (me)


How can I configure this scene without using gif0 interface?

I have no idea how to route the network traffic from my IP
(187.yyy.yyy.yyy) to the 3 Peer A non-routable IPs.

I started /usr/local/etc/rc.d/racoon and /etc/rc.d/ipsec.
When I try to access SSH on 192.168.10.24, racoon writes a lot of
things in the log file (as far as I can see there is no error), but
SSH gives me a timeout error. After that, I look at the "setkey
-D" output, and I get this:
======== setkey -D ========
187.yyy.yyy.yyy 200.xxx.xxx.xxx
        esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x00004001)
        E: 3des-cbc  466cb043 de788f18 88545f35 d89be53e 4a0e85e9 3d026286
        A: hmac-sha1  832a11aa ea68bc5a ec6f919b 23e28d91 7ecd7c6b
        seq=0x00000007 replay=4 flags=0x00000000 state=mature
        created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
        diff: 490(s)    hard: 28800(s)  soft: 28800(s)
        last: Jul  7 19:18:09 2010      hard: 0(s)      soft: 0(s)
        current: 728(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 7    hard: 0 soft: 0
        sadb_seq=1 pid=21919 refcnt=2
200.xxx.xxx.xxx 187.yyy.yyy.yyy
        esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x00004002)
        E: 3des-cbc  b1cd13a6 d0696e70 778fe5b3 4bfde61c 6cb81d8f 2a8e9f62
        A: hmac-sha1  4ad86b36 ff7d5c14 6cb744e5 85d97017 2b0f196c
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
        diff: 490(s)    hard: 28800(s)  soft: 28800(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=21919 refcnt=1
========================
means that my ipsec tunnel is up, right?

Any idea?


Configuration files:

==== Here is my /etc/ipsec.conf ====
flush;
spdflush;
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
# wildcard prefix is /0 here, matching the other inbound policies
spdadd 192.168.10.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.201.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.201.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
======================================

==== Here is my /usr/local/etc/racoon/racoon.conf ====
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

log debug2;

remote anonymous
{
        exchange_mode    main;
        my_identifier    address 187.4.201.197;
        peers_identifier address 200.186.89.186;
        lifetime         time 28800 sec;        # sec,min,hour
        generate_policy  off;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              2;
        }
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo address anonymous
{
        lifetime                 time 28800 sec;
        encryption_algorithm     3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
}
=========================================
-- 
============================
Matheus Weber da Conceição
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
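As an added diagnostic aid (my example, not code from the post or from the racoon/ipsec-tools project): the script below parses the `setkey -D` dump format shown in the message and the spdadd policies from an ipsec.conf, then reports, per peer, whether ESP has actually flowed in both directions and flags any policy with no mirrored counterpart. In the post's dump the outbound SA has carried 728 bytes and the inbound SA 0 bytes, which is what "SAs are mature but SSH times out" looks like from the kernel's side: phase 2 came up, packets leave, nothing comes back. The sample data is constructed from the post (same masked addresses), the local gateway address is assumed to be 187.yyy.yyy.yyy, and the sample ipsec.conf deliberately carries one mistyped wildcard so the policy checker has something to find.

```python
"""Sanity-check a racoon/setkey IPsec tunnel from `setkey -D` output and the
spdadd policies in ipsec.conf.  Added example, not code from the original post."""
import re

# Constructed sample: the two SAs from the post, cut down to the fields the
# parser reads (keys and timestamps omitted); addresses keep the post's masking.
SETKEY_D_SAMPLE = """\
187.yyy.yyy.yyy 200.xxx.xxx.xxx
        esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x00004001)
        seq=0x00000007 replay=4 flags=0x00000000 state=mature
        current: 728(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 7    hard: 0 soft: 0
200.xxx.xxx.xxx 187.yyy.yyy.yyy
        esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x00004002)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
"""

# Constructed sample ipsec.conf: one inbound policy carries a mistyped wildcard
# (0.0.0.0/24 instead of 0.0.0.0/0) so the policy checker has something to report.
IPSEC_CONF_SAMPLE = """\
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.10.0/24 0.0.0.0/24 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" line opens an SA
SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/(\S+)-(\S+)/\w+;")

def parse_setkey_d(text):
    """Return one dict per SA with src, dst, mode, spi, state, bytes, packets."""
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                       # new SA starts here
            m = SA_HEADER.match(line)
            if m:
                sas.append({"src": m.group(1), "dst": m.group(2), "mode": None,
                            "spi": None, "state": None, "bytes": 0, "packets": 0})
            continue
        if not sas:
            continue
        cur = sas[-1]
        for key, pattern, conv in (("mode", r"mode=(\w+)", str),
                                   ("spi", r"spi=(\d+)", int),
                                   ("state", r"state=(\w+)", str),
                                   ("bytes", r"current:\s+(\d+)\(bytes\)", int),
                                   ("packets", r"allocated:\s+(\d+)", int)):
            m = re.search(pattern, line)
            if m:
                cur[key] = conv(m.group(1))
    return sas

def tunnel_report(sas, local):
    """Pair the outbound (src == local) and inbound (dst == local) SA for each
    peer and say whether traffic has actually flowed in both directions."""
    pairs = {}
    for sa in sas:
        outbound = sa["src"] == local
        peer = sa["dst"] if outbound else sa["src"]
        pairs.setdefault(peer, {"out": 0, "in": 0})["out" if outbound else "in"] += sa["bytes"]
    report = {}
    for peer, b in pairs.items():
        if b["out"] and not b["in"]:
            report[peer] = "one-way: ESP sent to peer, nothing received back"
        elif b["in"] and not b["out"]:
            report[peer] = "one-way: ESP received from peer, nothing sent"
        elif not b["out"] and not b["in"]:
            report[peer] = "idle: SAs are mature but have carried no traffic"
        else:
            report[peer] = "ok: ESP flows in both directions"
    return report

def check_spd(conf):
    """Flag every spdadd policy whose mirror image (selectors swapped, direction
    flipped, tunnel endpoints swapped) is missing from the configuration."""
    policies = {(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5))
                for m in SPDADD.finditer(conf)}
    problems = []
    for src, dst, direction, t_src, t_dst in sorted(policies):
        mirror = (dst, src, "in" if direction == "out" else "out", t_dst, t_src)
        if mirror not in policies:
            problems.append(f"{direction} policy {src} -> {dst}: no mirrored "
                            f"{mirror[2]} policy {dst} -> {src}")
    return problems

if __name__ == "__main__":
    for peer, verdict in tunnel_report(parse_setkey_d(SETKEY_D_SAMPLE), "187.yyy.yyy.yyy").items():
        print(f"{peer}: {verdict}")
    for problem in check_spd(IPSEC_CONF_SAMPLE):
        print("SPD:", problem)
```

On a live gateway, feed it `setkey -D` output and the real ipsec.conf instead of the embedded samples. A "one-way: ESP sent" verdict with mature SAs on both sides means phase 1 and phase 2 succeeded and the problem is on the return path, not in the key exchange; the two things worth checking first are that the peer's policy accepts the same selector pair racoon proposed (0.0.0.0/0 against each /24 here) and that the peer has a route back to the source address the gateway actually puts on the packets.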