Hi, I've been having some fun with IPSEC, owing to the need to put in a VPN between two offices. At the far end, they've got a PIX, and I was pretty sure I could do this end with one of our FreeBSD boxen. As an experiment, I set up IPSEC (with keying provided by Racoon) between my (Linux) desktop and that FreeBSD machine. That worked Just Fine.
The problem comes in when I look at upgrading said BSD system, because it's running 5.0 (which doesn't get security patches any more). I installed a 5.2.1 system onto another box and tried setting up IPSEC with that. If I use fixed keys, it just goes, but I want to use IKE. I set up Racoon, copied the configuration files from the 5.0 system (just changing the IP addresses, where necessary, in /etc/ipsec.conf and /usr/local/etc/racoon/psk.txt - I'm using "remote anonymous" and "sainfo anonymous" for the policy side), and it all falls apart.

Racoon on the FreeBSD box is seeing the requests from the Linux box, and is even trying to reply (it finds the PSK fine, and has matching policies... I just didn't want to send a 200kB message to the list):

2004-04-08 13:03:22: DEBUG: isakmp.c:233:isakmp_handler(): ===
2004-04-08 13:03:22: DEBUG: isakmp.c:234:isakmp_handler(): 248 bytes message received from 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: plog.c:193:plogdump():
f0d2ae69 5ade7e65 00000000 00000000 01100400 00000000 000000f8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0708
80010003 800e0080 80030001 80020002 80040002 0a000084 90b40fd2 73a3bde7
0acda739 d25f5e4f 2de19c28 8706b90e 003124a8 a79f623a 2e8b4e87 0f530078
a764c19f da248b1a 7ca14ee2 d69eea3e 704ae549 ba5bf17c e500f3b4 d6d276a1
2d28113d 15126a7c d5c88dae 51677cc0 a9163f94 ab85e40c 07018d52 5a26e94e
bb907a98 60a2ce4e d650041e 7ba4f24b 8d04162f ecadc334 05000014 e8b263da
7af58acd 53483a50 a1eeac28 0000000c 011101f4 c0a8400b
2004-04-08 13:03:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.64.57[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.64.57[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 292 bytes message will be sent to 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: plog.c:193:plogdump():
f0d2ae69 5ade7e65 3985e317 abd11318 01100400 00000000 00000124 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0708
80010003 800e0080 80030001 80020002 80040002 0a000084 9768f72c 8fde3908
8d3be8f3 40dc9a91 7b325db4 c01b86d1 716c9204 00f8de18 889d4e17 b3bafb06
e78464e7 3069fdb7 205a1b00 ffc2723e 71041732 aac71674 e7a912bc 100e8085
d76a68c3 b37b726e eda22ef9 970816fa 74ada197 f75ea520 0c07ccc9 6e5d0f18
02f62bc1 09b04085 e96e14ec d1cb304b 1debaa26 c419177d 05000014 9cd6bc28
574b425c 3b81d9ba 9e82df8c 0800000c 011101f4 c0a84039 0d000018 114f7a51
920f11e0 a2615a22 2ba6d7c2 5fdbfedc 00000014 7003cbc1 097dbe9c 2600ba69
83bc8b35
2004-04-08 13:03:22: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 192.168.64.11[500].

The problem is that the reply packet never gets onto the wire - tcpdump on the FreeBSD box shows absolutely nothing going back out again. My firewall configuration is "open":

gaspra: ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

I just installed Racoon from ports this morning, so that's recent, at least: /usr/ports/distfiles/racoon-20040401a.tar.gz

Is there another part of this brick wall I should be bashing my head against? Can anyone enlighten me, or is there perhaps a better place to ask questions about the KAME side of things?

Many thanks
Richard
--
Richard Stevenson
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
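An added example, not part of the post and not racoon's code: a small decoder for the two ISAKMP packets in the debug output above. The hex is copied verbatim from the plogdump() lines; the parser checks the header length against the bytes on the wire, walks the payload chain, and decodes the phase 1 proposal and the ID payloads. This is the quick sanity check to do on a peer's IKE traffic before chasing a packet through the stack: it tells you the exchange type, which identity the peer is presenting, and whether the responder's reply was fully formed. The packet bytes are the post's; the decoder and its tables (RFC 2409 Appendix A values, only the ones needed here) are mine.

```python
"""ISAKMP (IKEv1) header/payload decoder. Added example, not racoon code; the
hex dumps are copied from the racoon plogdump() lines in the post above."""
import struct
from ipaddress import IPv4Address

# 248-byte packet racoon logged as received from 192.168.64.11[500]
RECEIVED_HEX = """
f0d2ae69 5ade7e65 00000000 00000000 01100400 00000000 000000f8 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0708
80010003 800e0080 80030001 80020002 80040002 0a000084 90b40fd2 73a3bde7
0acda739 d25f5e4f 2de19c28 8706b90e 003124a8 a79f623a 2e8b4e87 0f530078
a764c19f da248b1a 7ca14ee2 d69eea3e 704ae549 ba5bf17c e500f3b4 d6d276a1
2d28113d 15126a7c d5c88dae 51677cc0 a9163f94 ab85e40c 07018d52 5a26e94e
bb907a98 60a2ce4e d650041e 7ba4f24b 8d04162f ecadc334 05000014 e8b263da
7af58acd 53483a50 a1eeac28 0000000c 011101f4 c0a8400b
"""
# 292-byte reply racoon logged as "will be sent to 192.168.64.11[500]"
SENT_HEX = """
f0d2ae69 5ade7e65 3985e317 abd11318 01100400 00000000 00000124 04000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c0708
80010003 800e0080 80030001 80020002 80040002 0a000084 9768f72c 8fde3908
8d3be8f3 40dc9a91 7b325db4 c01b86d1 716c9204 00f8de18 889d4e17 b3bafb06
e78464e7 3069fdb7 205a1b00 ffc2723e 71041732 aac71674 e7a912bc 100e8085
d76a68c3 b37b726e eda22ef9 970816fa 74ada197 f75ea520 0c07ccc9 6e5d0f18
02f62bc1 09b04085 e96e14ec d1cb304b 1debaa26 c419177d 05000014 9cd6bc28
574b425c 3b81d9ba 9e82df8c 0800000c 011101f4 c0a84039 0d000018 114f7a51
920f11e0 a2615a22 2ba6d7c2 5fdbfedc 00000014 7003cbc1 097dbe9c 2600ba69
83bc8b35
"""

EXCHANGE = {1: "Base", 2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
# Phase 1 transform attribute classes/values from RFC 2409 Appendix A (subset).
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
        11: "life_type", 12: "life_duration", 14: "key_length"}
VALUE = {1: {1: "DES-CBC", 3: "Blowfish-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
         2: {1: "MD5", 2: "SHA1"}, 3: {1: "pre-shared-key", 3: "RSA-signature"},
         4: {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536"},
         11: {1: "seconds", 2: "kilobytes"}}


def sa_attributes(body):
    """Attributes of the first transform of the first proposal in an SA payload body."""
    # body = DOI(4) situation(4) proposal hdr(8) SPI(spi_size) transform hdr(8) attrs...
    off = 16 + body[14]                      # body[14] is the proposal's SPI size
    tlen = struct.unpack("!H", body[off + 2:off + 4])[0]
    end, off, attrs = off + tlen, off + 8, {}
    while off < end:
        af_type, val = struct.unpack("!HH", body[off:off + 4])
        if af_type & 0x8000:                 # TV form: the 2-byte value follows
            off += 4
        else:                                # TLV form: 'val' is the value length
            val, off = int.from_bytes(body[off + 4:off + 4 + val], "big"), off + 4 + val
        kind = af_type & 0x7FFF
        attrs[ATTR.get(kind, f"attr{kind}")] = VALUE.get(kind, {}).get(val, val)
    return attrs


def parse_isakmp(pkt):
    """Parse the fixed ISAKMP header and walk the payload chain, checking every length."""
    if len(pkt) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    icky, rcky, ptype, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, got {len(pkt)} on the wire")
    info = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, str(exch)),
            "flags": flags, "message_id": msgid, "length": length, "payloads": []}
    off = 28
    while ptype != 0:                        # generic payload header: next(1) res(1) len(2)
        if off + 4 > len(pkt):
            raise ValueError(f"truncated payload header at offset {off}")
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(ptype, str(ptype)), "length": plen}
        if ptype == 1:
            entry["proposal"] = sa_attributes(body)
        elif ptype == 5 and len(body) >= 8 and body[0] == 1:   # ID_IPV4_ADDR
            proto, port = struct.unpack("!BH", body[1:4])        # type(1) proto(1) port(2) addr(4)
            entry["id"] = f"{IPv4Address(body[4:8])} proto={proto} port={port}"
        info["payloads"].append(entry)
        off, ptype = off + plen, nxt
    if off != len(pkt):
        raise ValueError(f"{len(pkt) - off} trailing bytes after the last payload")
    return info


def from_plogdump(text):
    """Turn racoon's space-separated hex words back into bytes."""
    return bytes.fromhex("".join(text.split()))


if __name__ == "__main__":
    for label, dump in (("received", RECEIVED_HEX), ("reply", SENT_HEX)):
        info = parse_isakmp(from_plogdump(dump))
        chain = " ".join(p["type"] for p in info["payloads"])
        print(f"{label}: {info['length']}B {info['exchange']} rcookie={info['responder_cookie']} [{chain}]")
        print("  proposal:", info["payloads"][0].get("proposal"))
```

Run as-is it shows that both packets are exchange type 4 (aggressive mode) with a Blowfish-CBC/SHA1/PSK/MODP-1024 proposal: the received one is the initiator's first message (zero responder cookie, SA KE NONCE ID, ID 192.168.64.11), and the reply is a complete second message (responder cookie filled in, SA KE NONCE ID HASH VID, ID 192.168.64.57) whose lengths agree with the 248 and 292 bytes racoon logged. A malformed length anywhere in the chain raises instead of silently parsing, which is the behaviour you want from anything that reads untrusted IKE bytes.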