Hello,
I'm trying to set up a tunnel between two laptops running 5.2-CURRENT, connected with crossed cable, that have 192.168.1.1 and 192.168.1.2 addresses respectively.
Here's how I configured the boxes:
[kernel on both]: options IPSEC options IPSEC_ESP options IPSEC_DEBUG
[rc.conf on both]: ipsec_enable="YES"
[/etc/ipsec.conf on 192.168.1.1]:
flush;
spdflush;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
[/etc/ipsec.conf on 192.168.1.2]:
flush;
spdflush;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
I also installed the latest version of racoon from ports. Here's how the configuration files look like:
[psk.txt on 192.168.1.1]: 192.168.1.2 mypassword
[psk.txt on 192.168.1.2]: 192.168.1.1 mypassword
[racoon.conf on both]:
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
#log debug;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 192.168.1.1 [500]; # 192.168.1.2 on the second box
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address 192.168.1.1; # 192.168.1.2 on 2nd box
peers_identifier address 192.168.1.2; # 192.168.1.1 on 2nd box
nonce_size 16;
lifetime time 24 hour; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 12 hour;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}I run setkey -f /etc/ipsec.conf and start racoon -F -v on each box, and try to ping one box from another. And that's where I'm stuck:
on 192.168.1.1:
# racoon -F -v
Foreground mode.
2004-05-18 18:36:43: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-05-18 18:36:43: INFO: main.c:174:main(): @(#)internal version 20001216 [EMAIL PROTECTED]
2004-05-18 18:36:43: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted. use "support_proxy".
2004-05-18 18:36:43: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp port (fd=5)
2004-05-18 18:36:53: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.2[500]
2004-05-18 18:36:53: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
2004-05-18 18:36:53: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.168.1.1[500]-192.168.1.2[500] spi:c112917078329613:62ce70ffe54cfcda
2004-05-18 18:36:53: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.2[0]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no policy found: 0.0.0.0/0[0] 192.168.1.1/32[0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
I'd appreciate any pointers. Thanks in advance.
-Radek _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
