Hello,

I'm trying to set up a tunnel between two laptops running 5.2-CURRENT, connected with crossed cable, that have 192.168.1.1 and 192.168.1.2 addresses respectively.

Here's how I configured the boxes:

[kernel on both]:
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

[rc.conf on both]:
ipsec_enable="YES"

[/etc/ipsec.conf on 192.168.1.1]:
flush;
spdflush;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;


[/etc/ipsec.conf on 192.168.1.2]:
flush;
spdflush;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;


I also installed the latest version of racoon from ports. Here's how the configuration files look:

[psk.txt on 192.168.1.1]:
192.168.1.2     mypassword

[psk.txt on 192.168.1.2]:
192.168.1.1     mypassword

[racoon.conf on both]:
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
#log debug;
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
listen
{
        isakmp 192.168.1.1 [500]; # 192.168.1.2 on the second box
}
timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 192.168.1.1; # 192.168.1.2 on 2nd box
        peers_identifier address 192.168.1.2; # 192.168.1.1 on 2nd box
        nonce_size 16;
        lifetime time 24 hour;  # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
sainfo anonymous
{
        pfs_group 1;
        lifetime time 12 hour;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


I run setkey -f /etc/ipsec.conf and start racoon -F -v on each box, and try to ping one box from another. And that's where I'm stuck:


on 192.168.1.1:

# racoon -F -v
Foreground mode.
2004-05-18 18:36:43: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-05-18 18:36:43: INFO: main.c:174:main(): @(#)internal version 20001216 [EMAIL PROTECTED]
2004-05-18 18:36:43: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted. use "support_proxy".
2004-05-18 18:36:43: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp port (fd=5)
2004-05-18 18:36:53: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.2[500]
2004-05-18 18:36:53: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
2004-05-18 18:36:53: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.168.1.1[500]-192.168.1.2[500] spi:c112917078329613:62ce70ffe54cfcda
2004-05-18 18:36:53: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.2[0]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no policy found: 0.0.0.0/0[0] 192.168.1.1/32[0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.


I'd appreciate any pointers. Thanks in advance.

-Radek
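Editor's added example, not part of Radek's post and not code from racoon or setkey. racoon acting as the phase 2 responder looks for an inbound SPD entry whose selectors equal the ones the initiator proposes, and the initiator takes those selectors from its own outbound policy. So the pair of ipsec.conf files only works when each host's `out` policy reappears on the peer as an identical `in` policy (same src, dst, protocol and tunnel endpoints). The script below parses `spdadd` lines from both files, checks that property, and reproduces the "no policy found" line from the log above for the posted configuration; the `FIXED_CONF` pair with host-to-host /32 selectors is a suggested replacement, not something from the post.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed copies of the two /etc/ipsec.conf files quoted in the post.
IPSEC_CONF = {
    "192.168.1.1": """
flush;
spdflush;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
""",
    "192.168.1.2": """
flush;
spdflush;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
""",
}

# Suggested replacement (editor's assumption, not from the post): host-to-host
# selectors, so each host's out policy is exactly the peer's in policy.
FIXED_CONF = {
    "192.168.1.1": """
flush;
spdflush;
spdadd 192.168.1.1/32 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 192.168.1.2/32 192.168.1.1/32 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
""",
    "192.168.1.2": """
flush;
spdflush;
spdadd 192.168.1.2/32 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 192.168.1.1/32 192.168.1.2/32 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
""",
}


class Policy(NamedTuple):
    src: str        # inner packet source selector
    dst: str        # inner packet destination selector
    proto: str      # upper-layer protocol selector ("any" here)
    direction: str  # "in" or "out"
    tunnel: str     # outer addresses as "local-remote" for out, "remote-local" for in
    level: str      # require / use / default


# Only ESP tunnel-mode policies are handled, which is all the post uses.
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+?)/(\S+?)\s*;\s*$"
)


def parse_spd(text: str) -> List[Policy]:
    """Extract spdadd policies from an ipsec.conf-style text; other lines are ignored."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if m:
            policies.append(Policy(*m.groups()))
    return policies


def check_mirroring(confs: Dict[str, str]) -> List[str]:
    """Return one message per out policy that the tunnel peer has no identical in policy for.

    The remote tunnel endpoint names the peer; the peer must hold the same policy
    with direction flipped to 'in', otherwise racoon on the peer rejects the
    initiator's phase 2 proposal with the 'no policy found' error seen in the log.
    """
    spd = {host: parse_spd(text) for host, text in confs.items()}
    problems = []
    for host, policies in spd.items():
        for p in policies:
            if p.direction != "out":
                continue
            peer = p.tunnel.split("-")[1]
            expected = p._replace(direction="in")
            if expected not in spd.get(peer, []):
                problems.append(
                    f"{host} out {p.src}->{p.dst} via {p.tunnel}: {peer} has no matching "
                    f"in policy; racoon on {peer} would log "
                    f"'no policy found: {p.src}[0] {p.dst}[0] proto={p.proto} dir=in'"
                )
    return problems


if __name__ == "__main__":
    for name, confs in (("posted", IPSEC_CONF), ("fixed", FIXED_CONF)):
        print(f"[{name}]")
        for msg in check_mirroring(confs) or ["all out policies are mirrored"]:
            print("  " + msg)
```

Run against the posted pair the checker reports both directions as unmirrored, and the second message is the exact selector pair racoon printed on 192.168.1.1 (`0.0.0.0/0[0] 192.168.1.1/32[0] proto=any dir=in`), because 192.168.1.2's out policy is `0.0.0.0/0 -> 192.168.1.1/32` while 192.168.1.1's only in policy is `192.168.1.2/32 -> 0.0.0.0/0`. The fixed pair produces no findings.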
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"