Hello,
I'm trying to set up a tunnel between two laptops running 5.2-CURRENT, connected with crossed cable, that have 192.168.1.1 and 192.168.1.2 addresses respectively.
Here's how I configured the boxes:
[kernel on both]: options IPSEC options IPSEC_ESP options IPSEC_DEBUG
[rc.conf on both]: ipsec_enable="YES"
[/etc/ipsec.conf on 192.168.1.1]:
flush;
spdflush;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
[/etc/ipsec.conf on 192.168.1.2]:
flush;
spdflush;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
I also installed the latest version of racoon from ports. Here's how the configuration files look like:
[psk.txt on 192.168.1.1]: 192.168.1.2 mypassword
[psk.txt on 192.168.1.2]: 192.168.1.1 mypassword
[racoon.conf on both]: path include "/usr/local/etc/racoon" ; path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; path certificate "/usr/local/etc/cert" ; #log debug; padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } listen { isakmp 192.168.1.1 [500]; # 192.168.1.2 on the second box } timer { counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. phase1 30 sec; phase2 15 sec; } remote anonymous { exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier address 192.168.1.1; # 192.168.1.2 on 2nd box peers_identifier address 192.168.1.2; # 192.168.1.1 on 2nd box nonce_size 16; lifetime time 24 hour; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } sainfo anonymous { pfs_group 1; lifetime time 12 hour; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; }
I run setkey -f /etc/ipsec.conf and start racoon -F -v on each box, and try to ping one box from another. And that's where I'm stuck:
on 192.168.1.1:
# racoon -F -v
Foreground mode.
2004-05-18 18:36:43: INFO: main.c:172:main(): @(#)package version freebsd-20040408a
2004-05-18 18:36:43: INFO: main.c:174:main(): @(#)internal version 20001216 [EMAIL PROTECTED]
2004-05-18 18:36:43: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted. use "support_proxy".
2004-05-18 18:36:43: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp port (fd=5)
2004-05-18 18:36:53: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.2[500]
2004-05-18 18:36:53: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
2004-05-18 18:36:53: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.168.1.1[500]-192.168.1.2[500] spi:c112917078329613:62ce70ffe54cfcda
2004-05-18 18:36:53: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.2[0]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no policy found: 0.0.0.0/0[0] 192.168.1.1/32[0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
I'd appreciate any pointers. Thanks in advance.
-Radek _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"