IPsec with racoon2

Fri, 05 May 2006 05:20:28 -0700 

Hi,
I'm trying to get IPsec running between 2 FreeBSD (VMware) boxes, using racoon2. spmd and iked start up okay, but I get an error when I try a ping across the tunnel. 
/var/log/messages shows:
May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: if_spmd.c:726: SLID failed: 550 Operation failed May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: isakmp.c:647:isakmp_initiate_cont(): 0:172.20.36.55[0] - 172.20.36.52[0]:0x0:can't find selector (index (null)) 



2006-05-05 13:53:54 [INFO]: main.c:269:main(): starting iked for racoon2 
20051102a

2006-05-05 13:53:54 [INFO]: main.c:272:main(): OPENSSLDIR: "/etc/ssl"

2006-05-05 13:53:54 [INFO]: main.c:282:main(): reading config 
/usr/local/etc/racoon2.conf
2006-05-05 13:53:54 [DEBUG]: 
ike_conf.c:3247:ike_conf_check_consistency(): checking configuration
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:350: spmd I/F connection ok: 220 
F8A......76C2B9
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3306: 
spmd_read_password_file([/usr/local/etc/racoon2/spmd.pwd], 
[cfsetup.c:3376], 1)

2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3351: read 16 bytes
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:413: spmd LOGIN ok: 250 OK

2006-05-05 13:53:54 [INFO]: isakmp.c:339:isakmp_open(): socket 5 bind 
172.20.36.55[500]



Heres my network: (Running under vmware on Linux) The host has 2 network 
cards and they're functional from vmware.


ifconfig_lnc0="inet 172.20.36.55 netmask 0xfffff800"
ifconfig_lnc1="inet 192.168.4.1 netmask 0xffffff00"

#     _______________________                 _______________________
#    / Ext IP A.B.C.D        \    tunnel     / Ext IP W.X.Y.Z        \
# ---| Int IP 192.168.1.1/24 |===============| Int IP 192.168.4.1/24 |---
#    \_______________________/               \_______________________/
# For host "A.B.C.D"
# gif_interfaces="gif0"
# gifconfig_gif0="A.B.C.D W.X.Y.Z"
# ifconfig_gif0="inet 192.168.1.1 192.168.4.1 netmask 0xffffffff"
# static_routes="vpn"
# route_vpn="-net 192.168.4.0/24 192.168.4.1"

gif_interfaces="gif0"
gifconfig_gif0="172.20.36.55 172.20.36.52"
ifconfig_gif0="inet 192.168.4.1 192.168.1.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 192.168.1.1"


Without IPsec running, I can ping the remote interfaces 192.168.[14].1 
both ways


My racoon2.conf looks like:

setval {
       PSKDIR  "/usr/local/etc/racoon2/psk";
       CERTDIR "/usr/local/etc/racoon2/cert";
};

# interface info
interface
{
       ike {
               MY_IPV4%lnc0;
       };
       spmd {
               unix "/var/run/racoon/spmif";
       };
       spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};

# resolver info
resolver
{
       resolver off;
};

#
# default section
#
default
{
       remote {
               ikev2 {
                       logmode normal;
                       kmp_sa_lifetime_time infinite;
                       kmp_sa_lifetime_byte infinite;
                       max_retry_to_send 3;
                       interval_to_send 10 sec;
                       times_per_send 1;
                       kmp_sa_nego_time_limit 60 sec;
                       ipsec_sa_nego_time_limit 40 sec;
                       kmp_enc_alg { aes256_cbc; 3des_cbc; };
                       kmp_hash_alg { hmac_sha1; hmac_md5; aes_xcbc; };
                       kmp_auth_method { dss; };
                       kmp_dh_group { 1; 2; 5; 14; 15; };
                       random_pad_content on;
                       random_padlen on;
                       max_padlen 50 bytes;
               };
       };

       policy {
               ipsec_mode tunnel;
               ipsec_level unique; # Not Yet Implemented, always 'unique'
       };

       ipsec {
               ipsec_sa_lifetime_time infinite;
               ipsec_sa_lifetime_byte infinite;
       };

       sa {
               esp_enc_alg { aes128_cbc; 3des_cbc; };
               esp_auth_alg { hmac_sha1; hmac_md5; };
       };
};
ipsec ipsec_ah_esp {
       ipsec_sa_lifetime_time 28800 sec;
       sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
       ipsec_sa_lifetime_time 28800 sec;
       sa_index esp_01;
};
sa ah_01 {
       sa_protocol ah;
       ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
       sa_protocol esp;
       esp_enc_alg { aes128_cbc; 3des_cbc; };
       esp_auth_alg { hmac_sha1; hmac_md5; };
};

# biosa-vm1.ch.genedata.com
remote biosa-vm1.nowhere.com {
       acceptable_kmp { ikev2; };
       ikev2 {
               my_id fqdn "biosa-vm4.nowhere.com";
               peers_id fqdn "biosa-vm1.nowhere.com";
               peers_ipaddr 172.20.36.52 port 500;
               kmp_enc_alg { aes256_cbc; aes192_cbc; 3des_cbc; };
               kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
               kmp_hash_alg { hmac_md5; hmac_sha1; aes_xcbc; };
               kmp_dh_group { 5; };
               kmp_auth_method { psk; };
               pre_shared_key "${PSKDIR}/secret.psk";
       };
       selector_index 42;
};
selector 41 {
       direction outbound;
       src 172.20.36.55;
       dst 172.20.36.52;
       upper_layer_protocol "tcp";
       policy_index TUNNEL;
};
selector 42 {
       direction inbound;
       dst 172.20.36.52;
       src 172.20.36.55;
       upper_layer_protocol "tcp";
       policy_index TUNNEL;
};
policy TUNNEL {
       action auto_ipsec;
       remote_index biosa-vm1.nowhere.com;
       ipsec_mode tunnel;
       ipsec_index { ipsec_esp; };
       ipsec_level unique;
       peers_sa_ipaddr 172.20.36.52;
       my_sa_ipaddr 172.20.36.55;
};

Anyone got any idea what I'm doing wrong?

Thanks in advance
John Ryan


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"














    











					Reply via email to