I've got a problem configuring IPSEC tunnel with racoon and setkey.

a.b.c.1 - LAN - a.b.c.254 <- IPSEC -> w.x.y.254 - LAN - w.x.y.1

w.x.y.254 - CISCO.
a.b.c.254 - FreeBSD 5.0
a.b.c.1 - Windows
w.x.y.1 - Windows
a.b.c.253 - gateway to internet


path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

log debug;

        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.

        isakmp a.b.c.254 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.

        counter 5;              # maximum trying count to send.
        interval 60 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 60 sec;
        phase2 35 sec;

remote anonymous
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        nonce_size 16;
        lifetime time 86400 sec;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;

sainfo anonymous
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;

freebsd# cat /root/ipsec-conf.sh

ifn=`ifconfig gif create`
ifconfig ${ifn} tunnel a.b.c.254 w.x.y.254
ifconfig ${ifn} inet a.b.c.1 w.x.y.1

setkey -FP
setkey -F

setkey -c << EOF
spdadd a.b.c.1/32 w.x.y.1/32 any -P out ipsec
spdadd w.x.y.1/32 a.b.c.1/32 any -P in  ipsec

After running racoon and ipsec-conf.sh script i've got:
freebsd# ifconfig -a
ed1: a.b.c.254 netmask
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet a.b.c.254 --> w.x.y.254
        inet a.b.c.1 --> w.x.y.1 netmask 0xffffff00

Why such netmask? I want to have tunnel beetwen a.b.c.1 and w.x.y.1 only...

freebsd# netstat -rn
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            a.b.c.253          UGSc        0        5    ed1          UH          0        0    lo0
w.x.y.1            a.b.c.1            UH          0        0   gif0
                   ^^^^^^^ why such gateway?

then from a.b.c.1 i try to ping w.x.y.1. a.b.c.254 and w.x.y.254
establish IPSEC tunnel but no packets go through IPSEC connection,
making tcpdump -i gif0 shows nothing.

Of course on a.b.c.1 i've set up routing for w.x.y.1 through a.b.c.254...


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to