Hi all, I know, it must be somewhat in all men's mouths, at least, I got lots of results when googling for it, however, I am very out of luck in getting this to run.
As I'm now able to setup a fake class C network on a real
internet server, I'd now like to let this be the VPN server
on this fake network: 192.168.42.1/24.
I've been playing with ipsec-tools for quite some time now,
so I basically know how to use it in at least its
transport mode.
However, I want dynamic-IP clients to connect via an IPsec
VPN to this fake network I've created on the public server.
For this, I've done the following on the server:
THIS is the /etc/ipsec.conf file on SERVER:
#! /usr/sbin/setkey -f
flush;
spdflush;
THIS is the /etc/racoon/racoon.conf file on SERVER:
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier fqdn "server.fq.dn";
generate_policy on;
passive on;
lifetime time 2 minute; # (sec,min,hour)
initial_contact on;
proposal_check obey; # (obey, strict, claim)
proposal {
encryption_algorithm rijndael;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 2 minute;
encryption_algorithm rijndael, 3des, blowfish 448, twofish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
THIS is the respective /etc/racoon/psk.txt on SERVER:
client.fq.dn "secret-X"
Now I'm supposed to perform /etc/init.d/racoon start;
The client side is said to be called "road warrior" because
their public IP is subject to change on each and every time
they dial up.
There now shall be a way to setup the client (via racoon) as
automatically as possible, however, *HOW* do I have to do this?
The CLIENT at least requires the following /etc/racoon/psk.txt:
server.fq.dn "secret-X"
The /etc/ipsec.conf - I guess - shall be somewhat empty, as
my local's public IP address is somewhat unknown, however,
the remote's (VPN server's) public is known.
So, the CLIENT's /etc/ipsec.conf *could* look like:
spdadd 0.0.0.0/0 1.2.3.4 any -P out ipsec
esp/tunnel/192.168.2.22-192.168.42.22/require
ah/tunnel/192.168.2.22-192.168.42.22/require;
spdadd 1.2.3.4 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.42.22-192.168.2.22/require
ah/tunnel/192.168.42.22-192.168.2.22/require;
Well, I did not find *any* tutorial showing me a tunnel example
for ESP *and* AH - in fact, they only provided examples for
ESP-only (but I wanna use AH - for authentication - as well).
As hopefully mentioned clearly above:
the CLIENT's LAN is 192.168.2.22/24 with the goal to have
the 192.168.42.22 IP within the IPsec-ified VPN's fake network,
and it wants to connect to the SERVER having the public IP 1.2.3.4.
But when starting racoon on the client side as well, and trying to ping the
server's fake VPN IP (192.168.42.1), I just get timeouts, and moreover I'm
not able to speak to the server's public IP either.
Please, can someone help me find a way through this and/or provide me with
useful links I *obviously* did not find?
Thanks in advance,
Christian Parpart.
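Added example, not part of the post above: a small POSIX shell helper that builds the road-warrior client's setkey SPD for an ESP+AH tunnel. In setkey's SPD syntax the addresses in the spdadd selector are the inner (original packet) addresses, while the addresses in esp/tunnel/A-B and ah/tunnel/A-B are the outer tunnel end-points, i.e. the client's public IP and the server's public IP. Because the client's public IP changes on every dial-up, the policy is generated from the current address rather than written once. The server public IP 1.2.3.4, VPN network 192.168.42.0/24 and client VPN address 192.168.42.22 are taken from the post; the client public IP 203.0.113.7 in the usage comment is a constructed placeholder, and the "ip route get" discovery assumes iproute2.

```shell
#!/bin/sh
# Added example (not from the original post): generate the client's setkey
# SPD for an ESP+AH tunnel. Outer (public) addresses are the tunnel
# end-points, inner (VPN) addresses are the selectors.

# Print a complete setkey script for the client.
# $1 client public IP (dynamic), $2 server public IP,
# $3 client VPN address, $4 VPN network in CIDR notation.
spd_policy() {
    client_pub=$1; server_pub=$2; client_vpn=$3; vpn_net=$4
    printf '%s\n' "flush;" "spdflush;"
    # Outbound: traffic from our VPN address to the VPN network is tunnelled
    # with ESP and AH between our public IP and the server's public IP.
    printf 'spdadd %s/32 %s any -P out ipsec\n' "$client_vpn" "$vpn_net"
    printf '    esp/tunnel/%s-%s/require\n' "$client_pub" "$server_pub"
    printf '    ah/tunnel/%s-%s/require;\n' "$client_pub" "$server_pub"
    # Inbound: the mirror image, with selector and end-points swapped.
    printf 'spdadd %s %s/32 any -P in ipsec\n' "$vpn_net" "$client_vpn"
    printf '    esp/tunnel/%s-%s/require\n' "$server_pub" "$client_pub"
    printf '    ah/tunnel/%s-%s/require;\n' "$server_pub" "$client_pub"
}

# Discover the local address the kernel would use to reach the server
# (assumes iproute2; the "src" field of "ip route get").
client_public_ip() {
    ip -4 route get "$1" | sed -n 's/.*src \([0-9.]*\).*/\1/p' | head -n 1
}

# Sanity check on a generated policy: two spdadd statements, each carrying
# both an ESP and an AH tunnel specification. Returns 0 when it looks right.
check_policy() {
    policy=$1
    [ "$(printf '%s\n' "$policy" | grep -c '^spdadd')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$policy" | grep -c 'esp/tunnel/')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$policy" | grep -c 'ah/tunnel/.*;$')" -eq 2 ] || return 1
    return 0
}

# Load the policy into the kernel; run from the dial-up hook so the SPD is
# rebuilt every time the public address changes (requires root).
apply_policy() {
    server_pub=$1; client_vpn=$2; vpn_net=$3
    client_pub=$(client_public_ip "$server_pub")
    [ -n "$client_pub" ] || { echo "no route to $server_pub" >&2; return 1; }
    policy=$(spd_policy "$client_pub" "$server_pub" "$client_vpn" "$vpn_net")
    check_policy "$policy" || return 1
    printf '%s\n' "$policy" | setkey -c
}

# Usage (placeholder client public IP 203.0.113.7, constructed for illustration):
#   spd_policy 203.0.113.7 1.2.3.4 192.168.42.22 192.168.42.0/24
#   apply_policy 1.2.3.4 192.168.42.22 192.168.42.0/24
```

With generate_policy on and passive on in the server's racoon.conf, racoon on the server installs its SPD entries from the client's phase 2 proposal, so only the client side needs the spdadd lines; the client's racoon.conf then needs a remote section for 1.2.3.4 whose my_identifier is the FQDN listed in the server's psk.txt, otherwise the pre-shared key lookup will not match.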