Hello,

I've been trying for two days now to establish an IPSEC TUNNEL between two hosts. The tunnel is established but I can't ping through the tunnel. I don't really understand what's wrong.

If someone could help me it would be really nice ;)

Here is all of the information:

Schema
-------

[DUMMY]
(81.246.56.70)
x
|
x
(81.246.56.69)
[###IPSEC1###]
(172.22.150.1)
x
|
x
(172.22.254.254)
[MAIN GATEWAY]
(192.168.63.254)
x
|
x
(192.168.63.100)
[###IPSEC2###]
(192.168.80.1)

The tunnel is established but I can't ping from dummy to ipsec2 (192.168.80.1)


SERVER1 : ipsec1
----------------
eth0 : 172.22.150.1
eth1 : 81.246.56.69

SERVER2 : ipsec2
----------------
eth0 : 192.168.63.100
eth1 : 192.168.80.1

SERVER3 : dummy
---------------
eth0 : 81.246.56.70
default gateway : ipsec1 (81.246.56.69)


ipsec-tools.conf on SERVER1
---------------------------

#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 81.246.56.64/27 192.168.80.0/24 any -P out ipsec
           esp/tunnel/172.22.150.1-192.168.63.100/require;

spdadd 192.168.80.0/24 81.246.56.64/27 any -P in ipsec
           esp/tunnel/192.168.63.100-172.22.150.1/require;


racoon.conf on SERVER1
----------------------

path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.63.100 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 81.246.56.64/27 any address 192.168.80.0/24 any {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

routes on SERVER1
-----------------
$ ip route
81.246.56.64/27 dev eth1  proto kernel  scope link  src 81.246.56.69
192.168.80.0/24 via 172.22.150.1 dev eth0  src 172.22.150.1
172.22.0.0/16 dev eth0  proto kernel  scope link  src 172.22.150.1
default via 172.22.254.254 dev eth0


ipsec-tools.conf on SERVER2
---------------------------

#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.80.0/24 81.246.56.64/27 any -P out ipsec
           esp/tunnel/192.168.63.100-172.22.150.1/require;

spdadd 81.246.56.64/27 192.168.80.0/24 any -P in ipsec
           esp/tunnel/172.22.150.1-192.168.63.100/require;


racoon.conf on SERVER2
----------------------

path pre_shared_key "/etc/racoon/psk.txt";

remote 172.22.150.1 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.80.0/24 any address 81.246.56.64/27 any {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

routes on SERVER2
-----------------
$ ip route
81.246.56.64/27 via 192.168.63.100 dev eth0  src 192.168.63.100
192.168.80.0/24 dev eth1  proto kernel  scope link  src 192.168.80.1
192.168.63.0/24 dev eth0  proto kernel  scope link  src 192.168.63.100
default via 192.168.63.254 dev eth0

log on SERVER1
--------------
2011-09-08 10:51:35: DEBUG: get pfkey UPDATE message
2011-09-08 10:51:35: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 192.168.63.100[0]->172.22.150.1[0] spi=132545011(0x7e679f3)
2011-09-08 10:51:35: INFO: IPsec-SA established: ESP/Tunnel 192.168.63.100[0]->172.22.150.1[0] spi=132545011(0x7e679f3)
2011-09-08 10:51:35: DEBUG: ===
2011-09-08 10:51:35: DEBUG: pk_recv: retry[0] recv()
2011-09-08 10:51:35: DEBUG: get pfkey ADD message
2011-09-08 10:51:35: INFO: IPsec-SA established: ESP/Tunnel 172.22.150.1[500]->192.168.63.100[500] spi=168459473(0xa0a7cd1)
2011-09-08 10:51:35: DEBUG: ===

log on SERVER2
--------------
2011-09-08 10:51:34: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 172.22.150.1[0]->192.168.63.100[0] spi=168459473(0xa0a7cd1)
2011-09-08 10:51:34: INFO: IPsec-SA established: ESP/Tunnel 172.22.150.1[0]->192.168.63.100[0] spi=168459473(0xa0a7cd1)
2011-09-08 10:51:34: DEBUG: ===
2011-09-08 10:51:34: DEBUG: pk_recv: retry[0] recv()
2011-09-08 10:51:34: DEBUG: get pfkey ADD message
2011-09-08 10:51:34: INFO: IPsec-SA established: ESP/Tunnel 192.168.63.100[500]->172.22.150.1[500] spi=132545011(0x7e679f3)
2011-09-08 10:51:34: DEBUG: ===
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
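As an added example (my own checker, not part of the original post or of ipsec-tools), the script below parses the two setkey SPD files quoted above and verifies the invariants a tunnel-mode pair must satisfy before anything can flow: each policy on one host must appear on the peer with identical selectors and tunnel endpoints and only the direction flipped, the address in each racoon `remote` block must be the tunnel peer of the outbound policy, and every policy must use level `require` (level `use` would silently let traffic leave in the clear when no SA exists). The policy text is copied from the post; the racoon peer addresses are passed in as arguments.

```python
import re

# Policies copied verbatim from the two ipsec-tools.conf files in the post.
SPD_SERVER1 = """
spdadd 81.246.56.64/27 192.168.80.0/24 any -P out ipsec
           esp/tunnel/172.22.150.1-192.168.63.100/require;
spdadd 192.168.80.0/24 81.246.56.64/27 any -P in ipsec
           esp/tunnel/192.168.63.100-172.22.150.1/require;
"""
SPD_SERVER2 = """
spdadd 192.168.80.0/24 81.246.56.64/27 any -P out ipsec
           esp/tunnel/192.168.63.100-172.22.150.1/require;
spdadd 81.246.56.64/27 192.168.80.0/24 any -P in ipsec
           esp/tunnel/172.22.150.1-192.168.63.100/require;
"""

# One spdadd statement: selectors, direction, ESP tunnel endpoints, level.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """Return a list of dicts, one per spdadd statement in the file text."""
    keys = ("src", "dst", "proto", "dir", "tun_src", "tun_dst", "level")
    return [dict(zip(keys, m.groups())) for m in SPDADD_RE.finditer(text)]

def peer_view(policy):
    """The same traffic as the peer's SPD must describe it: identical
    selectors and tunnel endpoints, only the direction flipped."""
    return dict(policy, dir="in" if policy["dir"] == "out" else "out")

def check_spd_pair(spd_a, spd_b, ike_peer_a, ike_peer_b):
    """Return a list of findings; an empty list means both SPDs are consistent.
    ike_peer_* is the address in each host's racoon 'remote' block."""
    findings = []
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    for name, mine, theirs, ike_peer in (("A", a, b, ike_peer_a), ("B", b, a, ike_peer_b)):
        for p in mine:
            if peer_view(p) not in theirs:
                findings.append(f"{name}: peer lacks matching {peer_view(p)['dir']} policy for "
                                f"{p['src']}->{p['dst']} tunnel {p['tun_src']}-{p['tun_dst']}")
            if p["dir"] == "out" and p["tun_dst"] != ike_peer:
                findings.append(f"{name}: racoon remote {ike_peer} != tunnel peer {p['tun_dst']}")
            if p["level"] != "require":
                findings.append(f"{name}: level '{p['level']}' can let traffic bypass the tunnel")
    return findings

if __name__ == "__main__":
    result = check_spd_pair(SPD_SERVER1, SPD_SERVER2, "192.168.63.100", "172.22.150.1")
    print("\n".join(result) if result else "SPDs consistent")
```

For the configuration in the post the checker reports no findings, so the SPD and IKE peer definitions are not where the problem lies; the next things to verify are IP forwarding on both gateways and whether the main gateway passes ESP (IP protocol 50) between 172.22.150.1 and 192.168.63.100.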