Hi,

> Hello Anne,
>
>> I got it working! :-D
> Nice.
>
>> I thought nothing was logged on the other side but I was mistaken.
There was a mismatch in both phase 1 and phase 2 settings. I corrected it
and now it works.
> Can you send me your working config?

racoon.conf:
I changed remote router ip to 123.456.123.456

path pre_shared_key "/root/.kde/share/apps/kvpnc/psk.NXS.key";

remote 123.456.123.456 {
  exchange_mode main;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}

sainfo address 192.168.20.3 any address 192.168.50.0/24 any {
  encryption_algorithm 3des;
  authentication_algorithm hmac_md5;
  compression_algorithm deflate;
}


setkey.NXS.conf:

spdadd 192.168.20.3 123.456.123.456 any -P out ipsec esp/tunnel/192.168.20.3-123.456.123.456/require;
spdadd 123.456.123.456 192.168.20.3 any -P in ipsec esp/tunnel/123.456.123.456-192.168.20.3/require;
spdadd 192.168.20.3 192.168.50.0/24 any -P out ipsec esp/tunnel/192.168.20.3-123.456.123.456/require;
spdadd 192.168.50.0/24 192.168.20.3 any -P in ipsec esp/tunnel/123.456.123.456-192.168.20.3/require;


>> A few remarks:
>> - can't change 3DES and MD5 in kVpnc (can't find it)
> For what? Racoon supports encryption_algorithm and
> authentication_algorithm.
> I'll implement options selecting it.

The remote router was set to accept SHA1. I had to change it to MD5. When
many (different) clients are used, it would not be a desired situation to
adapt the router settings to the client, so a way to select the protocols
in kVpnc would be nice.


>> - can't change local ID (can't find it)
> I'll add it. Please tell me what you have to set.

The local id on the client should match the remote id set on the router
and vice versa. kVpnc sent my LAN ip address as local id so I changed the
remote id set on the router to the local ip of the client.

>> - can't disconnect. kVpnc says it's not connected but it is. This one is
>> important for me since I'll be switching between tunnels often.
> Can you send me a log?

kvpnc.log:
default interface: eth0
Local IP address: 192.168.20.3
tmppath: /root/.kde/share/apps/kvpnc/
"chmod go-rwx /root/.kde/share/apps/kvpnc/psk.NXS.key" started.
info: Policy successful activated and daemon (NXS) running for server "123.456.123.456" at date Mon Aug 15 21:31:59 2005, profile "racoon" (%4)
debug: "tail -f /root/.kde/share/apps/kvpnc/racoon.NXS.log" started.
out:
info: Not connected.   <--- after clicking on disconnect
info: Not connected.   <--- after clicking on disconnect

racoon.NXS.log:
2005-08-15 21:31:59: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2005-08-15 21:31:59: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-08-15 21:31:59: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2005-08-15 21:31:59: INFO: 127.0.0.1[500] used for NAT-T
2005-08-15 21:31:59: INFO: 192.168.20.3[500] used as isakmp port (fd=6)
2005-08-15 21:31:59: INFO: 192.168.20.3[500] used for NAT-T
2005-08-15 21:31:59: INFO: ::1[500] used as isakmp port (fd=7)
2005-08-15 21:31:59: INFO: fe80::20c:6eff:fef8:ed08%eth0[500] used as isakmp port (fd=8)
2005-08-15 21:34:16: INFO: IPsec-SA request for 123.456.123.456 queued due to no phase1 found.
2005-08-15 21:34:16: INFO: initiate new phase 1 negotiation: 192.168.20.3[500]<=>123.456.123.456[500]
2005-08-15 21:34:16: INFO: begin Identity Protection mode.
2005-08-15 21:34:18: INFO: ISAKMP-SA established 192.168.20.3[500]-123.456.123.456[500] spi:98b817c6d8861461:63c4e57881281d43
2005-08-15 21:34:19: INFO: initiate new phase 2 negotiation: 192.168.20.3[0]<=>123.456.123.456[0]
2005-08-15 21:34:19: WARNING: attribute has been modified.
2005-08-15 21:34:19: INFO: IPsec-SA established: ESP/Tunnel 123.456.123.456->192.168.20.3 spi=25845058(0x18a5d42)
2005-08-15 21:34:19: INFO: IPsec-SA established: ESP/Tunnel 192.168.20.3->123.456.123.456 spi=780431211(0x2e846f6b)


>> How can I manually destroy a tunnel?
> killall racoon
> setkey -PF
> setkey -F

OK, that works. I also added 'iptables -F'. I don't have any other rules
so I can do that...

One more thing:
I'm able to setup a VPN tunnel to both locations I want, but with one of
them there's no traffic. Can't ping anything on the remote side. I don't
think this is a problem on my client however. Tcpdump shows the ICMP
packets are sent. But any hints are welcome.


thanks,
Anne
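An added example, not part of this thread or of kVpnc/racoon: the "Not connected" confusion above comes from the GUI's own state rather than the daemon's, so this script replays racoon's log lines (constructed sample modelled on the racoon.NXS.log excerpt, same placeholder peer address) and reports whether phase 1 and both ESP directions are actually up. The teardown messages ("ISAKMP-SA deleted", "purged IPsec-SA") are assumed from racoon's wording and do not appear in the mail's excerpt.

```python
import re
from typing import Dict, Tuple

# Constructed sample modelled on the racoon.NXS.log excerpt in the mail
# (same placeholder peer address); each entry kept on one line.
SAMPLE_LOG = """\
2005-08-15 21:34:16: INFO: initiate new phase 1 negotiation: 192.168.20.3[500]<=>123.456.123.456[500]
2005-08-15 21:34:18: INFO: ISAKMP-SA established 192.168.20.3[500]-123.456.123.456[500] spi:98b817c6d8861461:63c4e57881281d43
2005-08-15 21:34:19: INFO: initiate new phase 2 negotiation: 192.168.20.3[0]<=>123.456.123.456[0]
2005-08-15 21:34:19: WARNING: attribute has been modified.
2005-08-15 21:34:19: INFO: IPsec-SA established: ESP/Tunnel 123.456.123.456->192.168.20.3 spi=25845058(0x18a5d42)
2005-08-15 21:34:19: INFO: IPsec-SA established: ESP/Tunnel 192.168.20.3->123.456.123.456 spi=780431211(0x2e846f6b)
"""

# Assumed teardown wording (not in the mail's excerpt): what a real
# disconnect (killall racoon / setkey -F) should leave behind in the log.
SAMPLE_TEARDOWN = """\
2005-08-15 21:40:00: INFO: purged IPsec-SA proto_id=ESP spi=25845058.
2005-08-15 21:40:00: INFO: purged IPsec-SA proto_id=ESP spi=780431211.
2005-08-15 21:40:01: INFO: ISAKMP-SA deleted 192.168.20.3[500]-123.456.123.456[500] spi:98b817c6d8861461:63c4e57881281d43
"""

P1_UP = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")
P1_DOWN = re.compile(r"ISAKMP-SA (?:deleted|expired) (\S+)\[\d+\]-(\S+)\[\d+\]")
P2_UP = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)->(\S+) spi=(\d+)")
P2_DOWN = re.compile(r"purged IPsec-SA .*spi=(\d+)")


def tunnel_state(log_text: str) -> Tuple[Dict[str, bool], Dict[str, Tuple[str, str]]]:
    """Replay racoon log lines; return (phase 1 state per peer, live ESP SAs by SPI)."""
    phase1: Dict[str, bool] = {}
    esp: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        if m := P1_UP.search(line):
            phase1[m.group(2)] = True
        elif m := P1_DOWN.search(line):
            phase1[m.group(2)] = False
        elif m := P2_UP.search(line):
            esp[m.group(3)] = (m.group(1), m.group(2))   # src -> dst
        elif m := P2_DOWN.search(line):
            esp.pop(m.group(1), None)
    return phase1, esp


def is_connected(log_text: str, local: str, peer: str) -> bool:
    """True only if phase 1 is up and ESP SAs exist in both directions."""
    phase1, esp = tunnel_state(log_text)
    dirs = set(esp.values())
    return phase1.get(peer, False) and (local, peer) in dirs and (peer, local) in dirs
```

Run against the live racoon log before trusting a GUI status; a peer still listed with both ESP directions is connected no matter what the client says.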