Hi,
If someone can help me on...
<workstations>---rl0--[obsdGW]--rl1--INTERNET---(win7)
I tried another config file for iked.conf:
ikev2 "win7" passive esp \
from 10.10.0.0/24 to 0.0.0.0/0 \
local any peer any \
eap "mschap-v2" \
config address 10.10.0.7 \
tag "$name-$id"
'/sbin/iked -n' gives me "Configuration OK"
Now if I run /sbin/iked -dvv:
/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user bandit
user "bandit" "numbers"
ca_reload: loaded ca file ca.crt
ca_reload: /C=FR/ST=REUNION/L=Sainte Clotilde/O=e-solutions/CN=vpn.solutions.lan
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 81.255.127.115.crt
ca_validate_cert: /C=FR/ST=REUNION/L=Sainte Clotilde/O=e-solutions ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
config_getpolicy: received policy
ikev2 "win7" passive esp from 10.10.0.0/24 to 0.0.0.0/0 local any peer
any ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5
group modp2048-256,modp2048,modp1536,modp1024 childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800
bytes 536870912 eap "MSCHAP_V2" config address 10.10.0.7 tag "$name-$id"
config_getpfkey: received pfkey fd 4
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
When I try to connect using the win7 workstation (road warrior):
a "tail -f /var/log/daemon" gives me:
Apr 3 14:32:57 vpn iked[15924]: ikev2_recv: IKE_SA_INIT from initiator
RR.WW.RR.WW:52711 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 3 14:32:57 vpn iked[15924]: ikev2_msg_send: IKE_SA_INIT from
AA.BB.CC.DD:500 to RR.WW.RR.WW:52711, 325 bytes
Apr 3 14:32:57 vpn iked[15924]: ikev2_recv: IKE_AUTH from initiator
RR.WW.RR.WW:53054 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
I can't connect.
Thank you very much.
Wesley.
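As an added example (not part of this thread or of iked), a small Python checker that reads iked log lines in the shape quoted above and reports peers whose IKE_AUTH request arrived but was never answered, which is exactly the symptom in these logs. It assumes an IKE_AUTH response is logged like the IKE_SA_INIT one (ikev2_msg_send: IKE_AUTH from ... to ...); the peer addresses, byte counts and the second peer are constructed sample data.

```python
import re
from collections import defaultdict

# Line shape copied from the iked log lines quoted in the thread; the IKE_AUTH
# response line is assumed to mirror the IKE_SA_INIT one. Addresses and byte
# counts below are constructed sample values, not data from the thread.
LOG_RE = re.compile(
    r"iked\[\d+\]: (?P<func>ikev2_recv|ikev2_msg_send): "
    r"(?P<exchange>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) from "
    r"(?:initiator )?(?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+"
)

SAMPLE_LOG = """\
Apr  3 14:32:57 vpn iked[15924]: ikev2_recv: IKE_SA_INIT from initiator 203.0.113.10:52711 to 198.51.100.1:500 policy 'win7', 528 bytes
Apr  3 14:32:57 vpn iked[15924]: ikev2_msg_send: IKE_SA_INIT from 198.51.100.1:500 to 203.0.113.10:52711, 325 bytes
Apr  3 14:32:57 vpn iked[15924]: ikev2_recv: IKE_AUTH from initiator 203.0.113.10:53054 to 198.51.100.1:4500 policy 'win7', 1164 bytes
Apr  3 14:35:10 vpn iked[15924]: ikev2_recv: IKE_SA_INIT from initiator 203.0.113.20:500 to 198.51.100.1:500 policy 'win7', 528 bytes
Apr  3 14:35:10 vpn iked[15924]: ikev2_msg_send: IKE_SA_INIT from 198.51.100.1:500 to 203.0.113.20:500, 325 bytes
Apr  3 14:35:11 vpn iked[15924]: ikev2_recv: IKE_AUTH from initiator 203.0.113.20:4500 to 198.51.100.1:4500 policy 'win7', 1164 bytes
Apr  3 14:35:11 vpn iked[15924]: ikev2_msg_send: IKE_AUTH from 198.51.100.1:4500 to 203.0.113.20:4500, 280 bytes
"""

def parse(lines):
    """Yield (peer_ip, direction, exchange) for every IKEv2 message line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        if m["func"] == "ikev2_recv":
            yield m["src"], "recv", m["exchange"]
        else:
            yield m["dst"], "send", m["exchange"]

def stalled_peers(lines):
    """Peers whose IKE_AUTH request was received but never answered.
    Keyed on peer IP only: a NAT-T client moves from UDP/500 to UDP/4500
    between IKE_SA_INIT and IKE_AUTH (as in the thread), so the port is
    not part of the key."""
    seen = defaultdict(set)
    for peer, direction, exchange in parse(lines):
        seen[peer].add((direction, exchange))
    return sorted(
        peer for peer, events in seen.items()
        if ("recv", "IKE_AUTH") in events and ("send", "IKE_AUTH") not in events
    )

if __name__ == "__main__":
    for peer in stalled_peers(SAMPLE_LOG.splitlines()):
        print(f"{peer}: IKE_AUTH received but no IKE_AUTH response sent")
```

Run against a real /var/log/daemon the same way; a peer that keeps appearing here is stuck in authentication (here EAP/MSCHAPv2 or certificate validation), which is what to look at with iked -dvv.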
On 2012-04-02 16:37, mxb wrote:
On 04/02/2012 10:17 AM, Wesley wrote:
Hi,
I'm using an OpenBSD Gateway running:
OpenBSD vpn.area.lan 5.1 GENERIC.MP#214 i386
So what I'm trying to build:
<10.10.0.0/24>----rl0----[obsd]----rl1----(INTERNET)----(win7 with dynamic IP)
IP Address (INTERNET, rl1): AA.BB.CC.DD
Dynamic IP for win7: RR.WW.RR.WW
I start the ikev2 vpn (it stops on password and user verification) and have this on the OBSD gateway:
tail -f /var/log/daemon:
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_SA_INIT from initiator RR.WW.RR.WW:59317 to AA.BB.CC.DD:500 policy 'win7', 528 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_msg_send: IKE_SA_INIT from AA.BB.CC.DD:500 to RR.WW.RR.WW:59317, 325 bytes
Apr 2 12:13:22 vpn iked[19494]: ikev2_recv: IKE_AUTH from initiator RR.WW.RR.WW:58268 to AA.BB.CC.DD:4500 policy 'win7', 1164 bytes
Any idea?
Thank you very much.
-- OpenBSD Gateway:
rl0 group: lan
rl1 group: egress
IP Address (INTERNET, rl1): AA.BB.CC.DD
iked.conf:
user "bandit" "123456"
ikev2 "win7" passive esp \
from 10.10.3.0/24 to 10.10.0.0/24 \
local any peer any \
eap "mschap-v2" \
config address 10.10.3.7 \
config name-server 10.10.0.51 \
tag "$name-$id"
pf.conf:
set skip on {lo,enc0}
set block-policy drop
match out on egress from lan:network to any nat-to egress
block log all
pass out
pass in on egress proto esp
pass in on egress proto udp to port 500
pass in on egress proto udp to port 4500
pass in on egress proto tcp to port 22
pass in on lan inet from lan:network to any
net.inet.ip.forwarding = 1
What I have done about certificates:
ikectl ca vpn create
ikectl ca vpn certificate AA:BB:CC:DD create
ikectl ca vpn install
ikectl ca vpn certificate AA:BB:CC:DD install
ikectl ca vpn certificate AA:BB:CC:DD export
I put the exported certs on the win7 workstation.
And then ran iked.
-- Win7 workstation
Import certificate in mmc snap-in (Certificates/Authority)
Wesley.
Hi,
try to run iked with '-vd' and see what you get.
An alternative could be to run experimental npppd, e.g. L2TP over IPsec.
Works fine here.
//maxim