since i've heard that the new ipsec.conf and ipsecctl command simplify setting up vpns, i figured i would give the "old" way of isakmpd.conf another pass to help me figure out the new syntax. now that i have gone back and tried to set up isakmpd as a tunnel between two machines on my home network using isakmpd.conf, i can't get the configuration that worked for me in the past to work again.
the trouble i have is that the two peers are definitely exchanging information, but not establishing a tunnel. i don't see any useful info in the output from "isakmpd -d -DA=10", and i've included the outputs from each instance of isakmpd and a tcpdump from the host in between them as attachments.

i'm trying to establish a tunnel between two hosts (both are pentium IIs running a snapshot from 10/28) with IPs 10.0.0.2 and 10.0.3.2, living on my home network with the topology shown here:

    #############        ############################
    # 10.0.0.2  #--------# 10.0.0.1      pub IP = Z #
    #############        #                          #
                         # 10.0.3.1                 #
                         ############################
                                    |
                                    |
                         ###############
                         #  10.0.3.2   #
                         ###############

i have set 10.0.0.2 as peer-X and 10.0.3.2 as peer-Y. here are their respective isakmpd.conf files:

for 10.0.0.2:

    [Phase 1]
    10.0.3.2=               peer-Y

    [Phase 2]
    Connections=            IPsec-X-Y

    [peer-Y]
    Phase=                  1
    #Transport=             udp
    Address=                10.0.3.2
    Local-address=          10.0.0.2
    #ID=                    X-internal
    #Remote-ID=             Y-internal
    Configuration=          Default-main-mode
    Authentication=         communism

    [IPsec-X-Y]
    Phase=                  2
    ISAKMP-peer=            peer-Y
    Configuration=          Default-quick-mode
    Local-ID=               X-internal
    Remote-ID=              Y-internal

    [X-internal]
    ID-type=                IPV4_ADDR
    Address=                10.0.0.2

    [Y-internal]
    ID-type=                IPV4_ADDR
    Address=                10.0.3.2

    [Default-main-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-SHA,BLF-SHA

    [Default-quick-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          QUICK_MODE
    Suites=                 QM-ESP-3DES-SHA-SUITE

for 10.0.3.2:

    [Phase 1]
    10.0.0.2=               peer-X

    [Phase 2]
    Connections=            IPsec-Y-X

    [peer-X]
    Phase=                  1
    #Transport=             udp
    Address=                10.0.0.2
    #Local-address=         10.0.3.2
    #ID=                    Y-internal
    #Remote-ID=             X-internal
    Configuration=          Default-main-mode
    Authentication=         communism

    [IPsec-Y-X]
    Phase=                  2
    ISAKMP-peer=            peer-X
    Configuration=          Default-quick-mode
    Local-ID=               Y-internal
    Remote-ID=              X-internal

    [Y-internal]
    ID-type=                IPV4_ADDR
    Address=                10.0.3.2

    [X-internal]
    ID-type=                IPV4_ADDR
    Address=                10.0.0.2

    [Default-main-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-SHA,BLF-SHA

    [Default-quick-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          QUICK_MODE
    Suites=                 QM-ESP-3DES-SHA-SUITE

i have tried to keep these files as simple as possible to prevent confusion. both hosts have the same isakmpd.policy file:

    Authorizer: "POLICY"
    Comment: This bare-bones assertion accepts everything

the output of "netstat -rn -f encap" on each host is:

for 10.0.0.2:

    Routing tables

    Encap:
    Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
    10.0.3.2/32        0     10.0.0.2/32        0     0      10.0.3.2/50/use/in
    10.0.0.2/32        0     10.0.3.2/32        0     0      10.0.3.2/50/require/out

for 10.0.3.2:

    Routing tables

    Encap:
    Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
    10.0.0.2/32        0     10.0.3.2/32        0     0      10.0.0.2/50/use/in
    10.0.3.2/32        0     10.0.0.2/32        0     0      10.0.0.2/50/require/out

i have enc0 up on all 3 machines involved here, pf is disabled, and all hosts have the correct sysctl values (esp on the endpoints, and forwarding enabled on the intermediate host).

that said, i feel really stupid posting this, but i've already invested 2+ hours with no joy. i am also aware that this is not the usual setup for a vpn and has low utility in the sense that it is not linking two subnets, just two individual hosts.

regards,
jake

[demime 1.01d removed an attachment of type application/octet-stream which had a name of isakmpd.peer-X.out]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of isakmpd.peer-Y.out]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of isakmpd.session.pcap]
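The post's goal is to map the isakmpd.conf setup above onto the ipsec.conf/ipsecctl syntax. The following is an added example, not the poster's configuration and not taken from the OpenBSD manuals verbatim: it is the host-to-host tunnel between 10.0.0.2 and 10.0.3.2 written in ipsec.conf(5) form, with the same pre-shared key, the same main-mode and quick-mode proposals as the 3DES-SHA / QM-ESP-3DES-SHA-SUITE configuration, and the modp1024 group that isakmpd's built-in 3DES-SHA transform uses. It assumes the ipsec.conf grammar of later OpenBSD releases; the snapshot the poster ran may have differed in the keywords it accepted.

```conf
# /etc/ipsec.conf on 10.0.0.2 (peer-X).  Added example, not the poster's file.
# One "ike" rule replaces the [Phase 1]/[Phase 2]/[peer-Y]/[IPsec-X-Y]
# sections: ipsecctl derives the ISAKMP peer, the Phase 1 IDs (IPV4_ADDR
# by default) and the flows from the from/to/peer addresses.
#
# main  ... = Phase 1 proposal (ID_PROT), like [Default-main-mode] / 3DES-SHA
# quick ... = Phase 2 proposal (QUICK_MODE), like QM-ESP-3DES-SHA-SUITE
# psk       = the [peer-Y] Authentication= value
ike esp from 10.0.0.2 to 10.0.3.2 peer 10.0.3.2 \
        main  auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk "communism"

# /etc/ipsec.conf on 10.0.3.2 (peer-Y): the mirror image.
# (Both rules are shown in one block only for comparison; each host gets
#  its own file.)
# ike esp from 10.0.3.2 to 10.0.0.2 peer 10.0.0.2 \
#         main  auth hmac-sha1 enc 3des group modp1024 \
#         quick auth hmac-sha1 enc 3des \
#         psk "communism"
```

With ipsecctl managing the flows, isakmpd is started as `isakmpd -K` so that it does not consult isakmpd.policy at all (ipsecctl passes its own policy to the daemon over the FIFO). `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, `ipsecctl -f /etc/ipsec.conf` loads it, and `ipsecctl -sa` shows the resulting flows and SAs, which is the ipsecctl counterpart of the `netstat -rn -f encap` output in the post: once Phase 2 succeeds, an SA entry for ESP between the two addresses should appear beside the flows.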