Hi.
Does anyone have experience with ipsec between a FreeBSD and a Linux box? It's the first time
I'm doing it between the two; so far the freebsd/freebsd and linux/linux
variants have worked without problems.
Premise: a FreeBSD (6.1) computer on my side with network A
(192.168.150.0), a Debian Linux (3.1, with a kernel from backports) computer on
the other side in network B (192.168.100.0). Here is how it manifests. On the
first try the tunnel came up, I could reach network B, but from B
into A nothing at all. The firewall was set to allow everything (done with pf) precisely
in order to eliminate one cause of problems. Well, I say to myself, I know
ipfw better, who knows, let me do it with ipfw. Again minimal:
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via fxp0
/sbin/ipfw add pass all from any to any
Everything works ok, except ipsec, which dies with ERROR: phase1 negotiation
failed due to time up.
I don't know whether it's because of the firewall or something else. Here are the
configuration files:
Done:
ifconfig gif0 create
ifconfig gif0 tunnel Freebsd Debian
ifconfig gif0 192.168.150.29 192.168.100.11 netmask 0xffffffff
1. ifconfig shows me:
gif0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet FreeBSD --> Debian
inet6 fe80::202:55ff:fe74:6535%gif0 prefixlen 64 scopeid 0x7
inet 192.168.150.29 --> 192.168.100.11 netmask 0xffffffff
netstat -r:
192.168.100.11 192.168.150.29 UH 0 0 gif0
2. /etc/ipsec.conf
flush;
spdflush;
spdadd FreeBSD Debian any -P out ipsec esp/tunnel/FreeBSD-Debian/require;
spdadd Debian FreeBSD any -P in ipsec esp/tunnel/Debian-FreeBSD/require;
spdadd 192.168.150.0/24 192.168.100.0/24 any -P out ipsec esp/tunnel/FreeBSD-Debian/require;
spdadd 192.168.100.0/24 192.168.150.0/24 any -P in ipsec esp/tunnel/Debian-FreeBSD/require;
3. /usr/local/etc/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# local ipsec interface
listen {
  isakmp FreeBSD [500];
}
# remote ipsec-gw
remote Debian {
  exchange_mode main;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
# local net to remote net
sainfo address 192.168.100.0/24 any address 192.168.150.0/24 any {
  pfs_group 2;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
# local net to remote ipsec-gw
sainfo address 192.168.100.0/24 any address FreeBSD/32 any {
  pfs_group 2;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
# local ipsec-gw to remote net
sainfo address Debian/32 any address 192.168.150.0/24 any {
  pfs_group 2;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
# local ipsec-gw to remote ipsec-gw
sainfo address Debian/32 any address FreeBSD/32 any {
  pfs_group 2;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
(I replaced the IP addresses with the machine names only here, for
obvious reasons :)
Thank you.
Cheers.
lefty
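As an added example (not from the original post or from the setkey/racoon projects), here is a small Python script that parses the spdadd lines of an ipsec.conf like the one above and answers two questions a practitioner checks first when a tunnel passes traffic in only one direction: which policy a given packet would hit on the FreeBSD gateway, and whether every "out" policy has a mirrored "in" twin. The gateway addresses 203.0.113.1 (FreeBSD) and 198.51.100.1 (Debian) are assumed documentation placeholders standing in for the hostnames in the post.

```python
import ipaddress
import re

# Constructed copy of the poster's /etc/ipsec.conf; the FreeBSD and Debian
# hostnames are replaced by assumed documentation addresses (not from the post).
FREEBSD, DEBIAN = "203.0.113.1", "198.51.100.1"
IPSEC_CONF = f"""
spdadd {FREEBSD} {DEBIAN} any -P out ipsec esp/tunnel/{FREEBSD}-{DEBIAN}/require;
spdadd {DEBIAN} {FREEBSD} any -P in ipsec esp/tunnel/{DEBIAN}-{FREEBSD}/require;
spdadd 192.168.150.0/24 192.168.100.0/24 any -P out ipsec esp/tunnel/{FREEBSD}-{DEBIAN}/require;
spdadd 192.168.100.0/24 192.168.150.0/24 any -P in ipsec esp/tunnel/{DEBIAN}-{FREEBSD}/require;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+)-(\S+)/(\w+);")

def parse_spd(text):
    """Turn setkey spdadd lines into policy dicts, keeping file order."""
    pols = []
    for m in SPD_RE.finditer(text):
        src, dst, proto, direction, tsrc, tdst, level = m.groups()
        pols.append({"src": ipaddress.ip_network(src, strict=False),
                     "dst": ipaddress.ip_network(dst, strict=False),
                     "proto": proto, "dir": direction,
                     "tunnel": (tsrc, tdst), "level": level})
    return pols

def lookup(pols, src_ip, dst_ip, direction):
    """First policy (file order, a simplification of the kernel SPD walk)
    whose selectors cover the packet, or None: the packet bypasses IPsec."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in pols:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def unmirrored(pols):
    """'out' policies with no 'in' twin (swapped selectors and swapped tunnel
    endpoints); a non-empty list means traffic is protected one way only."""
    ins = [p for p in pols if p["dir"] == "in"]
    return [p for p in pols if p["dir"] == "out" and not any(
        q["src"] == p["dst"] and q["dst"] == p["src"]
        and q["tunnel"] == p["tunnel"][::-1] for q in ins)]

if __name__ == "__main__":
    pols = parse_spd(IPSEC_CONF)
    # Reply traffic from net B to net A must hit the Debian->FreeBSD tunnel policy.
    print(lookup(pols, "192.168.100.11", "192.168.150.29", "in")["tunnel"])
    print("unmirrored out policies:", unmirrored(pols))
```

For the SPD in the post the mirror check comes back empty, so the one-way reachability is not explained by the policies themselves; that points the investigation at the firewall rules (the natd divert sits before the pass rule) and at whether ESP and UDP/500 actually arrive on the FreeBSD side.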