Re: VPN IPsec Help

2010-07-09 Thread Matheus Weber da Conceição
 % route add 192.168.10.24/32 200.x.x.x
 % route add 192.168.201.196/32 200.x.x.x
 % route add 10.115.90.236/32 200.x.x.x
 add net 192.168.10.24: gateway 200.x.x.x: Network is unreachable


Doesn't the kernel create the routes automatically?


-- 

Matheus Weber da Conceição
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: VPN IPsec Help

2010-07-08 Thread Matheus Weber da Conceição
  00:1c:c0:76:48:5e  UHLW1 5091vr1   1148
192.168.1.189  00:1d:60:03:a9:c3  UHLW11vr1723
192.168.1.197  00:1b:fc:1b:7a:c0  UHLW150767vr1   1171
192.168.1.200  00:19:d1:21:2d:07  UHLW1 2850vr1   1128
192.168.1.220  00:1c:c0:48:4d:13  UHLW123607vr1958
192.168.1.223  00:1c:c0:a4:70:c4  UHLW184310vr1826
192.168.1.251  00:1c:c0:54:c3:ac  UHLW1   387597vr1826
192.168.1.252  00:08:54:12:36:11  UHLW1  905vr1845
192.168.1.253  00:1c:c0:21:e7:fc  UHLW1   14vr1826
192.168.1.255  ff:ff:ff:ff:ff:ff  UHLWb   11vr1
192.168.5.0/24 192.168.5.2UGS 00   tun5
192.168.5.1127.0.0.1  UH  00lo0
192.168.5.2192.168.5.1UH  17   tun5
192.168.254.0/24   link#2 UC  00vr0
192.168.254.11 127.0.0.1  UH  00lo0
192.168.254.255ff:ff:ff:ff:ff:ff  UHLWb   11vr0
201.zzz.zzz.zzz187.yyy.yyy.yyyUH  00   tun0

Internet6:
Destination   Gateway   Flags
Netif Expire
::1   ::1   UHL lo0
fe80::%lo0/64 fe80::1%lo0   U   lo0
fe80::1%lo0   link#5UHL lo0
ff01:5::/32   fe80::1%lo0   UC  lo0
ff01:6::/32   link#6UGCtun0
ff02::%lo0/32 fe80::1%lo0   UC  lo0
ff02::%tun0/32fe80::21c:c0ff:fe54:bba9%tun0 UGCtun0



Thanks;
-- 

Matheus Weber da Conceição


Re: VPN IPsec Help

2010-07-08 Thread Matheus Weber da Conceição
 % route add 192.168.10.24/32 200.x.x.x
 % route add 192.168.201.196/32 200.x.x.x
 % route add 10.115.90.236/32 200.x.x.x
add net 192.168.10.24: gateway 200.x.x.x: Network is unreachable
-- 

Matheus Weber da Conceição


VPN IPsec Help

2010-07-07 Thread Matheus Weber da Conceição
Hello guys;

I'm using FreeBSD 7.0 on my firewall/gateway, and I have to connect
via VPN to a Cisco box.

The scenario here is:

* Peer A (Cisco): 200.xxx.xxx.xxx
   IPs that Peer B needs to access:
  - 192.168.10.24
  - 192.168.201.196
  - 10.115.90.236

* Peer B (FreeBSD 7.0): 187.yyy.yyy.yyy (me)


How can I configure this scenario without using a gif0 interface?

I have no idea how to route the network traffic from my IP
(187.yyy.yyy.yyy) to the 3 non-routing Peer A IPs.

I started /usr/local/etc/rc.d/racoon and /etc/rc.d/ipsec.
When I try to access SSH on 192.168.10.24, racoon writes a lot of
things to the log file (as far as I can see there is no error), but
SSH gives me a timeout error. After that, I look at the output of
setkey -D, and I get this:
==== setkey -D ====
187.yyy.yyy.yyy 200.xxx.xxx.xxx
esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x4001)
E: 3des-cbc  466cb043 de788f18 88545f35 d89be53e 4a0e85e9 3d026286
A: hmac-sha1  832a11aa ea68bc5a ec6f919b 23e28d91 7ecd7c6b
seq=0x0007 replay=4 flags=0x state=mature
created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
diff: 490(s)hard: 28800(s)  soft: 28800(s)
last: Jul  7 19:18:09 2010  hard: 0(s)  soft: 0(s)
current: 728(bytes) hard: 0(bytes)  soft: 0(bytes)
allocated: 7hard: 0 soft: 0
sadb_seq=1 pid=21919 refcnt=2
200.xxx.xxx.xxx 187.yyy.yyy.yyy
esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x4002)
E: 3des-cbc  b1cd13a6 d0696e70 778fe5b3 4bfde61c 6cb81d8f 2a8e9f62
A: hmac-sha1  4ad86b36 ff7d5c14 6cb744e5 85d97017 2b0f196c
seq=0x replay=4 flags=0x state=mature
created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
diff: 490(s)hard: 28800(s)  soft: 28800(s)
last:   hard: 0(s)  soft: 0(s)
current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
allocated: 0hard: 0 soft: 0
sadb_seq=0 pid=21919 refcnt=1

This means that my IPsec tunnel is up, right?

Any idea?


Configuration files:

==== Here is my /etc/ipsec.conf ====
flush;
spdflush;

# Each remote subnet gets an outbound tunnel policy and its inbound mirror.
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
# The inbound selector must mirror the outbound one (0.0.0.0/0, not 0.0.0.0/24).
spdadd 192.168.10.0/24 0.0.0.0/0 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;

spdadd 0.0.0.0/0 192.168.201.0/24 any -P out ipsec
	esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.201.0/24 0.0.0.0/0 any -P in ipsec
	esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
====

==== Here is my /usr/local/etc/racoon/racoon.conf ====
path pre_shared_key /usr/local/etc/racoon/psk.txt;

log debug2;

remote anonymous
{
	exchange_mode main;
	my_identifier address 187.4.201.197;
	peers_identifier address 200.186.89.186;
	lifetime time 28800 sec;	# sec,min,hour
	generate_policy off;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo address anonymous
{
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
====
-- 

Matheus Weber da Conceição
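The setkey -D dump and ipsec.conf in the post above are the two places a practitioner looks first when an IPsec tunnel is "up" but traffic times out. The following Python script is an added example written for this thread; it is not code from the poster or from any FreeBSD or racoon project. It parses a setkey -D dump and compares the per-direction ESP byte counters (an outbound SA that has carried bytes while the inbound SA stays at 0 means ESP leaves but nothing returns), and it parses spdadd statements to check that every outbound policy has a mirrored inbound policy and that a given destination is selected by some outbound policy at all. Both inputs are constructed samples embedded in the script: the SA dump follows the post with the key material left out, and the ipsec.conf sample has one inbound prefix deliberately mistyped as 0.0.0.0/24 to show what the mirror check catches. The local address "187.yyy.yyy.yyy" is the page's own placeholder.

```python
"""Diagnostics for a setkey/racoon IPsec tunnel (added example, not from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the SA dump from the post, key material omitted.
SETKEY_D_SAMPLE = """\
187.yyy.yyy.yyy 200.xxx.xxx.xxx
esp mode=tunnel spi=3246074620(0xc17b2afc) reqid=16385(0x4001)
seq=0x0007 replay=4 flags=0x state=mature
created: Jul  7 19:17:35 2010   current: Jul  7 19:25:45 2010
current: 728(bytes) hard: 0(bytes)  soft: 0(bytes)
allocated: 7 hard: 0 soft: 0
200.xxx.xxx.xxx 187.yyy.yyy.yyy
esp mode=tunnel spi=220854578(0x0d29f932) reqid=16386(0x4002)
seq=0x replay=4 flags=0x state=mature
current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
"""

# Constructed sample shaped like the posted ipsec.conf, with the second inbound
# selector deliberately mistyped as 0.0.0.0/24 instead of 0.0.0.0/0.
IPSEC_CONF_SAMPLE = """\
flush;
spdflush;
spdadd 0.0.0.0/0 10.115.90.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 10.115.90.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
spdadd 0.0.0.0/0 192.168.10.0/24 any -P out ipsec
esp/tunnel/187.yyy.yyy.yyy-200.xxx.xxx.xxx/require;
spdadd 192.168.10.0/24 0.0.0.0/24 any -P in ipsec
esp/tunnel/200.xxx.xxx.xxx-187.yyy.yyy.yyy/require;
"""

BYTES_LINE = re.compile(r"^current:\s+(\d+)\(bytes\)")
STATE_FIELD = re.compile(r"state=(\w+)")
SPDADD = re.compile(r"^spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec (\S+)$")


def parse_sad(text):
    """Return one dict per SA: src, dst, bytes carried so far, and state.

    An SA block starts with a bare 'src dst' line (IPv4 addresses in this
    sample; an IPv6 dump would need the ':' exclusion below relaxed)."""
    sas, cur = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        is_header = (len(tokens) == 2
                     and not any("=" in t or t.endswith(":") for t in tokens))
        if is_header:
            cur = {"src": tokens[0], "dst": tokens[1], "bytes": 0, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = BYTES_LINE.match(line)
        if m:
            cur["bytes"] = int(m.group(1))
        m = STATE_FIELD.search(line)
        if m:
            cur["state"] = m.group(1)
    return sas


def tunnel_health(sas, local_addr):
    """Classify the tunnel from the mature SAs' byte counters.

    Returns (verdict, outbound_bytes, inbound_bytes); 'one-way' is the
    signature of ESP leaving this host with nothing coming back."""
    mature = [sa for sa in sas if sa["state"] == "mature"]
    out_bytes = sum(sa["bytes"] for sa in mature if sa["src"] == local_addr)
    in_bytes = sum(sa["bytes"] for sa in mature if sa["dst"] == local_addr)
    if not mature:
        verdict = "no-sa"
    elif out_bytes == 0 and in_bytes == 0:
        verdict = "idle"
    elif in_bytes == 0:
        verdict = "one-way"
    elif out_bytes == 0:
        verdict = "inbound-only"
    else:
        verdict = "ok"
    return verdict, out_bytes, in_bytes


def parse_spd(conf):
    """Extract spdadd statements; statements may wrap across lines, so split on ';'."""
    policies = []
    for stmt in conf.split(";"):
        m = SPDADD.match(" ".join(stmt.split()))
        if m:
            src, dst, _proto, direction, policy = m.groups()
            policies.append({"src": src, "dst": dst, "dir": direction, "policy": policy})
    return policies


def unmirrored_out_policies(policies):
    """Outbound (src, dst) selectors with no inbound (dst, src) counterpart."""
    inbound = {(p["src"], p["dst"]) for p in policies if p["dir"] == "in"}
    return [(p["src"], p["dst"]) for p in policies
            if p["dir"] == "out" and (p["dst"], p["src"]) not in inbound]


def covering_out_policies(policies, dst_ip):
    """Outbound selectors whose destination prefix contains dst_ip."""
    dst = ip_address(dst_ip)
    return [(p["src"], p["dst"]) for p in policies
            if p["dir"] == "out" and dst in ip_network(p["dst"], strict=False)]


if __name__ == "__main__":
    sas = parse_sad(SETKEY_D_SAMPLE)
    print("tunnel:", tunnel_health(sas, "187.yyy.yyy.yyy"))
    pols = parse_spd(IPSEC_CONF_SAMPLE)
    print("outbound policies without an inbound mirror:", unmirrored_out_policies(pols))
    print("policies covering 192.168.10.24:", covering_out_policies(pols, "192.168.10.24"))
```

On the sample the tunnel verdict is "one-way" (728 bytes out, 0 in), which matches the counters in the post: packets are being encrypted and sent, and the problem is on the return path rather than in phase 1 or phase 2 negotiation. The mirror check flags the 0.0.0.0/24 selector, and the coverage check confirms that 192.168.10.24 is selected by an outbound policy, so a missing selector is not the reason that destination times out. On a live FreeBSD host the two samples would be replaced by the output of `setkey -D` and the contents of /etc/ipsec.conf.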