Re: tunnel ipsec with racoon2-20070720a

2007-09-20 Thread ckd ckd
Thank you.
The problem was with the gif interface.
When I start iked, it tries to bind the IP address already allowed by the kernel
for gif.

Now, I'm looking for experience using racoon2-2006... or racoon2-2007... with
(net|free)BSD

best regards
ckd


2007/9/19, Lowell Gilbert [EMAIL PROTECTED]:

 ckd ckd [EMAIL PROTECTED] writes:

  hi,
 
  i'm looking for some experience using racoon2 to create an IPsec tunnel
  between 2 FreeBSD 6.2 gateways.
 
  i followed the procedure described in the FreeBSD handbook, but when I start
  iked, I get the following message:
 
  iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address():
 
  bind(10.0.2.254[500]): Address already in use.
 
  there is no iked/racoon daemon started before.
 
  thanks for your help

 Use sockstat(1) to see what is holding the port?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: tunnel ipsec with racoon2-20070720a

2007-09-19 Thread Lowell Gilbert
ckd ckd [EMAIL PROTECTED] writes:

 hi,

 i'm looking for some experience using racoon2 to create an IPsec tunnel
 between 2 FreeBSD 6.2 gateways.

 i followed the procedure described in the FreeBSD handbook, but when I start
 iked, I get the following message:

 iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address():

 bind(10.0.2.254[500]): Address already in use.

 there is no iked/racoon daemon started before.

 thanks for your help

Use sockstat(1) to see what is holding the port?
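The check Lowell suggests, worked through as an added example (not code from the thread or from racoon2): take iked's "Address already in use" line, pull out the address and port it tried to bind, and look up in the output of sockstat -4l which process already holds that UDP socket. The log line and the sockstat listing below are constructed samples; on a real gateway pass "$(sockstat -4l)" in place of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose iked's bind() failure by
# matching the address/port it wanted against what sockstat shows as bound.

# Constructed sample of the iked error quoted in the thread.
IKED_ERR='iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address(): bind(10.0.2.254[500]): Address already in use.'

# Constructed sample of `sockstat -4l` output (listening IPv4 sockets).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     612   6  udp4   *:500                 *:*
root     racoon     612   7  udp4   10.0.2.254:4500       *:*
root     sshd       540   4  tcp4   *:22                  *:*'

# bind_target <iked-log-line> -> "ADDR PORT" taken from "bind(ADDR[PORT])"
bind_target() {
    printf '%s\n' "$1" | sed -n 's/.*bind(\([^[]*\)\[\([0-9]*\)]).*/\1 \2/p'
}

# port_holder <sockstat-output> <addr> <port> -> "COMMAND PID LOCAL" for every
# UDP socket bound to that port on the same address or on the wildcard
# address (*), since a wildcard bind also makes the specific bind fail.
port_holder() {
    printf '%s\n' "$1" | awk -v addr="$2" -v port="$3" '
        NR == 1 { next }                      # skip the column header
        $5 ~ /^udp/ {
            n = split($6, f, ":")             # last field is the port
            a = substr($6, 1, length($6) - length(f[n]) - 1)
            if (f[n] == port && (a == addr || a == "*")) print $2, $3, $6
        }'
}

set -- $(bind_target "$IKED_ERR")             # $1 = address, $2 = port
port_holder "$SAMPLE_SOCKSTAT" "$1" "$2"      # prints: racoon 612 *:500
# Real use on a FreeBSD host:  port_holder "$(sockstat -4l)" "$1" "$2"
```

If nothing is printed for the port, the conflict is not another listener; ckd's follow-up in this thread points at an address problem with the gif interface instead.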


tunnel ipsec with racoon2-20070720a

2007-09-18 Thread ckd ckd
hi,

i'm looking for some experience using racoon2 to create an IPsec tunnel
between 2 FreeBSD 6.2 gateways.

i followed the procedure described in the FreeBSD handbook, but when I start
iked, I get the following message:

iked: [INTERNAL ERR]: isakmp.c:521:isakmp_open_address():

bind(10.0.2.254[500]): Address already in use.

there is no iked/racoon daemon started before.

thanks for your help

ckd


IPsec with racoon2

2006-05-05 Thread John Ryan

Hi,

I'm trying to get IPsec running between 2 FreeBSD (VMware) boxes, using racoon2.
spmd and iked start up okay, but I get an error when I try a ping across the tunnel.

/var/log/messages shows:
May  5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: if_spmd.c:726: SLID failed: 550 Operation failed
May  5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: isakmp.c:647:isakmp_initiate_cont(): 0:172.20.36.55[0] - 172.20.36.52[0]:0x0:can't find selector (index (null))



2006-05-05 13:53:54 [INFO]: main.c:269:main(): starting iked for racoon2 20051102a
2006-05-05 13:53:54 [INFO]: main.c:272:main(): OPENSSLDIR: /etc/ssl
2006-05-05 13:53:54 [INFO]: main.c:282:main(): reading config /usr/local/etc/racoon2.conf
2006-05-05 13:53:54 [DEBUG]: ike_conf.c:3247:ike_conf_check_consistency(): checking configuration
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:350: spmd I/F connection ok: 220 F8A..76C2B9
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3306: spmd_read_password_file([/usr/local/etc/racoon2/spmd.pwd], [cfsetup.c:3376], 1)
2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3351: read 16 bytes
2006-05-05 13:53:54 [DEBUG]: if_spmd.c:413: spmd LOGIN ok: 250 OK
2006-05-05 13:53:54 [INFO]: isakmp.c:339:isakmp_open(): socket 5 bind 172.20.36.55[500]


Here's my network (running under VMware on Linux). The host has 2 network
cards and they're functional from VMware.


ifconfig_lnc0=inet 172.20.36.55 netmask 0xf800
ifconfig_lnc1=inet 192.168.4.1 netmask 0xff00

#  _______________________              _______________________
# / Ext IP A.B.C.D         \   tunnel  / Ext IP W.X.Y.Z         \
# ---| Int IP 192.168.1.1/24 |=========| Int IP 192.168.4.1/24 |---
# \_______________________/            \_______________________/
# For host A.B.C.D
# gif_interfaces=gif0
# gifconfig_gif0=A.B.C.D W.X.Y.Z
# ifconfig_gif0=inet 192.168.1.1 192.168.4.1 netmask 0x
# static_routes=vpn
# route_vpn=-net 192.168.4.0/24 192.168.4.1

gif_interfaces=gif0
gifconfig_gif0=172.20.36.55 172.20.36.52
ifconfig_gif0=inet 192.168.4.1 192.168.1.1 netmask 0x
static_routes=vpn
route_vpn=-net 192.168.1.0/24 192.168.1.1

Without IPsec running, I can ping the remote interfaces 192.168.[14].1 both ways.


My racoon2.conf looks like:

setval {
   PSKDIR  /usr/local/etc/racoon2/psk;
   CERTDIR /usr/local/etc/racoon2/cert;
};

# interface info
interface
{
   ike {
   MY_IPV4%lnc0;
   };
   spmd {
   unix /var/run/racoon/spmif;
   };
   spmd_password /usr/local/etc/racoon2/spmd.pwd;
};

# resolver info
resolver
{
   resolver off;
};

#
# default section
#
default
{
   remote {
   ikev2 {
   logmode normal;
   kmp_sa_lifetime_time infinite;
   kmp_sa_lifetime_byte infinite;
   max_retry_to_send 3;
   interval_to_send 10 sec;
   times_per_send 1;
   kmp_sa_nego_time_limit 60 sec;
   ipsec_sa_nego_time_limit 40 sec;
   kmp_enc_alg { aes256_cbc; 3des_cbc; };
   kmp_hash_alg { hmac_sha1; hmac_md5; aes_xcbc; };
   kmp_auth_method { dss; };
   kmp_dh_group { 1; 2; 5; 14; 15; };
   random_pad_content on;
   random_padlen on;
   max_padlen 50 bytes;
   };
   };

   policy {
   ipsec_mode tunnel;
   ipsec_level unique; # Not Yet Implemented, always 'unique'
   };

   ipsec {
   ipsec_sa_lifetime_time infinite;
   ipsec_sa_lifetime_byte infinite;
   };

   sa {
   esp_enc_alg { aes128_cbc; 3des_cbc; };
   esp_auth_alg { hmac_sha1; hmac_md5; };
   };
};
ipsec ipsec_ah_esp {
   ipsec_sa_lifetime_time 28800 sec;
   sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
   ipsec_sa_lifetime_time 28800 sec;
   sa_index esp_01;
};
sa ah_01 {
   sa_protocol ah;
   ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
   sa_protocol esp;
   esp_enc_alg { aes128_cbc; 3des_cbc; };
   esp_auth_alg { hmac_sha1; hmac_md5; };
};

# biosa-vm1.ch.genedata.com
remote biosa-vm1.nowhere.com {
   acceptable_kmp { ikev2; };
   ikev2 {
   my_id fqdn biosa-vm4.nowhere.com;
   peers_id fqdn biosa-vm1.nowhere.com;
   peers_ipaddr 172.20.36.52 port 500;
   kmp_enc_alg { aes256_cbc; aes192_cbc; 3des_cbc; };
   kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
   kmp_hash_alg { hmac_md5; hmac_sha1; aes_xcbc; };
   kmp_dh_group { 5; };
   kmp_auth_method { psk; };
   pre_shared_key ${PSKDIR}/secret.psk;
   };
   selector_index 42;
};
selector 41 {
   direction outbound;
   src 172.20.36.55;
   dst 172.20.36.52;
   upper_layer_protocol