Hi,

In IPSec, it is required to have an SA for every subnet.

What you currently have is an SA for talking between the boxes.
You could hide the subnets from IPSec in a GRE tunnel.
Or, create an SA for 192.168.0.0/24 and one for 192.168.1.0/24.

On 12/23/10 15:59, Paul Mooring wrote:
> Hello everyone,
> 
> I'm trying to set up an IPSec Tunnel between 2 office using racoon.
> One side is running PfSense, the other a custom linux based router.
> The tunnel connects (phase 1 & 2 are ok) and I can ping the tunnel IP
> addresses but can't get traffic across the internal subnets.  So it
> looks something like this (IP address are changed):
> 
> PfSense (Office 1):
>  - Ext IP: 98.76.54.32
>  - Int IP: 192.168.0.1/24
>  - IPSec IP: 172.16.0.2
> 
> Linux (Office 2):
>  - Ext IP: 12.34.56.78
>  - Int IP: 192.168.1.1/24
>  - IPSec IP: 172.16.0.1
> 
> my racoon.conf on the linux side looks like this (IPs changed again 
> obviously):
> path pre_shared_key "/etc/racoon/psk.txt" ;
> 
> remote anonymous
> {
>         exchange_mode aggressive ;
>         my_identifier address 98.76.54.32 ;
>         lifetime time 24 hour ;
>         ike_frag on;
>         mode_cfg on;
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key ;
>                 dh_group 2 ;
>         }
> }
> 
> sainfo anonymous
> {
>         pfs_group 2;
>         lifetime time 12 hour ;
>         encryption_algorithm 3des, blowfish, des, rijndael ;
>         authentication_algorithm hmac_sha1, hmac_md5 ;
>         compression_algorithm deflate ;
> }
> 
> the IPSec status shows it connecting and I can ping the 172.16.0.2
> address from the linux router but not the 192.168.0.1.  I would assume
> I need to add some routes, so I tried this:
> ip route add 172.16.0.0/24 dev eth0
> ip route add 192.168.0.0/24 via 172.16.0.2
> 
> but it didn't work.  I'm not very familiar with IPSec on linux but I've
> been told there shouldn't be a new ethernet device listed.  Any ideas
> where I'm going wrong with this?
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/


-- 
END OF LINE
      --MCP
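Worked example of the second option in the reply (one SA pair per LAN pair instead of "sainfo anonymous"), written for the Linux/racoon side. This is added here and is not code from either poster. It assumes the Linux router has ipsec-tools (setkey(8)) and ESP/xfrm support, reuses the addresses from Paul's post, and picks an AES-256/HMAC-SHA-256 phase-2 proposal; that proposal is an assumption about what the PfSense side is set to, not something the thread states (the thread's own sainfo offers 3des, des and hmac_md5, which should not be kept if the far end can do better). The GRE alternative is not covered. Output goes under a temp directory rather than /etc so the script runs unprivileged.

```sh
#!/bin/sh
# Added example, not code from the thread: generate the per-subnet-pair
# policies the reply recommends for the Linux/racoon side.
# Assumed (not on the page): ipsec-tools/setkey installed, PfSense phase 2
# configured for the same subnets and the same proposal.

LOCAL_GW=12.34.56.78            # Linux router external IP (Office 2)
REMOTE_GW=98.76.54.32           # PfSense external IP (Office 1)
LOCAL_NETS="192.168.1.0/24"     # LANs behind the Linux router (space separated)
REMOTE_NETS="192.168.0.0/24"    # LANs behind PfSense (space separated)
OUTDIR=${OUTDIR:-${TMPDIR:-/tmp}/ipsec-example}

# setkey SPD entries: every (local, remote) subnet pair gets an "out" and an
# "in" policy. Packets matching a selector are forced into an ESP tunnel
# between the two gateways, which is what hands 192.168.1.x -> 192.168.0.x
# traffic to IPsec. No "ip route ... via 172.16.0.2" is needed for that;
# the LAN packets just have to reach the forwarding path (e.g. via the
# default route) and the policy lookup catches them.
spd_policies() {
    for l in $LOCAL_NETS; do
        for r in $REMOTE_NETS; do
            printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
                "$l" "$r" "$LOCAL_GW" "$REMOTE_GW"
            printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
                "$r" "$l" "$REMOTE_GW" "$LOCAL_GW"
        done
    done
}

# Matching racoon phase-2 selectors, one sainfo per subnet pair, replacing
# "sainfo anonymous" so phase 2 negotiates subnet-to-subnet SAs rather than
# a single gateway-to-gateway one. Algorithms are an assumption: both ends
# must offer the same proposal.
sainfo_stanzas() {
    for l in $LOCAL_NETS; do
        for r in $REMOTE_NETS; do
            cat <<EOF
sainfo address $l any address $r any
{
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
}
EOF
        done
    done
}

# Number of SPD entries generated: 2 per (local, remote) subnet pair.
policy_count() {
    spd_policies | grep -c '^spdadd '
}

# Write setkey.conf (flushing stale SAs and policies first) and the sainfo
# fragment to $OUTDIR; prints the directory so the caller can find them.
write_configs() {
    mkdir -p "$OUTDIR"
    { printf 'flush;\nspdflush;\n'; spd_policies; } > "$OUTDIR/setkey.conf"
    sainfo_stanzas > "$OUTDIR/racoon-sainfo.conf"
    printf '%s\n' "$OUTDIR"
}

dir=$(write_configs)
cat "$dir/setkey.conf" "$dir/racoon-sainfo.conf"

# To apply on the router (as root): setkey -f "$dir/setkey.conf", paste the
# sainfo stanzas into racoon.conf in place of "sainfo anonymous", restart
# racoon, then check with "setkey -DP" (policies) and "setkey -D" or
# "ip xfrm state" (negotiated SAs).
```

When testing, ping from a LAN address, e.g. `ping -I 192.168.1.1 192.168.0.1`: the source must fall inside the selector, so a ping sourced from the router's public IP never matches the policy and goes out in the clear. `tcpdump -ni eth0 esp and host 98.76.54.32` confirms the packets leave encapsulated. Adding a second LAN on either side only means appending it to LOCAL_NETS or REMOTE_NETS; the script emits the extra pairs, which is the per-subnet SA rule from the reply.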
