vpn trouble
Maciej Suszko
maciej at suszko.eu
Tue Jun 22 17:25:34 UTC 2010
<ralf at dzie-ciuch.pl> wrote:
>
> Hmmm, aggressive mode didn't help :(
> Still I get only negotiation, so I try to send packets but I don't
> receive any at all.
>
> On my server 78.x.x.x I have ipfw allow all from any to any.
> On the other side 95.x.x.x they tell me that they have done everything
> right - only I can't connect :(
>
> Maybe I don't set route correctly?
>
> Does this mean that I don't receive the password from the other side?
> ERROR: phase1 negotiation failed due to time up.
> 5d300bcf894a18f5:0000000000000000
All the addresses you write about (despite those x) and especially
this 10.10.1.90 sound familiar (anyway it might be a coincidence). I've
got more than a dozen working tunnels of this kind. You can try this way:
Set up a gif tunnel in rc.conf:
cloned_interfaces="gif0"
ifconfig_gif0="tunnel 78.x.x.x 95.x.x.x"
ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
10.20.0.1 is your internal end of the tunnel, so use any address from
outside the net 10.10.1.90 is in.
In racoon.conf, something like this:
remote 95.x.x.x [500]
{
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 78.x.x.x;
    peers_identifier address 95.x.x.x;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;
    generate_policy off;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
{
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
The other side needs to know you have 10.20.0.1 on your side of the
tunnel - this way you should have working IPSEC between both 10. ends.
--
regards, Maciej Suszko.
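An added pre-flight check, not part of this thread or of racoon itself: the Python script below parses the rc.conf gif lines and the racoon.conf snippet in the shape shown above, verifies that the phase 1 identifiers and the sainfo selector line up with the gif0 outer and inner endpoints (mismatches that leave phase 1 or phase 2 unable to complete), and lists the 3des/md5/group 2 choices as weak. The embedded configs are constructed samples; 198.51.100.1 and 203.0.113.2 are placeholders for the thread's 78.x.x.x and 95.x.x.x.

```python
import re

# Constructed sample input modelled on the rc.conf and racoon.conf snippets in
# the post; 198.51.100.1 and 203.0.113.2 are placeholders for 78.x.x.x / 95.x.x.x.
RC_CONF = '''cloned_interfaces="gif0"
ifconfig_gif0="tunnel 198.51.100.1 203.0.113.2"
ifconfig_gif0_alias0="10.20.0.1 netmask 255.255.255.255 10.10.1.90"
'''
RACOON_CONF = '''remote 203.0.113.2 [500]
{
    my_identifier address 198.51.100.1;
    peers_identifier address 203.0.113.2;
    proposal { encryption_algorithm 3des; hash_algorithm md5; dh_group 2; }
}
sainfo (address 10.20.0.1/32 any address 10.10.1.90/32 any)
{ pfs_group 2; encryption_algorithm 3des; authentication_algorithm hmac_md5; }
'''
# Choices racoon still negotiates but which no longer meet current guidance.
WEAK = {"encryption_algorithm": {"des", "3des"}, "hash_algorithm": {"md5"},
        "authentication_algorithm": {"hmac_md5"}, "dh_group": {"1", "2"},
        "pfs_group": {"1", "2"}}

def field(text, pat):
    m = re.search(pat, text)
    return m.group(1) if m else None

def check(rc_conf, racoon_conf):
    """Return (errors, warnings). Errors are gif0/racoon mismatches that
    leave phase 1 or 2 unable to complete; warnings are weak algorithms."""
    errors, warnings = [], []
    tun = re.search(r'ifconfig_gif0="tunnel (\S+) (\S+)"', rc_conf)
    alias = re.search(r'ifconfig_gif0_alias0="(\S+) netmask \S+ (\S+)"', rc_conf)
    if not (tun and alias):
        return ["gif0 tunnel or alias line missing from rc.conf"], warnings
    outer_local, outer_remote = tun.groups()
    inner_local, inner_remote = alias.groups()
    # Phase 1: remote block and both identifiers must name the gif outer endpoints.
    for pat, want in {r"remote (\S+)": outer_remote,
                      r"my_identifier address (\S+);": outer_local,
                      r"peers_identifier address (\S+);": outer_remote}.items():
        got = field(racoon_conf, pat)
        if got != want:
            errors.append(f"{pat.split()[0]}: racoon has {got!r}, gif0 implies {want!r}")
    # Phase 2: the sainfo selector must be exactly the gif inner addresses.
    sa = re.search(r"sainfo \(address (\S+)/32 any address (\S+)/32 any\)", racoon_conf)
    if not sa or sa.groups() != (inner_local, inner_remote):
        errors.append(f"sainfo selector does not match gif0 alias {inner_local} <-> {inner_remote}")
    # Weak algorithms still negotiate, but a peer that has dropped them would
    # also present as a phase 1 timeout, so list them alongside the mismatches.
    for key, bad in WEAK.items():
        for val in re.findall(rf"{key} (\S+);", racoon_conf):
            if val in bad:
                warnings.append(f"{key} {val} is weak")
    return errors, warnings
```

Run `check(RC_CONF, RACOON_CONF)` against your real rc.conf and racoon.conf text; an empty error list means the two files agree on all four addresses.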