vpn trouble
ralf at dzie-ciuch.pl
Wed Jun 23 11:35:09 UTC 2010
Thanks guys, it's working.
I couldn't ping 10.10.1.90 (external network) but they could ping me.
I got another question: how do I set up another tunnel to my host, like:
10.20.0.1 (my gif0) --> 78.x.x.x (my bce1) <---> 78.y.y.y <--> 10.20.1.1
I copied the 2 lines (with changed IPs), so now I have 4 lines, and I copied the
remote and sainfo blocks in racoon.conf.
I restarted racoon and now I can only connect to 95.x.x.x (like last time),
but not to 78.y.y.y.
Is it possible not to create the interface gif1, or should I do it?
Do I have to change something in the routing table?
Regards
Ralf
On Tue, 22 Jun 2010 20:26:36 +0200, Maciej Suszko <maciej at suszko.eu> wrote:
> <ralf at dzie-ciuch.pl> wrote:
>>
>> Hi,
>>
>> I am trying to set up the VPN like I wrote earlier.
>> 78.x is the server and this is not NAT. It doesn't forward anything.
>>
>> >> I am trying to configure a VPN between my server and my client
>> >>
>> >> The scheme is like this
>> >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
>> >
>> > Are you trying to set up IPSEC tunneling of networks behind these
>> > gateways, or are you only trying to secure traffic between the peers
>> > themselves?
>>
>> I am trying to set up a tunnel behind my server 78.x and the gateway 95.x translating
>> packets to 10.x. I can only set up the 78.x side.
>>
>> >
>> > The fact that you don't receive any reply to your IKE packets would
>> > indicate something basic, like something is blocking traffic.
>>
>> But how do I check it? Telnet to port 500 won't work. But when I set SSH
>> to listen on port 500 I can log in, so the port is not blocked.
>
> Telnet host 500 uses proto tcp; isakmp uses udp.
>
>> >> # setkey -DP
>> >> 10.10.1.90[any] 78.x.x.x[any] any
>> >> in ipsec
>> >> esp/tunnel/95.x.x.x-78.x.x.x/require
>> >> created: Jun 22 15:39:25 2010 lastused: Jun 22 15:39:25 2010
>> >> lifetime: 0(s) validtime: 0(s)
>> >> spid=16461 seq=1 pid=83142
>> >> refcnt=1
>> >> 78.x.x.x[any] 10.10.1.90[any] any
>> >> out ipsec
>> >> esp/tunnel/78.x.x.x-95.x.x.x/require
>> >> created: Jun 22 15:39:25 2010 lastused: Jun 22 15:40:50 2010
>> >> lifetime: 0(s) validtime: 0(s)
>> >> spid=16460 seq=0 pid=83142
>> >> refcnt=1
>> >
>> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
>> > actually encapsulating traffic originating from somewhere else, you
>> > might do better to just use "transport" mode to encrypt without
>> > encapsulation.
>>
>> Hmmm, I don't understand it. I set the policy only for these IPs and the
>> connection for it is ESP encrypted.
>>
>> >
>> >> And tcpdump
>> >> #tcpdump -i bce1 host 95.x.x.x
>> >>
>> >>
>> >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >
>> > My first thought was that your IPSEC policy attempts to encrypt all
>> > traffic between you and your peers, but the IKE traffic is also
>> > traffic between you and your peers, so doesn't it lead to a policy
>> > loop of some sort? Will the IPSEC layer attempt to capture and
>> > encrypt the IKE packets?
>>
>> Can you explain how I can check it? I'm new to this and I don't understand
>> some things.
>
> I've got such tunnels up and working - tunnel mode, encryption between
> peers, without using any internal networks - strange, but working :) -
> policy looks like that:
> spdadd 195.x.x.x 213.x.x.x any -P out ipsec esp/tunnel/195.x.x.x-213.x.x.x/require;
> spdadd 213.x.x.x 195.x.x.x any -P in ipsec esp/tunnel/213.x.x.x-195.x.x.x/require;
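Added example, not code from this thread or from FreeBSD: a small Python checker that parses a `setkey -DP` dump in the format quoted above and reports every tunnel policy that has no mirror policy (addresses swapped, tunnel endpoints swapped, opposite direction), which is the half-configured state a copied-and-edited second tunnel can end up in. The dump is constructed to mimic the quoted output and keeps the masked addresses.

```python
"""Check a `setkey -DP` dump for tunnel policies that lack their mirror."""
import re

# Constructed sample in the quoted format: the first tunnel has in+out,
# the second (10.20.x via 78.y.y.y) was only added for 'out'.
SAMPLE_DUMP = """\
10.10.1.90[any] 78.x.x.x[any] any
\tin ipsec
\tesp/tunnel/95.x.x.x-78.x.x.x/require
\tspid=16461 seq=1 pid=83142
78.x.x.x[any] 10.10.1.90[any] any
\tout ipsec
\tesp/tunnel/78.x.x.x-95.x.x.x/require
\tspid=16460 seq=0 pid=83142
10.20.0.1[any] 10.20.1.1[any] any
\tout ipsec
\tesp/tunnel/78.x.x.x-78.y.y.y/require
\tspid=16462 seq=2 pid=83142
"""
HEAD = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # src dst proto
DIR = re.compile(r"^\s+(in|out) ipsec$")
TUN = re.compile(r"^\s+esp/tunnel/(\S+)-(\S+)/(\w+)$")      # endpoints

def parse_spd(dump):
    """One dict per policy: src, dst, dir and tun (endpoint pair or None)."""
    policies, cur = [], None
    for line in dump.splitlines():
        if m := HEAD.match(line):            # unindented line = new policy
            cur = {"src": m.group(1), "dst": m.group(3), "dir": None, "tun": None}
            policies.append(cur)
        elif cur and (m := DIR.match(line)):
            cur["dir"] = m.group(1)
        elif cur and (m := TUN.match(line)):  # lifetime/spid lines are skipped
            cur["tun"] = (m.group(1), m.group(2))
    return policies

def missing_mirrors(policies):
    """Messages for policies whose reverse policy is absent from the SPD."""
    keys = {(p["src"], p["dst"], p["dir"], p["tun"]) for p in policies}
    problems = []
    for p in policies:
        other = "in" if p["dir"] == "out" else "out"
        rtun = tuple(reversed(p["tun"])) if p["tun"] else None
        if (p["dst"], p["src"], other, rtun) not in keys:
            tun = "-".join(p["tun"]) if p["tun"] else "transport"
            problems.append(f"{p['dir']} {p['src']}->{p['dst']} via {tun} "
                            f"has no {other} counterpart")
    return problems

print("\n".join(missing_mirrors(parse_spd(SAMPLE_DUMP))) or "SPD symmetric")
```

On a real host, feed it the output of `setkey -DP` instead of the constructed sample; an empty result means every tunnel policy has its counterpart in the other direction.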
More information about the freebsd-net mailing list