Setting up VPN+IPSec+Racoon
Kövesdán Gábor
gabor.kovesdan at t-hosting.hu
Fri Feb 17 10:35:02 PST 2006
Mike Tancsa wrote:
> At 11:26 AM 17/02/2006, Kövesdán Gábor wrote:
>
>> Mike Tancsa wrote:
>>
>>> As for tutorials, google around and read through various posts. There
>>> is lots of good info out there. Perhaps if you describe what you want
>>> to do, people can make specific suggestions.
>>>
>>> ---Mike
>>>
>> Unfortunately, I haven't found a good howto. The situation is the
>> following:
>
> freebsd ipsec tutorial
>
> in google comes up with a number of starting points including
>
> http://www.onlamp.com/pub/a/bsd/2002/12/26/FreeBSD_Basics.html
>
>> This project will be some kind of SMS service. The server will connect
>> to the SMS server and get the received SMSes, but the connection to
>> the SMS server is only allowed via VPN. Here are two IP addresses,
>> one of them is the VPN peer's address. I have to set up a VPN
>> connection to this host with 3DES SHA IPsec and a DH pre-shared key.
>> The other IP address is the SMS server's address but that is only
>> accessible via VPN.
>
> First, you need to show what your policy is.
>
> typical setup described is
>
> internalNet_A----externalIP_A-------internet-----externalIP_B----internalNet_B
>
> Where internalNet_A needs to talk to internalNet_B in a safe and
> secure way.
>
> So, identify what those parts of the policy are.
>
> Put it in a shell script like
>
> # A = your side, B = the VPN peer
> Bsubnet=172.24.0.17/29
> BexternalIP=80.244.96.229
> Asubnet=192.168.2.186/32
> AexternalIP=80.98.231.227
> # flush existing SAs and policies first
> setkey -F
> setkey -FP
>
> # selectors are the inner subnets; tunnel endpoints are the external IPs
> /usr/sbin/setkey -c <<EOF1
> spdadd $Asubnet $Bsubnet any -P out ipsec
> esp/tunnel/$AexternalIP-$BexternalIP/unique;
> spdadd $Bsubnet $Asubnet any -P in ipsec
> esp/tunnel/$BexternalIP-$AexternalIP/unique;
> EOF1
>
> This sets up the policy.
>
> Type
> setkey -DP
>
> It will show you the installed policies. Once you try and send some
> traffic across with PhaseI and PhaseII negotiated, you will see the
> associations with
> setkey -D
>
>> I've installed ipsec-tools and tried to configure it, but I can't
>> start racoon and I get a configuration file parse error. I couldn't
>> find out which line is wrong. I just got this:
>> racoon: failed to parse configuration file.
>
> IPSEC Tools is fussy about where the config is. It's saying it can't
> find the config.
> Try racoon -d -f /usr/local/etc/racoon/racoon.conf
>
> Also, make sure for your sainfo config, it must match your policies,
> otherwise it will hit the anonymous config. For your initial setup,
> try it with an anonymous config for now and then work on getting only
> a specific config.
> e.g.
> sainfo address 172.24.0.17/29 any address 192.168.2.186/32 any
>
Thanks, it seems to be okay now, racoon is running, and I see TCP
packets going out via the VPN, but ICMP host unreachable packets are
coming from the VPN peer. I think there's some problem with the routing
here, I started a new thread about this.
Thanks in advance,
Gabor Kovesdan
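As an added example (not from this thread or from ipsec-tools), the following script derives the setkey SPD policy and a racoon.conf fragment from one set of address variables, using the addresses quoted above, so the sainfo selectors cannot drift away from the policy; the 3DES/SHA1/pre-shared-key proposal follows the requirement stated in the thread, and the psk.txt path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: derive the setkey SPD policy and a
# racoon.conf fragment from ONE set of variables so the sainfo selectors
# always match the policy (otherwise racoon falls through to "anonymous").
Asubnet=192.168.2.186/32      # your inner host (A side)
AexternalIP=80.98.231.227     # your gateway, A side
Bsubnet=172.24.0.17/29        # peer's inner subnet (B side)
BexternalIP=80.244.96.229     # VPN peer, B side

# SPD entries: selectors are the inner subnets, tunnel endpoints are the
# gateways' external addresses (using the subnet here is a common mistake).
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$Asubnet" "$Bsubnet" "$AexternalIP" "$BexternalIP"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$Bsubnet" "$Asubnet" "$BexternalIP" "$AexternalIP"
}

# racoon.conf fragment: 3DES/SHA1 with a pre-shared key (as the thread
# requires); sainfo lists the local selector first, remote second, matching
# the SPD above. The psk.txt path is an assumption.
racoon_fragment() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
remote $BexternalIP {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address $Asubnet any address $Bsubnet any {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Install the policy only where setkey exists, then show what got loaded.
apply_policy() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey not found" >&2; return 1; }
    setkey -FP && spd_policy | setkey -c && setkey -DP
}
```

Run `spd_policy` and `racoon_fragment` to review the generated text before calling `apply_policy` on the gateway, and compare the result of `setkey -DP` against the printed policy.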