VPN and racoon
Hi, I'm trying to configure a VPN but it doesn't want to work.
This is the scheme:
Code:
10.10.1.90 <--> externalIP1 <--> MY external IP
My /etc/ipsec.conf, where I type setkey -f:
Code:
cat /etc/ipsec.conf
Code:
path include "/usr/local/etc/racoon";
Code:
$setkey -D
And part of racoon.log:
Code:
2010-06-18 11:45:00: DEBUG: pk_recv: retry[0] recv()
I use FreeBSD 6.3.
Are you married to BSD for this?
I've been trying to get this to work for a few weeks (including on pfSense/BSD), and the thing that worked for me (in VMs) is this. For this, assume that network 1 has IP range 192.168.1.x, and network 2 has IP range 192.168.2.x, and the two networks talk to each other through the "Internet", which is on range 192.168.0.x (that is, on a testbench LAN connection):
* Clean install Debian Lenny (standard system only, nothing extra)
* apt-get install sysvconfig openswan

When openswan installs, say no to opportunistic encryption and do not generate a public key. Then (the SAME on both VPN endpoints, do NOT switch left and right), create these files.

/etc/ipsec.conf (the inner lines are indented with a tab; the indentation is important):
Code:
config setup
	charonstart=yes #this line probably not required for IKEv1
	plutostart=yes
conn MyVPN
	left=192.168.0.5 # "public" IP of network 1's router
	leftsubnet=192.168.1.0/24
	right=192.168.0.6 # "public" IP of network 2's router
	rightsubnet=192.168.2.0/24
	auto=start
	authby=secret #manpage says that this is the default, but the behavior of openswan says otherwise

/etc/ipsec.secrets:
Code:
192.168.0.5 192.168.0.6 : PSK "mysecretpassword"

Then run "service ipsec restart" on both boxes. Once this is done, run "ipsec setup --status" to see the status. If you are having problems, "ipsec barf" will give loads of information about it.

Please be aware that this configuration is a testbench configuration only; you really need to research x509 certificates and the cipher suites to set it up in a secure manner -- but it is much easier to change one setting at a time once you have something basic working.

If you are using virtual servers, be aware that entropy will be a problem (especially if running on a 2.6 kernel) -- I think that timer_entropyd is the best solution (unless you can get USB or serial passthrough to work and fit a hardware TRNG). Does anyone know how good the entropy from timer_entropyd is?
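The answer above lists several things that have to agree between ipsec.conf and ipsec.secrets before the tunnel will come up (left and right identical on both ends, non-overlapping subnets, authby=secret with a matching PSK line for the left/right pair). The following checker is an added example, not code from the thread or from openswan: it parses the two files in the format the answer shows and reports the mismatches that most often keep a PSK site-to-site tunnel down. The sample configuration embedded in it is constructed to mirror the answer's testbench config, and the 20-character PSK threshold is an assumption chosen for this example.

```python
"""Consistency checks for an openswan-style ipsec.conf / ipsec.secrets pair.

Added example (not part of the original thread). The sample input below is
constructed to match the testbench configuration given in the answer above.
"""
import ipaddress
import re

# Constructed sample input mirroring the answer's config (tabs as indentation).
IPSEC_CONF = """\
config setup
\tcharonstart=yes #this line probably not required for IKEv1
\tplutostart=yes
conn MyVPN
\tleft=192.168.0.5 # "public" IP of network 1's router
\tleftsubnet=192.168.1.0/24
\tright=192.168.0.6 # "public" IP of network 2's router
\trightsubnet=192.168.2.0/24
\tauto=start
\tauthby=secret
"""

IPSEC_SECRETS = '192.168.0.5 192.168.0.6 : PSK "mysecretpassword"\n'

# Matches lines of the form:  <selector ...> : PSK "<secret>"
PSK_RE = re.compile(r'^\s*(?P<selectors>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

# Assumed minimum PSK length for this example (not an openswan requirement).
MIN_PSK_LEN = 20


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}} from ipsec.conf text.

    Indented lines belong to the most recent unindented section header;
    trailing '#' comments are stripped before key=value parsing.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return a list of (frozenset_of_selectors, psk) tuples from ipsec.secrets."""
    entries = []
    for line in text.splitlines():
        m = PSK_RE.match(line)
        if m:
            entries.append((frozenset(m.group("selectors").split()), m.group("psk")))
    return entries


def check_conn(conn, secrets):
    """Return a list of problems found in one conn section (empty list = OK)."""
    problems = [f"missing {k}=" for k in ("left", "right", "leftsubnet", "rightsubnet")
                if k not in conn]
    if problems:
        return problems
    left, right = conn["left"], conn["right"]
    if left == right:
        problems.append("left and right are the same address")
    lnet = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    rnet = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    if lnet.overlaps(rnet):
        problems.append(f"leftsubnet {lnet} overlaps rightsubnet {rnet}")
    if conn.get("auto") != "start":
        problems.append("auto=start not set; tunnel will not come up on its own")
    authby = conn.get("authby")
    if authby is None:
        problems.append("authby not set explicitly; set authby=secret (or rsasig)")
    if authby in (None, "secret"):
        # A PSK line applies when both endpoint addresses appear in its selectors.
        matching = [psk for sel, psk in secrets if {left, right} <= sel]
        if not matching:
            problems.append(f"no PSK entry in ipsec.secrets for {left} {right}")
        elif len(matching[0]) < MIN_PSK_LEN:
            problems.append(f"PSK is only {len(matching[0])} characters; "
                            "use a long random secret or move to x509 certificates")
    return problems


def check_config(conf_text, secrets_text):
    """Return {conn_name: [problems]} for every conn section in conf_text."""
    secrets = parse_ipsec_secrets(secrets_text)
    return {name[5:]: check_conn(values, secrets)
            for name, values in parse_ipsec_conf(conf_text).items()
            if name.startswith("conn ")}


if __name__ == "__main__":
    for conn_name, problems in check_config(IPSEC_CONF, IPSEC_SECRETS).items():
        print(conn_name, "OK" if not problems else problems)
```

Run against the sample, the only finding is the short testbench PSK, which is exactly the point the answer makes about hardening once the basic tunnel works; swap in a secrets line whose selectors do not name both endpoints and the checker reports the missing PSK entry before you go looking in "ipsec barf" output.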