 
 From:  Uroš Gruber <uros dot gruber at vizija dot si>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSEC with FreeBSD
 Date:  Fri, 16 Sep 2005 20:57:28 +0200 (CEST)
On Fri, September 16, 2005 4:59 pm, Cory Strobel wrote:
>

> Do you see any SAD or SPD entries on the Diagnostics->IPSEC page on the
> monowall when you try connecting?
>
> I am not 100% sure based on the information you gave, but I believe your
> subnet masks in your spdadd entries should be something other than /32,
> likely /24. A /32 only allows access to and from a single host.
>
> Also check the racoon log file (typically /var/log/racoon) on your BSD
> box for clues, it usually will help diagnose where the problem is.

Hm. I kinda made this work, but with a little modification. I have this
on my monowall:

$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 217.72.81.133 {
	exchange_mode aggressive;
	my_identifier address "A.B.C.D";

	peers_identifier address X.Y.W.Z;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 10.0.0.0/8 any address 192.168.0.1/32 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	pfs_group 1;
}

and

spdadd 10.0.0.0/8 10.255.255.252/32 any -P in none;
spdadd 10.255.255.252/32 10.0.0.0/8 any -P out none;

spdadd 10.0.0.0/8 192.168.0.1/24 any -P out ipsec esp/tunnel/A.B.C.D-X.Y.W.Z/unique;

spdadd 192.168.0.1/24 10.0.0.0/8 any -P in ipsec esp/tunnel/X.Y.W.Z-A.B.C.D/unique;

I had to set spdadd similar to this because ipencap was not working. I
was getting the error sadinfo all the time.

Now I can ping those two hosts. But the problem is how to ping the entire
network behind monowall. I tried with static routes but I gave up.

Can anybody help with some examples? I tried with traceroute but everything
stops on the router.

regards

> -----Original Message-----

> Sent: Friday, September 16, 2005 12:24 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPSEC with FreeBSD
>
>
> Hi!
>
>
> I'm running 1.2b10 and I would like to get monowall and my remote server
> to communicate via IPSEC VPN.
>
> I set up IPSEC with preshared-key on monowall and followed the instructions
> from
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>
>
> but nothing is working. Can somebody give me some info about this?
>
> What I did:
>
> monowall has one remote address (A) and local address 10.255.255.252;
> the server has local address 192.168.0.1 and remote address (B). I set up
> monowall from the documentation (IPSEC on WAN and local is LAN), remote
> gateway is set to address B. I also set it up to use preshared-key.
>
> Then I created gif0 on my freebsd and created the tunnel as I said from the
> handbook. Then installed racoon, created psk.txt and started racoon. And
> also set the IPSEC policy with two rules and started IPSEC.
>
> spdadd B/32 A/32 ipencap -P out ipsec esp/tunnel/B-A/require;
> spdadd A/32 B/32 ipencap -P in ipsec esp/tunnel/A-B/require;
>
> But I can't see anything work.
>
>
> Did I miss something?
>
>
> regards
>
> Uros
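One check worth running on the selectors quoted in the reply above, as an added example that is not from the thread or from m0n0wall: it parses the spdadd and sainfo lines into prefixes and reports where the phase 2 selectors disagree, namely that the /24 SPD entries are not covered by the /32 sainfo selector and that 192.168.0.1/24 carries host bits. Assumes Python 3.7 or later; the peer addresses A.B.C.D and X.Y.W.Z are kept as the mail's own placeholders.

```python
import ipaddress
import re

# Sample input constructed from the selectors quoted in the mail.
SPD_TEXT = """\
spdadd 10.0.0.0/8 192.168.0.1/24 any -P out ipsec esp/tunnel/A.B.C.D-X.Y.W.Z/unique;
spdadd 192.168.0.1/24 10.0.0.0/8 any -P in ipsec esp/tunnel/X.Y.W.Z-A.B.C.D/unique;
"""
SAINFO_TEXT = "sainfo address 10.0.0.0/8 any address 192.168.0.1/32 any {"

# Only 'ipsec' policies matter for phase 2; '-P in none' bypass entries are skipped.
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\b")
SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)")


def parse_prefix(text):
    """Return (network, host_bits_set); strict=False masks host bits instead of rejecting."""
    net = ipaddress.ip_network(text, strict=False)
    return net, str(net) != text


def check_policies(spd_text, sainfo_text):
    """Return findings as strings; an empty list means the SPD and sainfo selectors agree."""
    findings = []
    local, remote = (parse_prefix(p)[0] for p in SAINFO_RE.search(sainfo_text).groups())
    for src, dst, direction in SPD_RE.findall(spd_text):
        src_net, src_bad = parse_prefix(src)
        dst_net, dst_bad = parse_prefix(dst)
        for raw, net, bad in ((src, src_net, src_bad), (dst, dst_net, dst_bad)):
            if bad:
                findings.append(f"{raw}: host bits set, masked to {net}")
        # 'out' policies run local->remote, 'in' policies remote->local
        loc, rem = (src_net, dst_net) if direction == "out" else (dst_net, src_net)
        if not loc.subnet_of(local):
            findings.append(f"{direction} {src}->{dst}: local side {loc} not covered by sainfo {local}")
        if not rem.subnet_of(remote):
            findings.append(f"{direction} {src}->{dst}: remote side {rem} not covered by sainfo {remote}")
    return findings


if __name__ == "__main__":
    for line in check_policies(SPD_TEXT, SAINFO_TEXT) or ["selectors agree"]:
        print(line)
```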