 From:  Uroš Gruber <uros dot gruber at vizija dot si>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSEC with FreeBSD
 Date:  Fri, 16 Sep 2005 20:57:28 +0200 (CEST)
On Fri, September 16, 2005 4:59 pm, Cory Strobel wrote:

> Do you see any SAD or SPD entries on the Diagnostics->IPSEC page on the
> monowall when you try connecting?
> I am not 100% sure based on the information you gave, but I believe your
> subnet masks in your spdadd entries should be something other than /32,
> likely /24. A /32 only allows access to and from a single host.
> Also check the racoon log file (typically /var/log/racoon) on your BSD
> box for clues, it usually will help diagnose where the problem is.

Hm. I kind of made this work, but with a little modification. I have this
on my monowall:

$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote {
	exchange_mode aggressive;
	my_identifier address "A.B.C.D";

	peers_identifier address X.Y.W.Z;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	# phase 1 (IKE) proposal
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# phase 2 (IPsec SA) parameters
sainfo address any address any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	pfs_group 1;
}

# SPD entries for setkey(8), selectors and ESP specs as posted
spdadd any -P in none;
spdadd any -P out none;

spdadd any -P out ipsec

spdadd any -P in ipsec

I had to set spdadd similar to this because ipencap was not working. I
was getting a sadinfo error all the time.

Now I can ping those two hosts. But the problem is how to ping the entire
network behind monowall. I tried with static routes but I gave up.

Can anybody help with some examples? I tried traceroute, but everything
stops at the router.


> -----Original Message-----
> From: Uroš Gruber [mailto:uros dot gruber at vizija dot si]
> Sent: Friday, September 16, 2005 12:24 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPSEC with FreeBSD
> Hi!
> I'm running 1.2b10 and I would like to get monowall and my remote server
> to communicate via IPSEC VPN.
> I set up IPSEC with a preshared key on monowall and followed the instructions
> from
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> but nothing is working. Can somebody give me some info about this?
> What I did:
> monowall has one remote address (A) and a local address;
> the server has a local address and a remote address (B). I set up
> monowall from the documentation (IPSEC on WAN and local is LAN); the remote
> gateway is set to address B. I also set it up to use a preshared key.
> Then I created gif0 on my FreeBSD and created the tunnel as I said from the
> handbook. Then I installed racoon, created psk.txt and started racoon. I
> also set the IPSEC policy with two rules and started IPSEC.
> spdadd B/32 A/32 ipencap -P out ipsec esp/tunnel/B-A/require;
> spdadd A/32 B/32 ipencap -P in ipsec esp/tunnel/A-B/require;
> But I can't see anything working.
> Did I miss something?
> regards
> Uros
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
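As an added example that is not part of this thread and not m0n0wall's or FreeBSD's own code: a small POSIX sh script that builds the setkey(8) security policy for the FreeBSD side when the tunnel is meant to cover the whole LAN behind the m0n0wall rather than only the two gateway addresses. It shows the host-to-host, ipencap-only shape of the policy posted above next to a network-to-host policy whose selector is the server's /32 against the LAN subnet, while the ESP tunnel still runs between the two gateway addresses. All addresses are placeholders: the server is B, the m0n0wall WAN is A, and the LAN behind the m0n0wall is assumed to be 192.168.1.0/24 (nothing in the thread states the real LAN prefix).

```shell
#!/bin/sh
# Added example, not from the thread, m0n0wall or FreeBSD: generate the
# setkey(8) SPD for the FreeBSD server (address B) so that the ESP tunnel to
# the m0n0wall WAN address (A) carries traffic for the LAN behind the m0n0wall.
# Assumption: the LAN behind the m0n0wall is 192.168.1.0/24 (placeholder).

# gen_spd_host_only SERVER GW
# Host-to-host policy in the shape of the one posted: only packets whose
# inner addresses are the two gateways themselves, and only ipencap (a gif
# tunnel), are protected. Packets from or to LAN hosts never match it.
gen_spd_host_only() {
    server=$1; gw=$2
    cat <<EOF
spdadd $server/32 $gw/32 ipencap -P out ipsec esp/tunnel/$server-$gw/require;
spdadd $gw/32 $server/32 ipencap -P in ipsec esp/tunnel/$gw-$server/require;
EOF
}

# gen_spd_lan SERVER GW LAN_CIDR
# Network-to-host policy: the selector is server <-> LAN subnet for any upper
# protocol, and the ESP tunnel endpoints are still the two gateway addresses.
# This is the counterpart of a m0n0wall IPsec tunnel whose local subnet is its
# LAN and whose remote subnet is the server's /32. spdflush first so stale
# host-only entries do not shadow the new ones.
gen_spd_lan() {
    server=$1; gw=$2; lan=$3
    cat <<EOF
spdflush;
spdadd $server/32 $lan any -P out ipsec esp/tunnel/$server-$gw/require;
spdadd $lan $server/32 any -P in ipsec esp/tunnel/$gw-$server/require;
EOF
}

# load_spd_lan SERVER GW LAN_CIDR
# Feed the policy to setkey(8) when it exists (FreeBSD with IPsec in the
# kernel); elsewhere just print it, so the script also runs on other systems.
load_spd_lan() {
    if command -v setkey >/dev/null 2>&1; then
        gen_spd_lan "$@" | setkey -c
    else
        gen_spd_lan "$@"
    fi
}

# Usage with constructed TEST-NET placeholder addresses (server B, m0n0wall WAN A):
#   load_spd_lan 198.51.100.2 203.0.113.1 192.168.1.0/24
```

With the network-to-host policy the ESP tunnel itself encapsulates the inner packets, so no gif interface takes part in this form; racoon's `sainfo` on the server must accept the server/32 <-> LAN selectors (a `sainfo anonymous` block does), and the m0n0wall tunnel must be configured with its LAN as the local subnet and the server's /32 as the remote subnet, or phase 2 will not match and nothing appears under Diagnostics -> IPsec.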