 
 From:  "Cory Strobel" <corys at medican dot com>
 To:  Uroš Gruber <uros dot gruber at vizija dot si>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC with FreeBSD
 Date:  Fri, 16 Sep 2005 16:02:09 -0600
Still think the problem is the subnet masking. If the tunnel is being established (you said you can
ping the two hosts) but nothing else, the problem is most likely with the masks you are using.

You are trying to access both LANs but you have this line:

sainfo address 10.0.0.0/8 any address 192.168.0.1/32 any {

It should be a 192.168.0.1/24 based on the other info you sent. Try resetting that and it should
work.

-Cory
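Cory's point about the /32 in the sainfo selector can be checked mechanically. The following is an added example, not code from this thread, from m0n0wall or from racoon: it parses a racoon `sainfo address ... address ...` selector and the `spdadd ... ipsec` tunnel policies (constructed copies of the lines quoted further down are embedded inline) and reports every SPD policy whose address pair is not covered by the selector, which is exactly the situation where only the single matching host can be reached. It also flags prefixes written with host bits set, such as 192.168.0.1/24, which the example reads as the network containing them (192.168.0.0/24); that reading, the function names and the regular expressions are the example's own assumptions.

```python
"""Added example (not from the thread, m0n0wall or racoon): check that every
setkey 'spdadd ... ipsec' tunnel policy is covered by a racoon 'sainfo'
address selector.  Phase 2 SAs are negotiated per sainfo selector, so a
policy whose address pair falls outside every selector has no SA that
matches the whole network; only hosts inside the selector (here one /32)
can talk over the tunnel."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the sainfo line and the tunnel policies quoted in the
# thread.  The '-P in none' bypass policy is not a tunnel policy and is skipped.
SAINFO_LINE = "sainfo address 10.0.0.0/8 any address 192.168.0.1/32 any {"
SPD_TEXT = """
spdadd 10.0.0.0/8 10.255.255.252/32 any -P in none;
spdadd 10.0.0.0/8 192.168.0.1/24 any -P out ipsec esp/tunnel/A.B.C.D-X.Y.W.Z/unique;
spdadd 192.168.0.1/24 10.0.0.0/8 any -P in ipsec esp/tunnel/X.Y.W.Z-A.B.C.D/unique;
"""

SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+);")


class Policy(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    proto: str  # e.g. esp/tunnel/A.B.C.D-X.Y.W.Z/unique


def has_host_bits(text: str) -> bool:
    """True for prefixes such as 192.168.0.1/24 whose address is not the
    network address.  The thread writes selectors this way, so warn, do not reject."""
    iface = ipaddress.ip_interface(text)
    return iface.ip != iface.network.network_address


def to_network(text: str) -> ipaddress.IPv4Network:
    # Assumption of this example: a prefix with host bits set means the network
    # containing it, so strict=False masks 192.168.0.1/24 to 192.168.0.0/24.
    return ipaddress.ip_network(text, strict=False)


def parse_sainfo(line: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Return the (local, remote) networks of a sainfo address selector."""
    m = SAINFO_RE.search(line)
    if not m:
        raise ValueError("not a sainfo address selector: %r" % line)
    return to_network(m.group(1)), to_network(m.group(2))


def parse_spd(text: str) -> List[Policy]:
    """Return only the 'ipsec' policies; bypass ('none') policies are ignored."""
    return [Policy(to_network(m.group(1)), to_network(m.group(2)), m.group(3), m.group(4))
            for m in SPD_RE.finditer(text)]


def covered(policy: Policy, selector: Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]) -> bool:
    """Outbound policies must fit local->remote, inbound ones remote->local."""
    local, remote = selector
    if policy.direction == "out":
        return policy.src.subnet_of(local) and policy.dst.subnet_of(remote)
    return policy.src.subnet_of(remote) and policy.dst.subnet_of(local)


def uncovered_policies(sainfo_line: str, spd_text: str) -> List[Policy]:
    selector = parse_sainfo(sainfo_line)
    return [p for p in parse_spd(spd_text) if not covered(p, selector)]


def report(sainfo_line: str, spd_text: str) -> List[str]:
    """Human-readable findings: host-bit warnings plus every uncovered policy."""
    findings = []
    for addr in sorted(set(re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", sainfo_line + spd_text))):
        if has_host_bits(addr):
            findings.append("%s has host bits set; read as %s" % (addr, to_network(addr)))
    for p in uncovered_policies(sainfo_line, spd_text):
        findings.append("policy %s %s -> %s is not covered by the sainfo selector"
                        % (p.direction, p.src, p.dst))
    return findings


if __name__ == "__main__":
    for finding in report(SAINFO_LINE, SPD_TEXT):
        print(finding)
```

With the selector as posted (remote side 192.168.0.1/32) both tunnel policies are reported as uncovered; widening it to 192.168.0.1/24, as Cory suggests, makes the report empty apart from the host-bits warning.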


-----Original Message-----

Sent: Friday, September 16, 2005 12:57 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] IPSEC with FreeBSD

On Fri, September 16, 2005 4:59 pm, Cory Strobel wrote:
>

> Do you see any SAD or SPD entries on the Diagnostics->IPSEC page on 
> the monowall when you try connecting?
>
> I am not 100% sure based on the information you gave, but I believe 
> your subnet masks in your spdadd entries should be something other 
> than /32, likely /24. A /32 only allows access to and from a single host.
>
> Also check the racoon log file (typically /var/log/racoon) on your BSD 
> box for clues, it usually will help diagnose where the problem is.

Hm. I kinda made this work, but with a little modification. I have this on my monowall:

$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 217.72.81.133 {
	exchange_mode aggressive;
	my_identifier address "A.B.C.D";

	peers_identifier address X.Y.W.Z;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 10.0.0.0/8 any address 192.168.0.1/32 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	pfs_group 1;
}

and

spdadd 10.0.0.0/8 10.255.255.252/32 any -P in none;
spdadd 10.255.255.252/32 10.0.0.0/8 any -P out none;

spdadd 10.0.0.0/8 192.168.0.1/24 any -P out ipsec esp/tunnel/A.B.C.D-X.Y.W.Z/unique;

spdadd 192.168.0.1/24 10.0.0.0/8 any -P in ipsec esp/tunnel/X.Y.W.Z-A.B.C.D/unique;

I had to set spdadd like this because ipencap was not working. I was getting the sadinfo error
all the time.

Now I can ping those two hosts. But the problem is how to ping the entire network behind monowall. I tried
with static routes but I gave up.

Can anybody help with some examples? I tried with traceroute but everything stops on the router.

regards

> -----Original Message-----

> Sent: Friday, September 16, 2005 12:24 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPSEC with FreeBSD
>
>
> Hi!
>
>
> I'm running 1.2b10 and I would like to get monowall and my remote 
> server to communicate via IPSEC VPN.
>
> I set up IPSEC with a preshared-key on monowall and followed the instructions 
> from
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>
>
> but nothing is working. Can somebody give me some info about this?
>
> What I did:
>
> monowall has one remote address (A) and local address 10.255.255.252; 
> the server has local address 192.168.0.1 and remote address (B). I set up 
> monowall from the documentation (IPSEC on WAN and local is LAN), remote 
> gateway is set to address B. I also set it up to use a preshared-key.
>
> Then I created gif0 on my freebsd and created the tunnel as I said, from the 
> handbook. Then installed racoon, created psk.txt and started racoon. 
> And also set the IPSEC policy with two rules and started IPSEC.
>
> spdadd B/32 A/32 ipencap -P out ipsec esp/tunnel/B-A/require;
> spdadd A/32 B/32 ipencap -P in ipsec esp/tunnel/A-B/require;
>
> But I can't see anything working.
>
>
> Did I miss something?
>
>
> regards
>
> Uros
>
>



---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch