 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  help with ipsec?
 Date:  Mon, 9 Feb 2004 22:02:47 -0500
I hate asking for help, but I've been pounding my head against the
monitor for many hours now, and I can't get this to work right.

What I'm trying is this:  I have a server at a colo facility running
FreeBSD 4.9 with ipfw and ipsec compiled in.  I have a DSL connection at
home with a dynamic IP via PPPoE with m0n0wall (latest) running there.  I
want to set up an IPsec connection between the m0n0wall and the server.

I've read the VPN tunnel doc in the FreeBSD handbook, but it seems to
assume a static IP at each end.  I've read the "How do I set up mobile
user VPN with IPSEC" documentation, and it seems to assume that the other
end is dynamic but not necessarily the m0n0wall end.

I've read the man pages for racoon and racoon.conf, but I must confess
I'm a bit stumped by it.  I followed the example racoon.conf file, but
it didn't work for me.

I've never set up ipsec before, and I'm not sure where I'm going wrong.

I'm running racoon with -F so I can see errors as they happen.  Here are
the errors (I replaced my DSL IP address with DSL_IP_ADDRESS):

------------- cut here ------------
2004-02-09 21:28:04: ERROR: oakley.c:2098:oakley_skeyid(): couldn't find the pskey for DSL_IP_ADDRESS.
2004-02-09 21:28:04: ERROR: isakmp.c:625:ph1_main(): failed to process packet.
2004-02-09 21:28:04: ERROR: isakmp.c:440:isakmp_main(): phase1 negotiation failed.
------------- cut here ------------

racoon.conf:
------------- cut here ------------
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
remote anonymous
{
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
------------- cut here ------------
psk.txt:
------------- cut here ------------
192.168.1.1	testingipsec
------------- cut here ------------
m0n0wall.conf bits:
------------- cut here ------------
    <ipsec>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>192.168.255.1/32</remote-subnet>
            <remote-gateway>X.X.X.X</remote-gateway>
            <p1>
                <mode>main</mode>
                <myident>
                    <address>192.168.1.1</address>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime/>
                <pre-shared-key>xxxxx</pre-shared-key>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <encryption-algorithm-option>cast128</encryption-algorithm-option>
                <encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime/>
            </p2>
            <descr>incan</descr>
        </tunnel>
        <enable/>
    </ipsec>
------------- cut here ------------

I feel like I'm really close to having it work, and if I could just
figure out how to specify the key so both ends agree without tying it to
the dynamic IP address, it would all work.

Anyone have any suggestions that might help?

Once I get mine working, I hope to get my parents' m0n0wall to do the
same thing (at the same time) and then proceed to route between our VPN
connections so that I'll be able to remotely fix their systems when they
break them.  That's the hope anyway...

Thanks in advance,
jim gifford
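Added editor's example (not code from the post, from racoon or from m0n0wall): a small Python check that cross-references racoon's "couldn't find the pskey" errors with the identifiers listed in psk.txt, so the mismatch between the address racoon looked up and the entries present is visible at a glance. The log lines and psk.txt content below are constructed to mirror the ones quoted in the post.

```python
import re

# Constructed sample of `racoon -F` output, modelled on the lines quoted
# above (the peer's real address is replaced with DSL_IP_ADDRESS).
RACOON_LOG = """\
2004-02-09 21:28:04: ERROR: oakley.c:2098:oakley_skeyid(): couldn't find the pskey for DSL_IP_ADDRESS.
2004-02-09 21:28:04: ERROR: isakmp.c:625:ph1_main(): failed to process packet.
2004-02-09 21:28:04: ERROR: isakmp.c:440:isakmp_main(): phase1 negotiation failed.
"""

# Constructed psk.txt in racoon's format: identifier, whitespace, key;
# lines starting with '#' are comments.
PSK_TXT = """\
# identifier   key
192.168.1.1\ttestingipsec
"""

# Matches the identifier racoon tried to look up; the trailing '.' is racoon's.
PSKEY_RE = re.compile(r"couldn't find the pskey for (\S+?)\.?\s*$")


def parse_psk(text):
    """Return {identifier: key} from psk.txt content, skipping comments and blanks."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            keys[parts[0]] = parts[1]
    return keys


def failed_pskey_lookups(log):
    """Identifiers for which racoon reported no pre-shared key."""
    found = []
    for line in log.splitlines():
        m = PSKEY_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def diagnose(log, psk_text):
    """For each failed lookup, say whether psk.txt has it and list the entries it skipped.

    In IKEv1 main mode the peer's ID payload arrives encrypted, so racoon has to
    pick the PSK by the peer's source address; an entry keyed on any other value
    (here the LAN address 192.168.1.1) is never consulted for that peer.
    """
    keys = parse_psk(psk_text)
    return [{"lookup_id": ident, "found": ident in keys,
             "unused_entries": sorted(k for k in keys if k != ident)}
            for ident in failed_pskey_lookups(log)]
```

Run against the real `racoon -F` output and `/usr/local/etc/racoon/psk.txt` to confirm that the identifier racoon looks up is one that psk.txt actually contains.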