Racoon / Draytek Setup

From: Steve Greenshaw (steve_at_softgreen.co.uk)
Date: 02/24/04

    To: "freebsd-questions" <freebsd-questions@freebsd.org>
    Date: Tue, 24 Feb 2004 22:15:25 -0000
    
    

    Hi,

    I'm having trouble attempting to set up a lan to lan VPN between FreeBSD 4.9
    and a Draytek 'Vigor2900 router'. I'm trying to use IPSec tunnelling.

    My aim is to connect 192.168.32.0/24 (FreeBSD) to 192.168.1.0/24 (Draytek)

    On the FreeBSD box I've gone ahead and created a tunnel (gif)
    AAA.AAA.AAA.AAA => BBB.BBB.BBB.BBB
    This tunnel joins 192.168.32.1 and 192.168.1.1
    There's a route to 192.168.1.0/24 via 192.168.1.1 added and present in the
    routing table.

    I've completed the VPN setup on the Draytek Vigor2900.

    I've removed all firewall or filtering rules so these are not an issue.

    Running racoon in verbose mode, when I try to start the connection from the
    Draytek I see:

    2004-02-24 21:46:36: INFO: isakmp.c:892:isakmp_ph1begin_r(): respond new
    phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
    2004-02-24 21:46:36: INFO: isakmp.c:897:isakmp_ph1begin_r(): begin
    Aggressive mode.
    2004-02-24 21:46:36: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find
    the proper pskey, try to get one by the peer's address.
    2004-02-24 21:46:38: INFO: isakmp.c:2410:log_ph1established(): ISAKMP-SA
    established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500]
    spi:361b8dc6e371b85c:30034bf29701e1a1
    2004-02-24 21:46:38: INFO: isakmp.c:1047:isakmp_ph2begin_r(): respond new
    phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    2004-02-24 21:46:38: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
    established: ESP/Tunnel BBB.BBB.BBB.BBB->AAA.AAA.AAA.AAA
    spi=227581104(0xd909cb0)
    2004-02-24 21:46:38: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established:
    ESP/Tunnel AAA.AAA.AAA.AAA->BBB.BBB.BBB.BBB spi=4193511423(0xf9f3e7ff)

    The Draytek also tells me that I have a VPN up and running and that data is
    encrypted.

    The problem is that this is as far as it gets. I can't ping either of my
    private networks from the other etc., etc. I get 100% packet loss. This is
    really bugging me as the tunnel *has* to be there for the keys to be set,
    doesn't it? If that's the case then there must be a route? I use exactly
    this method FreeBSD - FreeBSD all the time ...

    Anyway. I'm really stuck now and was hoping that maybe somebody might be
    able to shed some light on this for me? Has anybody ever set up a
    FreeBSD/Draytek lan to lan VPN using IPSec? Does anybody know if it's
    possible?

    Below is the security policy that I use for setkey and also my racoon.conf,
    just in case that is useful ...

    ################
    spdadd 192.168.32.0/24 192.168.1.0/24 ipencap -P out ipsec
    esp/tunnel/AAA.AAA.AAA.AAA-BBB.BBB.BBB.BBB/require;
    spdadd 192.168.1.0/24 192.168.32.0/24 ipencap -P in ipsec
    esp/tunnel/BBB.BBB.BBB.BBB-AAA.AAA.AAA.AAA/require;
    ################

    ################
    path include "/usr/local/etc/racoon" ;
    path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
    listen
    {
            isakmp AAA.AAA.AAA.AAA [500];
    }

    padding
    {
            maximum_length 20;
            randomize off;
            strict_check off;
            exclusive_tail off;
    }

    timer
    {
            counter 5;
            interval 20 sec;
            persend 1;

            phase1 2800 sec;
            phase2 3600 sec;
    }

    remote anonymous
    {
            exchange_mode aggressive,main;
            situation identity_only;

            nonce_size 16;
            lifetime time 24 hour;
            initial_contact on;
            support_proxy on;
            proposal_check obey;

            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key ;
                    dh_group 2 ;
                    }
    }

    sainfo anonymous
    {
            pfs_group 2;
            lifetime time 12 hour ;
            encryption_algorithm 3des, blowfish, des, rijndael ;
            authentication_algorithm hmac_md5, hmac_sha1;
            compression_algorithm deflate ;
    }
    ################

    Regards,

    Steve

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
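The setkey policies in the post select only `ipencap` (IP-in-IP, protocol 4) traffic between the two private networks, while the gif tunnel itself puts the public endpoints in the outer header. As an added example, not part of Steve's message and not code from the FreeBSD or KAME projects, here is a small Python checker that parses spdadd statements in that syntax and reports which sample packets a policy would select, so a reader can confirm whether a plain ping between the LANs, or a gif-encapsulated packet whose outer addresses are the public endpoints, is covered at all. The addresses 203.0.113.10 and 198.51.100.20 are constructed stand-ins for AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB, the sample packets are constructed, and the lookup is a simplified model of an SPD match (direction, address ranges, upper-layer protocol, first hit wins), not the kernel's implementation.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample: the two spdadd statements from the post, each on one
# line (setkey reads the wrapped original as one statement). The public
# endpoints AAA.AAA.AAA.AAA / BBB.BBB.BBB.BBB are replaced by the RFC 5737
# documentation addresses 203.0.113.10 / 198.51.100.20 (constructed stand-ins).
SPD_TEXT = """
spdadd 192.168.32.0/24 192.168.1.0/24 ipencap -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;
spdadd 192.168.1.0/24 192.168.32.0/24 ipencap -P in ipsec esp/tunnel/198.51.100.20-203.0.113.10/require;
"""

# Upper-layer protocol keywords a selector may carry; None means "any".
PROTO_NUMBERS = {"any": None, "icmp": 1, "ipencap": 4, "tcp": 6, "udp": 17}

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(require|use)\s*;"
)


class Policy(NamedTuple):
    src: ipaddress.IPv4Network      # selector: packet source range
    dst: ipaddress.IPv4Network      # selector: packet destination range
    proto: Optional[int]            # selector: upper-layer protocol, None = any
    direction: str                  # "in" or "out"
    tunnel_src: str                 # ESP tunnel outer source
    tunnel_dst: str                 # ESP tunnel outer destination


def parse_spd(text: str) -> list:
    """Parse spdadd ... esp/tunnel/... statements into Policy records."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, tsrc, tdst, _level = m.groups()
        policies.append(Policy(
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            PROTO_NUMBERS[proto.lower()],
            direction, tsrc, tdst,
        ))
    return policies


def matching_policy(policies, src: str, dst: str, proto: int, direction: str):
    """Simplified SPD lookup: first policy whose direction, address ranges and
    protocol selector all cover the packet. Returns the Policy or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction:
            continue
        if s not in p.src or d not in p.dst:
            continue
        if p.proto is not None and p.proto != proto:
            continue
        return p
    return None


# Constructed packets a reader would expect the tunnel to carry:
# (label, src, dst, IP protocol number, direction as seen by the FreeBSD SPD)
SAMPLE_PACKETS = [
    ("lan_icmp_out", "192.168.32.5", "192.168.1.7", 1, "out"),            # ping LAN -> LAN
    ("lan_icmp_in", "192.168.1.7", "192.168.32.5", 1, "in"),              # reply after ESP decap
    ("gif_outer_public_out", "203.0.113.10", "198.51.100.20", 4, "out"),  # gif-encapsulated
    ("ipencap_private_outer_out", "192.168.32.1", "192.168.1.1", 4, "out"),
]


def classify_sample_packets(policies=None) -> dict:
    """Map each sample packet label to True if some policy selects it."""
    policies = parse_spd(SPD_TEXT) if policies is None else policies
    return {label: matching_policy(policies, s, d, proto, direction) is not None
            for label, s, d, proto, direction in SAMPLE_PACKETS}


if __name__ == "__main__":
    pols = parse_spd(SPD_TEXT)
    for p in pols:
        print(f"{p.direction:3} {p.src} -> {p.dst} proto={p.proto or 'any'} "
              f"tunnel {p.tunnel_src}-{p.tunnel_dst}")
    for label, covered in classify_sample_packets(pols).items():
        print(f"{label:28} {'selected' if covered else 'no IPsec policy applies'}")
```

Running it shows that neither an ICMP ping between the LANs nor an ipencap packet carrying the public endpoints as outer addresses matches either policy; only an ipencap packet whose outer header holds the private gateway addresses does. Whether that accounts for the 100% loss also depends on what selectors the Draytek installs on its side, but comparing this against `setkey -DP` on the FreeBSD end is the first check to make.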

