IPsec troubles

From: Julian Stecklina (der_julian_at_web.de)
Date: 11/30/04


Date: Tue, 30 Nov 2004 00:32:26 +0100

Hello,

I am trying to set up a secure WLAN with IPsec, but no traffic seems to get
through, as key exchange fails. I hope someone can spot my mistake.

My network is laid out as follows:

The router boelthorn running FreeBSD 5.3 has three network cards:
fxp0 is connected to the internet.
fxp1 is connected to my LAN and has the IP 192.168.0.1.
ath0 is my WiFi card on 10.0.0.1.

The laptop cornerstone running Gentoo with 2.6.9 linux kernel has
the interface wlan0 with 10.0.0.2.

As WEP is totally insecure and there are quite a lot of students with the
knowledge and time to break it, I want to secure my WLAN via IPsec. I
tried to understand what the handbook had to say about VPNs and
IPsec. So I installed racoon on both my laptop and the router.

boelthorn has in its psk.txt: 10.0.0.2 <password>
cornerstone has in its psk.txt: 10.0.0.1 <password>

racoon.conf on boelthorn and cornerstone are the default ones.

boelthorn's /etc/ipsec.conf:

spdadd 10.0.0.1/32 10.0.0.0/24 any -P out ipsec
 esp/transport//require;

spdadd 10.0.0.0/24 10.0.0.1/32 any -P in ipsec
 esp/transport//require;

cornerstone's /etc/ipsec.conf:

spdadd 10.0.0.0/24 10.0.0.0/24 any
    -P out ipsec esp/transport//require;

spdadd 10.0.0.0/24 10.0.0.0/24 any
    -P in ipsec esp/transport//require;

Soooo.....

If I try to ping boelthorn from cornerstone I see that racoon on
cornerstone sends a packet on port 500 to boelthorn to initiate the
key exchange, but it receives no answer.
Same the other way round: If I try to ping cornerstone from boelthorn,
boelthorn's racoon sends an isakmp packet and receives no answer.

What am I doing wrong? Ok, I guess my ipsec.confs are a bit confused,
but at least key exchange should be working, shouldn't it?

I am grateful for any help...

Regards,

-- 
                    ____________________________
 Julian Stecklina  /  _________________________/
  ________________/  /
  \_________________/  LISP - truly beautiful
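
Added example, not part of the original post: a small Python check that parses the two ipsec.conf snippets quoted in the message and reports, for a given packet, which policy the sender applies outbound and which the receiver expects inbound. The function names and the first-match lookup are assumptions of this sketch; ports and any per-socket policy exemption for the IKE daemon are not modelled.

```python
import ipaddress
import re

# Policies copied from the post; function names are this example's own.
CONFIGS = {
    "boelthorn": """
spdadd 10.0.0.1/32 10.0.0.0/24 any -P out ipsec
 esp/transport//require;
spdadd 10.0.0.0/24 10.0.0.1/32 any -P in ipsec
 esp/transport//require;
""",
    "cornerstone": """
spdadd 10.0.0.0/24 10.0.0.0/24 any
    -P out ipsec esp/transport//require;
spdadd 10.0.0.0/24 10.0.0.0/24 any
    -P in ipsec esp/transport//require;
""",
}

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)\s*([^;]*);")

def parse_spd(text):
    """Return a list of policy dicts from setkey-style spdadd statements."""
    policies = []
    for src, dst, proto, direction, action, rule in SPD_RE.findall(text):
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dir": direction, "action": action,
            "rule": rule.strip(),
        })
    return policies

def lookup(policies, direction, src, dst, proto):
    """First matching policy (a simplification of SPD lookup), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and s in p["src"] and d in p["dst"]
                and p["proto"] in ("any", proto)):
            return p
    return None

def check_flow(sender, receiver, src, dst, proto):
    """Compare the sender's 'out' policy with the receiver's 'in' policy."""
    out_p = lookup(parse_spd(CONFIGS[sender]), "out", src, dst, proto)
    in_p = lookup(parse_spd(CONFIGS[receiver]), "in", src, dst, proto)
    out_rule = out_p["rule"] if out_p else None
    in_rule = in_p["rule"] if in_p else None
    return out_rule, in_rule, out_rule == in_rule
```

Calling `check_flow("cornerstone", "boelthorn", "10.0.0.2", "10.0.0.1", "udp")` shows that the `any` selector also matches UDP between the two hosts, which is the protocol racoon uses for its port 500 exchange.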