<r...@dzie-ciuch.pl> wrote: > > Hi, > > I try to set VPN like I wrote earlier. > 78.x is server and this is not NAT. He dont forward anything. > > >> I try to configure VPN over my server and my client > >> > >> Sheme is like this > >> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90 > > > > Are you trying to set up IPSEC tunneling of networks behind these > > gateways, or are you only trying to secure traffic between the peers > > themselves? > > I try to set tunnel behing my server 78.x and gateway 95.x translating > packets to 10.x. I can only set 78.x side. > > > > > The fact that you don't receive any reply to your IKE packets would > > indicate something basic, like something is blocking traffic. > > But how to check it? Telnet to port 500 wont work. But when I set SSH > to listen on port 500 I can login, port is not blocked
Telnet host 500 uses proto tcp, isakmp - udp. > >> # setkey -DP > >> 10.10.1.90[any] 78.x.x.x[any] any > >> in ipsec > >> esp/tunnel/95.x.x.x-78.x.x.x/require > >> created: Jun 22 15:39:25 2010 lastused: Jun 22 15:39:25 > >> 2010 lifetime: 0(s) validtime: 0(s) > >> spid=16461 seq=1 pid=83142 > >> refcnt=1 > >> 78.x.x.x[any] 10.10.1.90[any] any > >> out ipsec > >> esp/tunnel/78.x.x.x-95.x.x.x/require > >> created: Jun 22 15:39:25 2010 lastused: Jun 22 15:40:50 > >> 2010 lifetime: 0(s) validtime: 0(s) > >> spid=16460 seq=0 pid=83142 > >> refcnt=1 > > > > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not > > actually encapsulating traffic originating from somewhere else, you > > might do better to just use "transport" mode to encrypt without > > encapsulation. > > Hmmm, I don't understand it? I set policy only for there IP's and > connection for it is ESP encrypced > > > > >> And tcpdump > >> #tcpdump -i bce1 host 95.x.x.x > >> > >> > >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: > >> phase 1 I ident > >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: > >> phase 1 I ident > >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: > >> phase 1 I ident > > > > My first thought was that your IPSEC policy attempts to encrypt all > > traffic between you and your peers, but the IKE traffic is also > > traffic between you and your peers, so doesn't it lead to a policy > > loop of some sort? Will the IPSEC layer attempt to capture and > > encrypt the IKE packets? > > Can you explain how can I check it? I new on it and I don't understand > some things. I've got such tunnels up and working - tunnel mode, encryption between peers, without using any internal networks - strange, but working :) - policy looks like that: spdadd 195.x.x.x 213.x.x.x any -P out ipsec esp/tunnel/195.x.x.x-213.x.x.x/require; spdadd 213.x.x.x 195.x.x.x any -P in ipsec esp/tunnel/213.x.x.x-195.x.x.x/require; -- regards, Maciej Suszko.
signature.asc
Description: PGP signature
