Thanks guys, it's working. I couldn't ping 10.10.1.90 (external network), but they could ping me. I've got another question: how do I set up another tunnel to my host, like:

10.20.0.1 (my gif0) --> 78.x.x.x (my bce1) <---> 78.y.y.y <--> 10.20.1.1

I copied the 2 lines (changing the IPs), so now I've got 4 lines, and I copied the remote and sainfo blocks in racoon.conf. I restarted racoon and now I can only connect to 95.x.x.x (like last time), but I couldn't connect to 78.y.y.y.

Is it possible not to create interface gif1, or should I do it? Do I have to change something in the routing table?

Regards
Ralf

On Tue, 22 Jun 2010 20:26:36 +0200, Maciej Suszko <mac...@suszko.eu> wrote:

> <r...@dzie-ciuch.pl> wrote:
>>
>> Hi,
>>
>> I'm trying to set up the VPN like I wrote earlier.
>> 78.x is the server and this is not NAT. It doesn't forward anything.
>>
>> I'm trying to configure a VPN between my server and my client.
>>
>> The scheme is like this:
>>
>> 78.x.x.x <--> 95.x.x.x <--> 10.10.1.90
>>
>> > Are you trying to set up IPSEC tunneling of networks behind these
>> > gateways, or are you only trying to secure traffic between the peers
>> > themselves?
>>
>> I'm trying to set up a tunnel behind my server 78.x and the gateway 95.x
>> translating packets to 10.x. I can only set up the 78.x side.
>>
>> > The fact that you don't receive any reply to your IKE packets would
>> > indicate something basic, like something is blocking traffic.
>>
>> But how do I check it? Telnet to port 500 won't work. But when I set SSH
>> to listen on port 500 I can log in, so the port is not blocked.
>
> Telnet to host port 500 uses TCP; isakmp is UDP.
>
>> >> # setkey -DP
>> >> 10.10.1.90[any] 78.x.x.x[any] any
>> >>         in ipsec
>> >>         esp/tunnel/95.x.x.x-78.x.x.x/require
>> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
>> >>         lifetime: 0(s)  validtime: 0(s)
>> >>         spid=16461 seq=1 pid=83142
>> >>         refcnt=1
>> >> 78.x.x.x[any] 10.10.1.90[any] any
>> >>         out ipsec
>> >>         esp/tunnel/78.x.x.x-95.x.x.x/require
>> >>         created: Jun 22 15:39:25 2010  lastused: Jun 22 15:40:50 2010
>> >>         lifetime: 0(s)  validtime: 0(s)
>> >>         spid=16460 seq=0 pid=83142
>> >>         refcnt=1
>> >
>> > Your IPSEC policy specifies "esp/tunnel" mode, but if you are not
>> > actually encapsulating traffic originating from somewhere else, you
>> > might do better to just use "transport" mode to encrypt without
>> > encapsulation.
>>
>> Hmmm, I don't understand it. I set the policy only for those IPs, and
>> the connection for them is ESP encrypted.
>>
>> >> And tcpdump:
>> >> # tcpdump -i bce1 host 95.x.x.x
>> >>
>> >> 15:53:47.355130 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:54:07.003371 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >> 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I ident
>> >
>> > My first thought was that your IPSEC policy attempts to encrypt all
>> > traffic between you and your peers, but the IKE traffic is also
>> > traffic between you and your peers, so doesn't it lead to a policy
>> > loop of some sort? Will the IPSEC layer attempt to capture and
>> > encrypt the IKE packets?
>>
>> Can you explain how I can check it? I'm new to this and I don't understand
>> some things.
>
> I've got such tunnels up and working - tunnel mode, encryption between
> peers, without using any internal networks - strange, but working :) -
> the policy looks like this:
>
> spdadd 195.x.x.x 213.x.x.x any -P out ipsec
>     esp/tunnel/195.x.x.x-213.x.x.x/require;
> spdadd 213.x.x.x 195.x.x.x any -P in ipsec
>     esp/tunnel/213.x.x.x-195.x.x.x/require;
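As an added example (not code from the thread or from any of the posters), here is a small checker for the "copied the two lines and changed the IPs" step Ralf describes. It parses the `setkey -DP` layout quoted above (a `src[port] dst[port] proto` selector line, an `in ipsec` / `out ipsec` line, then an `esp/tunnel/<outer-src>-<outer-dst>/<level>` request line; bookkeeping lines are ignored and transport-mode entries are skipped) and reports every out-policy whose in-twin is missing or whose outer tunnel endpoints are not the reverse of the out-policy's. It also prints the two spdadd lines for a new peer pair in the form Maciej posted. The sample dump is constructed; RFC 5737 documentation addresses stand in for the masked hosts (198.51.100.10 for 78.x, 203.0.113.5 for 95.x, 192.0.2.20 for 78.y), and the file name `spdcheck.py` is an assumption.

```python
"""Pair-check a FreeBSD `setkey -DP` dump and emit spdadd lines for a new
tunnel. Added example, not from the thread; tunnel-mode entries only."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
TUNNEL_RE = re.compile(r"^(\w+)/tunnel/(\S+)-(\S+)/(\w+)$")


@dataclass(frozen=True)
class Policy:
    src: str        # inner selector source
    dst: str        # inner selector destination
    direction: str  # "in" or "out"
    proto: str      # "esp" or "ah"
    tun_src: str    # outer tunnel source
    tun_dst: str    # outer tunnel destination
    level: str      # "require", "use", ...


def parse_spd_dump(text: str) -> list[Policy]:
    """Extract tunnel-mode policies; transport/discard/none entries are skipped."""
    policies = []
    selector = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        sel = SELECTOR_RE.match(line)
        if sel:
            selector, direction = (sel.group(1), sel.group(3)), None
            continue
        if selector is None:
            continue  # bookkeeping lines after a policy already recorded
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("in", "out") and parts[1] == "ipsec":
            direction = parts[0]
            continue
        tun = TUNNEL_RE.match(line)
        if tun and direction:
            policies.append(Policy(selector[0], selector[1], direction,
                                   tun.group(1), tun.group(2), tun.group(3),
                                   tun.group(4)))
            selector = direction = None
    return policies


def check_mirrored(policies: list[Policy]) -> list[str]:
    """A correct pair reverses the inner selector (src<->dst) and the outer
    endpoints (tun_src<->tun_dst); a half-edited copy gets the latter wrong."""
    ins = {(p.src, p.dst): p for p in policies if p.direction == "in"}
    outs = {(p.src, p.dst): p for p in policies if p.direction == "out"}
    problems = []
    for (src, dst), out in outs.items():
        twin = ins.get((dst, src))
        if twin is None:
            problems.append(f"out {src}->{dst}: no matching 'in' policy")
        elif (twin.tun_src, twin.tun_dst) != (out.tun_dst, out.tun_src):
            problems.append(f"out {src}->{dst}: tunnel {out.tun_src}-{out.tun_dst}"
                            f" but 'in' twin uses {twin.tun_src}-{twin.tun_dst}")
    for src, dst in ins:
        if (dst, src) not in outs:
            problems.append(f"in {src}->{dst}: no matching 'out' policy")
    return problems


def spdadd_pair(local, remote, tun_local, tun_remote, proto="esp", level="require"):
    """The out/in spdadd lines for one tunnel, in the shape posted upthread."""
    return [f"spdadd {local} {remote} any -P out ipsec "
            f"{proto}/tunnel/{tun_local}-{tun_remote}/{level};",
            f"spdadd {remote} {local} any -P in ipsec "
            f"{proto}/tunnel/{tun_remote}-{tun_local}/{level};"]


# Constructed dump; 198.51.100.10 = 78.x, 203.0.113.5 = 95.x, 192.0.2.20 = 78.y.
# The second tunnel's 'in' entry still carries the first tunnel's outer
# endpoints, the kind of copy-and-edit slip the checker is meant to catch.
SAMPLE_DUMP = """\
10.10.1.90[any] 198.51.100.10[any] any
        in ipsec
        esp/tunnel/203.0.113.5-198.51.100.10/require
        created: Jun 22 15:39:25 2010  lastused: Jun 22 15:39:25 2010
        spid=16461 seq=1 pid=83142
        refcnt=1
198.51.100.10[any] 10.10.1.90[any] any
        out ipsec
        esp/tunnel/198.51.100.10-203.0.113.5/require
10.20.1.1[any] 10.20.0.1[any] any
        in ipsec
        esp/tunnel/203.0.113.5-198.51.100.10/require
10.20.0.1[any] 10.20.1.1[any] any
        out ipsec
        esp/tunnel/198.51.100.10-192.0.2.20/require
"""

if __name__ == "__main__":
    # live check: setkey -DP | python3 spdcheck.py   (file name assumed)
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for problem in check_mirrored(parse_spd_dump(text)):
        print("PROBLEM:", problem)
    print("\n".join(spdadd_pair("10.20.0.1", "10.20.1.1",
                                "198.51.100.10", "192.0.2.20")))
```

Run without input it reports the mis-copied second tunnel and prints the corrected spdadd pair; piped a real `setkey -DP` it checks the live SPD. It says nothing about the IKE-capture question raised upthread: racoon installs an IPsec bypass policy on its own ISAKMP sockets, which is why a peer-to-peer `any` policy like Maciej's does not swallow the IKE exchange, and it cannot tell you whether UDP 500 is reachable, for which a tcpdump on the far side while you initiate is the honest test.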