Hi,

I have a problem with direct connection of two servers using IPsec. The
IKE key exchange always comes up, but then it seems that both the routing
and the encryption go entirely wrong.

The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as
ID tokens for phase 2. However, if I try to ping 10.16.1.1 from
10.1.1.1, the packets go out the external interface - unencrypted.

If, however, I replace the ID tokens with the corresponding IP subnets
(10.16.0.0/16 and 10.1.0.0/16), I get an even more weird effect:

* 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
* 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
* 10.16.1.1 cannot reach 10.1.0.0/16; however, people in 10.1.0.0/16 can
  connect to 10.16.1.1 just fine
* 10.1.1.1 cannot reach 10.16.0.0/16; however, people in 10.16.0.0/16
  can connect to 10.1.1.1 just fine

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_address_of_wg
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_address_of_sygroup= ISAKMP-peer-sygroup

[Phase 2]
Connections= IPsec-wg-sygroup

[ISAKMP-peer-sygroup]
Phase=          1
Transport=      udp
Local-address=  external_ip_address_of_wg
Address=        external_ip_address_of_sygroup

[IPsec-wg-sygroup]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-sygroup
Configuration=  Default-quick-mode
Local-ID=       Net-wg
Remote-ID=      Net-sygroup

[Net-wg]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.16.0.0
Netmask=        255.255.0.0

[Net-sygroup]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.1.0.0
Netmask=        255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-TWOFISH-SHA-PFS-SUITE


[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_of_sygroup
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_of_wg= ISAKMP-peer-wg

[Phase 2]
Connections= IPsec-sygroup-wg

[ISAKMP-peer-wg]
Phase=          1
Transport=      udp
Local-address=  external_ip_of_sygroup
Address=        external_ip_of_wg

[IPsec-sygroup-wg]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-wg
Configuration=  Default-quick-mode
Local-ID=       Net-sygroup
Remote-ID=      Net-wg

[Net-wg]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.16.0.0
Netmask=        255.255.0.0

[Net-sygroup]
ID-type=        IPV4_ADDR_SUBNET
Network=        10.1.0.0
Netmask=        255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-BLF-SHA-PFS-SUITE

(This is the config where the clients can actually connect to each
other. If I replace the Network= with Address= and set ID-type to
IPV4_ADDR, the two routers still can't connect to each other, but
neither can the clients.)

The point of the whole "exercise" is that I have a lot of IPsec nodes
and should propagate their routes using some routing protocol. Any ideas
on how to make the two routers talk to each other?

                        Tonnerre


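As an added example (not code from the post above and not part of isakmpd), the following Python models the per-packet flow (SPD) lookup that decides whether a packet is covered by an ESP flow or leaves in cleartext, for the two ID choices the post describes: IPV4_ADDR_SUBNET IDs (10.16.0.0/16 <-> 10.1.0.0/16) and IPV4_ADDR IDs (10.16.1.1 <-> 10.1.1.1). The external gateway addresses are constructed placeholders for the redacted "external_ip_address_of_wg" / "external_ip_of_sygroup", and the post does not say which source address the gateway-originated pings used, so the model runs each gateway-sourced case twice, once sourced from the internal address and once from the external one; that choice is an assumption, not something the post states.

```python
"""Toy IPsec flow (SPD) lookup for the two ID choices in the post.

Added example: not code from the original post and not part of isakmpd.
It models only the selector match (source in src_net AND destination in
dst_net); key exchange, SA state and routing are out of scope.
"""
from ipaddress import ip_address, ip_network

# Flows implied by IPV4_ADDR_SUBNET IDs, as in the posted configs (both directions).
SUBNET_FLOWS = [
    ("10.16.0.0/16", "10.1.0.0/16"),
    ("10.1.0.0/16", "10.16.0.0/16"),
]

# Flows implied by IPV4_ADDR IDs carrying the gateways' internal addresses.
HOST_FLOWS = [
    ("10.16.1.1/32", "10.1.1.1/32"),
    ("10.1.1.1/32", "10.16.1.1/32"),
]

# Constructed placeholders for "external_ip_address_of_wg" / "external_ip_of_sygroup";
# the post redacts the real ones (assumption, documentation prefixes only).
WG_EXTERNAL = "192.0.2.1"
SYGROUP_EXTERNAL = "198.51.100.1"


def flow_for(src, dst, flows):
    """Return the first (src_net, dst_net) flow whose selectors cover the packet,
    or None when no flow matches (the packet is then forwarded in cleartext)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in flows:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return (src_net, dst_net)
    return None


def classify(flows):
    """Run the traffic patterns from the post through one flow set.

    Returns {case_name: "esp" | "cleartext"}.  Gateway-sourced cases appear
    twice, once sourced from the internal address (10.16.1.1) and once from
    the external address, because the source address the kernel picks for a
    locally generated ping is exactly what the selectors are sensitive to
    (assumption: the post does not say which source address was used).
    """
    cases = {
        "client wg -> client sygroup": ("10.16.5.5", "10.1.7.7"),
        "client sygroup -> client wg": ("10.1.7.7", "10.16.5.5"),
        "wg gw (internal src) -> client sygroup": ("10.16.1.1", "10.1.7.7"),
        "wg gw (external src) -> client sygroup": (WG_EXTERNAL, "10.1.7.7"),
        "client sygroup -> wg gw internal": ("10.1.7.7", "10.16.1.1"),
        "wg gw (internal src) -> sygroup gw internal": ("10.16.1.1", "10.1.1.1"),
        "wg gw (external src) -> sygroup gw internal": (WG_EXTERNAL, "10.1.1.1"),
    }
    return {
        name: ("esp" if flow_for(src, dst, flows) else "cleartext")
        for name, (src, dst) in cases.items()
    }


if __name__ == "__main__":
    for label, flows in (("IPV4_ADDR_SUBNET IDs", SUBNET_FLOWS),
                         ("IPV4_ADDR IDs", HOST_FLOWS)):
        print(f"== {label} ==")
        for name, verdict in classify(flows).items():
            print(f"{verdict:10s} {name}")
```

What the model makes visible: with subnet IDs, traffic towards a gateway's internal address always matches (which is why clients reach 10.16.1.1 and 10.1.1.1), while a gateway-originated packet only matches if it is sourced from an address inside the negotiated subnet; sourced from the external address it falls outside every selector and goes out in cleartext, which is the one way this model reproduces the asymmetry listed in the post. With IPV4_ADDR host IDs the flows cover nothing but the two internal gateway addresses, so no client-to-client packet matches at all. Whether the real gateways picked the external address as source is the assumption to verify on the box (for instance by forcing the source address of the test ping to the internal one) before changing the configuration.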