On Thu, Nov 6, 2008 at 9:39 AM, Louis Opter <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I am trying to set up an ipsec vpn between two networks. But, I can't
> figure out why it doesn't work.
>
> I get some errors like (here on the "malenfant gate", see network map
> below) :
> Plcy 30 keynote_cert_obtain: failed to open
> "/etc/isakmpd/keynote//192.168.1.159/credentials"
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from $dugny_addr port 4500 due to notification
> type INVALID_ID_INFORMATION
These messages typically mean that the identifiers used by the peers
do not match. Try adding "srcid foo" and "dstid bar" on your ike esp
tunnel lines:
- on nemoto :
st_cyr_net="192.168.2.0/24"
dugny_net="192.168.3.0/24"
st_cyr_addr="xx.xx.xx.xx"
ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid nemoto dstid malenfant
- on malenfant :
st_cyr_net="192.168.2.0/24"
dugny_net="192.168.3.0/24"
dugny_addr="yy.yy.yy.yy"
ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid malenfant dstid nemoto
Also, if your machine is multi-homed, you will probably want to
specify "local" to remove any ambiguity with respect to the source IP
address that will be used in the outer (encapsulating) IP datagram.
> I don't understand why I have messages about keynote, because isakmpd is
> launched with the -K flag (and why 192.168.1.159 instead of
> $dugny_addr ?).
>
> And, I don't understand why it doesn't find the public key. I have
> correctly copied for each gate /etc/isakmpd/local.pub to the other gate
> at /etc/isakmpd/pubkeys/ipv4/gate_ip
>
>
> Here is my network map :
>
> { st_cyr_net : 192.168.2.0/24 }
> |
> xl1 : 192.168.2.1
> [gate "malenfant"] OpenBSD 4.4-current (as of 10/18) on the
> "livebox"'s DMZ
> xl0 : 192.168.1.183
> |
> 192.168.1.1
> [adsl router/modem "livebox"]
> $st_cyr_addr
> "
> "
> @@@@@@@
> @@@@@@@@@@@ Internet
> @@@@@@@
> "
> "
> $dugny_addr
> [adsl router/modem "livebox"]
> 192.168.1.1
> |
> xl0 : 192.168.1.159
> [gate "nemoto"] OpenBSD 4.4-release on the "livebox"'s DMZ
> xl1 : 192.168.3.1
> |
> { dugny_net : 192.168.3.0/24 }
>
> By DMZ I mean that all tcp and udp ports are redirected to the gate.
>
> I don't see why the liveboxes could be the problem; they redirect all the
> traffic. How can NAT on the liveboxes cause trouble?
>
> Is it because the two gates run different versions of OpenBSD?
> I don't think so, however malenfant will be upgraded to 4.4-release
> tomorrow evening.
>
> My ipsec.confs :
> - on nemoto :
> st_cyr_net="192.168.2.0/24"
> dugny_net="192.168.3.0/24"
> st_cyr_addr="xx.xx.xx.xx"
> ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr
> - on malenfant :
> st_cyr_net="192.168.2.0/24"
> dugny_net="192.168.3.0/24"
> dugny_addr="yy.yy.yy.yy"
> ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr
>
> pf is correctly (I hope) configured on both gates with (here is a
> snippet from malenfant's pf.conf) :
> set skip on { lo enc0 }
> block in
> pass out
> pass in on $ext_if proto { tcp udp } \
> from $dugny_addr to ($ext_if) port ipsec-nat-t
> pass in on $ext_if proto udp to ($ext_if) port isakmp
>
> My two enc0 interfaces are up.
>
> If you find my mistake(s), have ideas, or need more information please
> tell me. Full configuration files and the isakmpd log are available at:
> http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz
>
> Best Regards, Louis Opter.
>
>
--
http://www.felipe-alfaro.org/blog/disclaimer/
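As an added example (not code from either poster), a small POSIX sh check that follows the srcid/dstid advice above: given two already-expanded ike lines, it verifies that the ids are mirrored between the peers and derives the /etc/isakmpd/pubkeys/{ipv4,fqdn,ufqdn}/ path where isakmpd looks up the peer's key from its ID, which is the layout documented in isakmpd(8); the addresses and hostnames below are constructed.

```shell
#!/bin/sh
# Constructed example: check that srcid/dstid are mirrored between two
# ipsec.conf(5) peers and derive where isakmpd(8) will look for the peer's
# public key. The pubkeys/ipv4, pubkeys/fqdn and pubkeys/ufqdn layout is
# the one documented in isakmpd(8); everything else here is constructed.

# Map an ID to its pubkeys path: dotted quad -> ipv4/, has '@' -> ufqdn/,
# anything else -> fqdn/.
pubkey_path_for_id() {
    case "$1" in
        *@*)        echo "/etc/isakmpd/pubkeys/ufqdn/$1" ;;
        *[!0-9.]*)  echo "/etc/isakmpd/pubkeys/fqdn/$1" ;;
        *)          echo "/etc/isakmpd/pubkeys/ipv4/$1" ;;
    esac
}

# Print the argument that follows a keyword (peer, srcid, dstid) in an
# "ike" line; prints nothing when the keyword is absent or misspelled.
ike_field() {  # $1 = keyword, $2 = ike line
    printf '%s\n' "$2" |
        awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# Path isakmpd will open for the peer's key: dstid when configured,
# otherwise the configured peer address (the default ipv4 ID).
peer_pubkey_path() {  # $1 = ike line
    id=$(ike_field dstid "$1")
    [ -n "$id" ] || id=$(ike_field peer "$1")
    pubkey_path_for_id "$id"
}

# Succeed only when A's srcid is B's dstid and A's dstid is B's srcid.
ids_mirrored() {  # $1 = ike line on A, $2 = ike line on B
    [ "$(ike_field srcid "$1")" = "$(ike_field dstid "$2")" ] &&
    [ "$(ike_field dstid "$1")" = "$(ike_field srcid "$2")" ]
}

# Constructed lines with macros already expanded as ipsec.conf(5) would.
NEMOTO="ike esp tunnel from 192.168.3.0/24 to 192.168.2.0/24 peer 203.0.113.10 srcid nemoto dstid malenfant"
MALENFANT="ike esp tunnel from 192.168.2.0/24 to 192.168.3.0/24 peer 198.51.100.20 srcid malenfant dstid nemoto"
# Same line with the keyword misspelled, so dstid is silently not found.
TYPO="ike esp tunnel from 192.168.2.0/24 to 192.168.3.0/24 peer 198.51.100.20 srcid malenfant dsitd nemoto"

for l in "$NEMOTO" "$MALENFANT" "$TYPO"; do
    echo "peer key expected at: $(peer_pubkey_path "$l")"
done
ids_mirrored "$NEMOTO" "$MALENFANT" && echo "nemoto/malenfant ids mirrored"
ids_mirrored "$NEMOTO" "$TYPO" || echo "nemoto/typo ids NOT mirrored"
```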