On Tue, Dec 1, 2009 at 10:28 AM, Aaron Mason <simplersolut...@gmail.com>
wrote:
> Hi all,
>
> I've been looking to mess around with IPSec for quite some time now,
> and sadly all I've had is perpetual failure.
>
> I found this guide - http://www.securityfocus.com/infocus/1859 - and
> followed it apart from the NAT bits.  When the two endpoints try to
> talk, they fall over in a heap.
>
> The systems in use are both VMware VMs with three host-only networks -
> one each for the "local" network and one for both to use as an
> "external" network.
>
> What I hope to achieve is this:
>
>    Host-only
> (192.168.120.0/24)
>       /|\
>        |
>       \|/
>  obsd-ipsec-left
> (192.168.120.130/
>  10.255.255.5)
>       /|\
>        |
>       \|/
>  10.255.255.0/30
>       /|\
>        |
>       \|/
>  obsd-ipsec-right
>  (192.168.33.7/
>  10.255.255.6)
>       /|\
>        |
>       \|/
>    Host-only
>  (192.168.33.0/24)
>
> After I ran isakmpd -K -d and used ipsecctl to set the config up, I
> got these messages:
>
> <snip>
>
> The listing of ipsec.conf is as follows:
>
> obsd-ipsec-left:
> ike esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6
> ike esp from 10.255.255.5 to 192.168.33.0/24 peer 10.255.255.6
> ike esp from 10.255.255.5 to 10.255.255.6
>
> obsd-ipsec-right:
> ike esp from 192.168.33.0/24 to 192.168.120.0/24 peer 10.255.255.5
> ike esp from 10.255.255.6 to 192.168.120.0/24 peer 10.255.255.5
> ike esp from 10.255.255.6 to 10.255.255.5
>
> ifconfig on each side:
>
> obsd-ipsec-left# ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
>        priority: 0
>        groups: lo
>        inet 127.0.0.1 netmask 0xff000000
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0c:29:f6:20:76
>        priority: 0
>        media: Ethernet autoselect
>        status: active
>        inet6 fe80::20c:29ff:fef6:2076%vic0 prefixlen 64 scopeid 0x1
>        inet 192.168.120.130 netmask 0xffffff00 broadcast 192.168.120.255
> vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0c:29:f6:20:80
>        priority: 0
>        media: Ethernet autoselect
>        status: active
>        inet 10.255.255.5 netmask 0xfffffffc broadcast 10.255.255.7
>        inet6 fe80::20c:29ff:fef6:2080%vic1 prefixlen 64 scopeid 0x2
> enc0: flags=0<> mtu 1536
>        priority: 0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
>        priority: 0
>        groups: pflog
>
> obsd-ipsec-right# ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
>        priority: 0
>        groups: lo
>        inet 127.0.0.1 netmask 0xff000000
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0c:29:e1:29:22
>        priority: 0
>        media: Ethernet autoselect
>        status: active
>        inet6 fe80::20c:29ff:fee1:2922%vic0 prefixlen 64 scopeid 0x1
>        inet 192.168.33.7 netmask 0xffffff00 broadcast 192.168.33.255
> vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0c:29:e1:29:2c
>        priority: 0
>        media: Ethernet autoselect
>        status: active
>        inet 10.255.255.6 netmask 0xfffffffc broadcast 10.255.255.7
>        inet6 fe80::20c:29ff:fee1:292c%vic1 prefixlen 64 scopeid 0x2
> enc0: flags=0<> mtu 1536
>        priority: 0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
>        priority: 0
>        groups: pflog
>
>
> pf.conf is the standard one on both sides.
>
> Any ideas? Both sides run OpenBSD 4.6 release and this was done on a
> fresh install with only bsd{,.rd}, base and etc.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
>

Ok, I just reread the setup and realised that I set up both sides in
active mode...

I'll reopen this thread when I get my head together -.-

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
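As an added example, not part of the original thread or the securityfocus guide, here are the same six rules with the mode keyword spelled out, so that only one gateway initiates and the other waits for the exchange. With no mode keyword, ipsecctl treats an ike rule as active, which is how both sides ended up initiating against each other. The example assumes the rest of the setup (pre-shared key or certificates, isakmpd running with -K, net.inet.ip.forwarding=1 on both gateways) is done as in the guide; the addresses are the ones from the diagram above.

```conf
# /etc/ipsec.conf on obsd-ipsec-left: the initiating side, mode "active"
ike active esp from 192.168.120.0/24 to 192.168.33.0/24 peer 10.255.255.6
ike active esp from 10.255.255.5 to 192.168.33.0/24 peer 10.255.255.6
ike active esp from 10.255.255.5 to 10.255.255.6

# /etc/ipsec.conf on obsd-ipsec-right: the responding side, mode "passive"
ike passive esp from 192.168.33.0/24 to 192.168.120.0/24 peer 10.255.255.5
ike passive esp from 10.255.255.6 to 192.168.120.0/24 peer 10.255.255.5
ike passive esp from 10.255.255.6 to 10.255.255.5
```

Parse-check each file with `ipsecctl -n -f /etc/ipsec.conf` before loading it with `ipsecctl -f /etc/ipsec.conf`; once the active side has brought the tunnel up, `ipsecctl -s all` on either gateway should list the flows and the ESP SAs.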