Many thanks for the answers. I should certainly thank Daniel with a full heart since he really made my day. Many thanks.
On Tue, Mar 30, 2010 at 6:32 PM, Stuart Henderson <s...@spacehopper.org> wrote:
>> I am able to create SAs using automatic keying with isakmpd and 1 line
>> in ipsec.conf.
>
> If you describe your configuration, the output from the relevant
> commands (e.g. sudo ipsecctl -sa, netstat -n), what if any changes
> you've made to PF rules to accommodate the vpn, how you're testing,
> etc, perhaps someone can help.

I always thought that pf should have nothing to do with IPsec VPN, at least till we get the basic traffic going. And that is what I did. I shall add pf now.

>> But I am unable to connect two private networks. How to achieve that?
>
> the simplest way is basically: setup automatic keying, add an
> ike esp... line to ipsec.conf, turn on IP forwarding, make sure
> the firewall is setup correctly, and that's about it.

Well, I want IPsec to do the tunnel encapsulation and routing for me first. Crypto as well, of course. ;)

I checked with the command given in the enc man page.

# tcpdump -envps 1500 -i enc0 -l

I shall write a webpage about this since others might lose sleep over this. Rather disappointing that such a basic crypto setup is poorly documented. For now, I shall give my two cents' worth of tips for the archives.

(This is without NAT or any firewall in between and no pf on either tunnel endpoint. pfctl -d ;)

host A IP: 192.168.11.3
host A private net: 10.1.1.0/24
host B IP: 192.168.11.4
host B private net: 10.2.2.0/24

In case it is not clear, I am trying to access 10.2.2.0/24 machines from 10.1.1.0/24 machines using host A and host B as tunnel endpoints. IPsec is only between hosts A and B. Hope I don't confuse. Obviously things will work in reverse too.

Here is the sequence of commands I run on host A. Before we start, here is the zeroth step. We need to have the public key of one IP available on the other side.

On host B (192.168.11.4):

# scp /etc/isakmpd/local.pub 192.168.11.3:/etc/isakmpd/pubkeys/ipv4/192.168.11.4

Ditto on host A:

# scp /etc/isakmpd/local.pub 192.168.11.4:/etc/isakmpd/pubkeys/ipv4/192.168.11.3

Now the game starts.

# pfctl -d
# isakmpd -K
# cat /etc/ipsec.conf
localip = "192.168.11.3"
remoteip = "192.168.11.4"
local_net = "10.1.1.0/24"
remote_net = "10.2.2.0/24"
ike esp from $local_net to $remote_net peer $remoteip
ike esp from $localip to $remote_net peer $remoteip
ike esp from $localip to $remoteip

(this is what the file contains)

# ipsecctl -n -f /etc/ipsec.conf

(Things are fine)

Now start things up.

# ipsecctl -f /etc/ipsec.conf

---------------------------------------------------------------------

On to host B now.

# pfctl -d
# isakmpd -K
# cat /etc/ipsec.conf
localip = "192.168.11.4"
remoteip = "192.168.11.3"
local_net = "10.2.2.0/24"
remote_net = "10.1.1.0/24"
ike passive esp from $local_net to $remote_net peer $remoteip
ike passive esp from $localip to $remote_net peer $remoteip
ike passive esp from $localip to $remoteip

# ipsecctl -f /etc/ipsec.conf

-------------------------------------------------------------------------------

Now we are all set. No more configuration necessary.

Now I come to the part that hurt me the most. How to test that we are doing things correctly?

# ipsecctl -F

will flush all SAs.

# ipsecctl -sa

should give an output like this.

FLOWS:
flow esp in from 192.168.11.3 to 192.168.11.4 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 192.168.11.4 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 192.168.11.3 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
SAD:
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x2c37b55e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0x5d7e114e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x70420aad auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xa0b67b12 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0xa84c08c3 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xf517c42c auth hmac-sha2-256 enc aes

Don't worry. I am not revealing any secret information. We are using automatic keying here.

Since I have only two machines I have to simulate private networks. Here is a very useful tip. Interface aliasing saves the day. I run this on host A to simulate the 10.1.1.0/24 network. I only need one IP.

# ifconfig rl0 alias 10.1.1.1 netmask 255.255.255.0

If you type ifconfig, you won't see it. Type ifconfig -a.

Simulate the private IP on the other side (host B).

# ifconfig rl0 alias 10.2.2.1 netmask 255.255.255.0

My network card is Realtek. ;)

Now is the acid test. From host B (192.168.11.4), ping 10.1.1.1 assigned on host A.

$ ping 10.1.1.1

Works? Cool. If you want you can test the other way round too.

It is not quite enough if ping works. ;) We need to know if IPsec is happening. On host A or B, run this.

# tcpdump -envps 1500 -i enc0 -l

Phew. That is it.

-Girish

--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
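Added example, not part of the post above: a small sh script that turns the "should give an output like this" step into a check. It reads an `ipsecctl -sa` listing and verifies that, for a given pair of addresses or networks, an outbound flow of type require and a matching inbound flow exist, and that ESP SAs exist in both directions between the gateways. `SA_OUTPUT` is a constructed copy of the host B listing from the post; the function names (`count_flows`, `count_sas`, `check_flow_pair`, `check_tunnel`) are my own and are not ipsecctl options.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the FLOWS and SAD
# sections of `ipsecctl -sa` against what the net-to-net tunnel should install.
# SA_OUTPUT is a constructed copy of the host B listing from the post;
# on a real gateway use:  SA_OUTPUT=$(ipsecctl -sa)

SA_OUTPUT='FLOWS:
flow esp in from 192.168.11.3 to 192.168.11.4 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 192.168.11.4 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 192.168.11.3 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
SAD:
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x2c37b55e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0x5d7e114e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x70420aad auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xa0b67b12 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0xa84c08c3 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xf517c42c auth hmac-sha2-256 enc aes'

# count_flows DIR SRC DST: number of "flow esp DIR from SRC to DST" lines.
# "|| true" keeps the function's exit status 0 when grep finds nothing,
# so the printed count (0) can be used under set -e.
count_flows() {
    printf '%s\n' "$SA_OUTPUT" | grep -c -F "flow esp $1 from $2 to $3 " || true
}

# count_sas SRC DST: number of ESP SAs carrying traffic from SRC to DST.
count_sas() {
    printf '%s\n' "$SA_OUTPUT" | grep -c -F "esp tunnel from $1 to $2 " || true
}

# check_flow_pair LOCAL REMOTE: succeeds when the outbound flow LOCAL->REMOTE
# is present with "type require" (traffic is never sent in the clear) and an
# inbound flow REMOTE->LOCAL is present as well.
check_flow_pair() {
    printf '%s\n' "$SA_OUTPUT" | grep -F "flow esp out from $1 to $2 " | grep -q " type require" &&
    [ "$(count_flows in "$2" "$1")" -ge 1 ]
}

# check_tunnel LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET: the net-to-net and
# gateway-to-gateway flow pairs plus at least one SA in each direction.
check_tunnel() {
    check_flow_pair "$3" "$4" &&
    check_flow_pair "$1" "$2" &&
    [ "$(count_sas "$1" "$2")" -ge 1 ] &&
    [ "$(count_sas "$2" "$1")" -ge 1 ]
}

# Stand-alone run: the host B view from the post (local gateway 192.168.11.4).
if check_tunnel 192.168.11.4 192.168.11.3 10.2.2.0/24 10.1.1.0/24; then
    echo "net-to-net and gateway-to-gateway flows present, SAs in both directions"
else
    echo "tunnel incomplete: compare ipsecctl -sa against ipsec.conf" >&2
fi
# The third rule in the post's ipsec.conf shows up on host B as the pair
# 10.2.2.0/24 <-> 192.168.11.3; check it separately with check_flow_pair.
if check_flow_pair 10.2.2.0/24 192.168.11.3; then
    echo "gateway-to-net flows present"
fi
```

The point of insisting on "type require" for the outbound flows is that a flow of type use would let the packets leave unencrypted if no SA were available, which is exactly the failure ping alone cannot reveal; the tcpdump on enc0 from the post remains the final confirmation that packets are actually going through the tunnel.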