Hello,
We have a customer who similarly has branches on Vigors, with pfSense used as the VPN concentrator, and with a DrayTek Vigor 2820n it behaved very similarly. The Vigor
would always restart about 5-15 minutes after the VPN was established; without the VPN it ran fine.
By coincidence we had to replace it with an older 2700G with fw 2.7.3.3_1401302,
where it does work. Unfortunately I can't send you the configuration now, not until next week
:(


Regards,

        Jan Koukal


P.S.: I think DrayTek's IPsec is not among the best.....



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Valko
Sent: Tuesday, July 01, 2008 11:17 AM
To: users-l@freebsd.cz
Subject: IPSEC VPN racoon

Hi, I'm working on the following problem. I have an IPSEC VPN server (racoon) which connects
22 branches LAN - LAN (FreeBSD - Vigor 2700); the Vigors run the latest fw 2.7.3 from
T-COM (since with the older ones the problem was that after dialling the VPN the VIGOR did a
hard reset). The problem I have is that sometimes the VPN between the BSD and a Vigor drops, and
some Vigors dial a VPN connection that is fine, data passes through immediately
and it's ok, but some create a VPN connection and yet nothing flows through the
tunnel :( it only looks as if the VPN is established. Then the only thing that helps is restarting
racoon, after which the VPNs that had a so-called incomplete tunnel connect completely without
problems !!! Has anyone dealt with something similar? I didn't notice anything unusual in the racoon
logs and I didn't find anything sensible on Google :( It looks to me like a
problem with the Vigors, but just to be sure I'm asking here whether by chance someone can give me a
nudge and help tune it somehow. It concerns about 3 - 4 Vigors out of 22. PS. Before that,
it worked ok on CISCO..... (I didn't want to change it) even with the old firmware

ipsec.conf

# setkey(8) input: clear the SAD and SPD, then install the two tunnel policies
flush;
spdflush;
spdadd LAN_BSD/24 LAN_VIGOR/24 any -P out ipsec esp/tunnel/WAN_BSD-WAN_VIGOR/require;
spdadd LAN_VIGOR/24 LAN_BSD/24 any -P in ipsec esp/tunnel/WAN_VIGOR-WAN_BSD/require;

racoon.conf

# Phase 1 (ISAKMP SA) settings for the Vigor peer
remote WAN_VIGOR
{
        #exchange_mode main,aggressive,base;
        exchange_mode main;

        my_identifier address WAN_BSD;
        peers_identifier address WAN_VIGOR;
        verify_identifier on;
        nonce_size 16;
        lifetime time 86400 sec ;       # sec,min,hour
        proposal_check obey;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) settings for the LAN-to-LAN subnet pair
sainfo address LAN_BSD/24 any address LAN_VIGOR/24 any {
        pfs_group 1;
        lifetime time 86400 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Stefan Valko
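The symptom described in the message above (a peer that negotiates a tunnel but passes no traffic until racoon is restarted) normally shows up in the kernel as a tunnel policy with no mature SA behind it in one or both directions: phase 1 completed, phase 2 did not, or the SA expired and was not renewed. The following script is an added example, not part of the original thread and not code from racoon or setkey. It parses the text output of FreeBSD's `setkey -DP` (policies) and `setkey -D` (SAs), flags every tunnel policy that has no ESP SA in state `mature`, and lists the remote endpoints affected, so the admin can see which of the 22 Vigors has a half-built tunnel without restarting racoon for all of them. The two embedded sample outputs are constructed (documentation addresses 203.0.113.1, 198.51.100.7 and 198.51.100.9, RFC 1918 subnets, fake SPIs and keys); their field layout follows setkey(8)'s text format. The `live_output()` helper and its assumption that `setkey` is on the PATH are mine.

```python
"""Flag IPsec tunnel policies that have no live ESP SA behind them.

Parses `setkey -DP` (SPD) and `setkey -D` (SAD) text output and reports every
tunnel policy for which no SA in state "mature" exists, i.e. a tunnel that
looks established but cannot carry traffic.
"""
import re
import subprocess

# CONSTRUCTED `setkey -DP` output: two peers (.7 and .9), two policies each.
SAMPLE_SPD = """\
192.168.10.0/24[any] 192.168.20.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.7/require
\tspid=1 seq=1 pid=1234
\trefcnt=1
192.168.20.0/24[any] 192.168.10.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.7-203.0.113.1/require
\tspid=2 seq=0 pid=1234
\trefcnt=1
192.168.10.0/24[any] 192.168.30.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.9/require
\tspid=3 seq=3 pid=1234
\trefcnt=1
192.168.30.0/24[any] 192.168.10.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.9-203.0.113.1/require
\tspid=4 seq=2 pid=1234
\trefcnt=1
"""

# CONSTRUCTED `setkey -D` output: peer .7 has both SAs mature; peer .9 has an
# outbound SA stuck in "larval" and no inbound SA at all (the empty tunnel).
SAMPLE_SAD = """\
203.0.113.1 198.51.100.7
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tA: hmac-sha1 00010203 04050607 08090a0b 0c0d0e0f 10111213
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jul  1 11:00:00 2008\tcurrent: Jul  1 11:05:00 2008
\tdiff: 300(s)\thard: 86400(s)\tsoft: 69120(s)
\tsadb_seq=3 pid=1234 refcnt=1
198.51.100.7 203.0.113.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=2 pid=1234 refcnt=1
203.0.113.1 198.51.100.9
\tesp mode=tunnel spi=2882400001(0xabcdef01) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
\tsadb_seq=1 pid=1234 refcnt=1
"""


def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, state."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # "src dst" header line starts an entry
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst, "proto": None, "mode": None,
                   "spi": None, "state": None}
            sas.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(esp|ah)\s+mode=(\w+)\s+spi=(\d+)", line)
            if m:
                cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
            m = re.search(r"state=(\w+)", line)
            if m:
                cur["state"] = m.group(1)
    return sas


def parse_spd(text):
    """Return one dict per policy: src, dst, dir, action, tunnel=(proto, tsrc, tdst), level."""
    pols, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # "src[port] dst[port] ul_proto" header line
            parts = line.split()
            cur = {"src": re.sub(r"\[.*?\]", "", parts[0]),
                   "dst": re.sub(r"\[.*?\]", "", parts[1]),
                   "dir": None, "action": None, "tunnel": None, "level": None}
            pols.append(cur)
        elif cur is not None:
            m = re.match(r"\s*(in|out|fwd)\s+(ipsec|discard|none)", line)
            if m:
                cur["dir"], cur["action"] = m.groups()
            # IPv4 tunnel endpoints; the "-" separator splits src and dst
            m = re.match(r"\s*(esp|ah)/tunnel/([^-\s/]+)-([^/\s]+)/(\w+)", line)
            if m:
                cur["tunnel"], cur["level"] = (m.group(1), m.group(2), m.group(3)), m.group(4)
    return pols


def check_tunnels(spd_text, sad_text):
    """One finding per tunnel policy that has no mature SA in the SAD."""
    sas = parse_sad(sad_text)
    mature = {(s["proto"], s["src"], s["dst"]) for s in sas if s["state"] == "mature"}
    findings = []
    for pol in parse_spd(spd_text):
        if pol["action"] != "ipsec" or pol["tunnel"] is None:
            continue
        proto, tsrc, tdst = pol["tunnel"]
        if (proto, tsrc, tdst) in mature:
            continue
        states = sorted(s["state"] for s in sas
                        if (s["proto"], s["src"], s["dst"]) == (proto, tsrc, tdst))
        findings.append({"direction": pol["dir"], "policy": f"{pol['src']} -> {pol['dst']}",
                         "tunnel": (tsrc, tdst), "proto": proto, "sa_states": states})
    return findings


def broken_peers(findings):
    """Remote endpoints with at least one half-built tunnel (the far end of each policy)."""
    peers = set()
    for f in findings:
        tsrc, tdst = f["tunnel"]
        peers.add(tdst if f["direction"] == "out" else tsrc)
    return peers


def live_output(flag):
    """Assumption: setkey(8) is on the PATH (FreeBSD/NetBSD); run it and return its text."""
    return subprocess.run(["setkey", flag], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    findings = check_tunnels(SAMPLE_SPD, SAMPLE_SAD)   # live: live_output("-DP"), live_output("-D")
    for f in findings:
        print(f"{f['direction']:3} {f['policy']}: no mature {f['proto']} SA "
              f"{f['tunnel'][0]} -> {f['tunnel'][1]} (states: {f['sa_states'] or 'none'})")
    print("peers with a half-built tunnel:", sorted(broken_peers(findings)))
```

Run from cron and alert on a non-empty finding list and you detect the empty tunnel before the branch users do; it is also a cheaper first check than restarting racoon, which tears down the SAs of all 22 peers at once. Separately, two settings in the posted racoon.conf are weak by current standards: `pfs_group 1` is 768-bit MODP and `3des` is 3DES; AES with DH group 14 or stronger is the usual replacement where the peer's firmware supports it.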

--
FreeBSD mailing list (users-l@freebsd.cz) 
http://www.freebsd.cz/listserv/listinfo/users-l