Re: 26sec kame ipsec tunnel : packets leave unencrypted...

Linux Advanced Routing and Traffic Control

hi sylvain,

to do your vpn, you'll need a little bit more policy (if you want to set
your policy manually). here's an example shell script to set policy:



#!/sbin/setkey -f
flush;
spdflush;

#                        ======ESP======
#                        |              |
#Network Left --- Gateway Left --- Gateway Right --- Network Right


# ----- Gateway Left

#spdadd            left_net/nn right_net/nn any -P out ipsec
#      esp/tunnel/left_gateway_ip-right_gateway_ip/require;

#spdadd           right_net/nn left_net/nn any -P in ipsec
#      esp/tunnel/right_gateway_ip-left_gateway_ip/require;

#spdadd           right_net/nn left_net/nn any -P fwd ipsec
#      esp/tunnel/right_gateway_ip-left_gateway_ip/require;

# ----- Gateway Right

#spdadd           right_net/nn left_net/nn any -P out ipsec
#      esp/tunnel/right_gateway_ip-left_gateway_ip/require;

#spdadd            left_net/nn right_net/nn any -P in ipsec
#      esp/tunnel/left_gateway_ip-right_gateway_ip/require;

#spdadd            left_net/nn right_net/nn any -P fwd ipsec
#      esp/tunnel/left_gateway_ip-right_gateway_ip/require;


# left side is then:

spdadd           192.168.1.0/24 192.168.0.0/24 any -P out ipsec
      esp/tunnel/62.212.109.16-82.234.240.117/require;

spdadd           192.168.0.0/24 192.168.1.0/24 any -P in ipsec
      esp/tunnel/82.234.240.117-62.212.109.16/require;

spdadd           192.168.0.0/24 192.168.1.0/24 any -P fwd ipsec
      esp/tunnel/82.234.240.117-62.212.109.16/require;

#EOF

check "man racoon.conf" and look at "generate_policy" and "passive"

these options allow you to have one side of your vpn set as passive; it
will then build its policy based on the other side's request.

cheers

charles shick





On Wed, 2005-04-27 at 16:29 +0200, Sylvain BERTRAND wrote:
> Hi everyone,
> 
> First of all, this is my first post in this ML, so I'm not sure that this
> is the right place for my question (please don't shoot me down ;)). For
> the record, I've been reading and using LARTC for almost 3 years now, and
> it's a great help for anyone who wants to learn linux networking.
> 
> My problem:
> 
> I want to setup a tunnel for the following networks (tunnel esp 3des):
> 
> 
> 192.168.1.0/24 -|A|- 62.212.109.16 <--- INTERNET ---> 82.234.240.117 -|B|- 192.168.0.0/24
> 
> 
> On "B", setkey -DP gives the following:
> 
> 192.168.0.0/24[any] 192.168.1.0/24[any] any
>         out ipsec
>         esp/tunnel/82.234.240.117-62.212.109.16/require
>         created: Apr 27 12:18:35 2005  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=313 seq=5 pid=5812
>         refcnt=1
> 
> When I try to ping the A router from the B router (using 192.168.
> addresses of course), packets are sent unencrypted. And I can't figure out
> why.
> 
> Does anyone have an idea?
> 
> I've already set up such tunnels in the past (successfully), but before
> the 26sec was modified, and with ipsec-tools prior to 0.5.
> 
> 
> Thanks for your help.
> 
> 
> Sylvain
> 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 
> 


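The reply above says each gateway needs an out, an in and a fwd policy, with the tunnel endpoints swapped for the inbound directions, and the B-side dump in the question shows only a single out policy. The following is an added example (not code from either post): it generates the three entries for one side from the four addresses, and it parses either a setkey script or `setkey -DP` output and reports which direction is missing or which tunnel points the wrong way. The spdadd and dump syntax is that of ipsec-tools as shown in the thread; the addresses are the thread's, the helper functions and the constructed sample dump are assumptions of this example.

```python
"""Generate and sanity-check KAME/ipsec-tools SPD policies for a net-to-net ESP tunnel.

Added example, not code from the thread. Assumes the spdadd / `setkey -DP` syntax of
ipsec-tools as shown in the posts; the addresses are the thread's, the helpers and the
constructed sample input below are this example's own.
"""
import re
from ipaddress import ip_address, ip_network

DIRECTIONS = ("out", "in", "fwd")


def gateway_policies(local_net, remote_net, local_gw, remote_gw):
    """The three spdadd entries one gateway needs: 'out' for traffic it sends toward
    the peer, 'in' for peer traffic delivered to the gateway itself, 'fwd' for peer
    traffic it forwards into local_net. Tunnel endpoints follow the packet direction."""
    for net in (local_net, remote_net):
        ip_network(net)  # raises ValueError on a malformed prefix
    for gw in (local_gw, remote_gw):
        ip_address(gw)
    entries = [f"spdadd {local_net} {remote_net} any -P out ipsec\n"
               f"      esp/tunnel/{local_gw}-{remote_gw}/require;"]
    for direction in ("in", "fwd"):
        entries.append(f"spdadd {remote_net} {local_net} any -P {direction} ipsec\n"
                       f"      esp/tunnel/{remote_gw}-{local_gw}/require;")
    return entries


def setkey_script(left_net, right_net, left_gw, right_gw, side):
    """Complete `setkey -f` script for the 'left' or 'right' gateway."""
    if side == "left":
        entries = gateway_policies(left_net, right_net, left_gw, right_gw)
    elif side == "right":
        entries = gateway_policies(right_net, left_net, right_gw, left_gw)
    else:
        raise ValueError(f"side must be 'left' or 'right', got {side!r}")
    return "#!/sbin/setkey -f\nflush;\nspdflush;\n\n" + "\n\n".join(entries) + "\n"


# Matches a script line ("spdadd A B any -P out ipsec esp/tunnel/X-Y/require;") and a
# `setkey -DP` entry ("A[any] B[any] any", "out ipsec", "esp/tunnel/X-Y/require").
_POLICY_RE = re.compile(
    r"(?:spdadd\s+)?(?P<src>[\d.]+/\d+)(?:\[any\])?\s+(?P<dst>[\d.]+/\d+)(?:\[any\])?"
    r"\s+any\s+(?:-P\s+)?(?P<dir>out|in|fwd)\s+ipsec\s+"
    r"esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)")


def parse_policies(text):
    """Extract tunnel-mode ESP policies from a setkey script or a `setkey -DP` dump."""
    return [m.groupdict() for m in _POLICY_RE.finditer(text)]


def _norm(net):
    return str(ip_network(net, strict=False))


def check_gateway(policies, local_net, remote_net, local_gw, remote_gw):
    """Return a list of problems; an empty list means every direction is present and
    each tunnel's endpoints point the same way as the packets it protects."""
    expected = {
        "out": (_norm(local_net), _norm(remote_net), local_gw, remote_gw),
        "in": (_norm(remote_net), _norm(local_net), remote_gw, local_gw),
        "fwd": (_norm(remote_net), _norm(local_net), remote_gw, local_gw),
    }
    problems = []
    for direction in DIRECTIONS:
        src, dst, tsrc, tdst = expected[direction]
        hits = [p for p in policies if p["dir"] == direction
                and (_norm(p["src"]), _norm(p["dst"])) == (src, dst)]
        if not hits:
            problems.append(f"no '{direction}' policy for {src} -> {dst}")
            continue
        for p in hits:
            if (p["tsrc"], p["tdst"]) != (tsrc, tdst):
                problems.append(f"'{direction}' policy {src} -> {dst} uses tunnel "
                                f"{p['tsrc']}-{p['tdst']}, expected {tsrc}-{tdst}")
            if p["level"] != "require":
                problems.append(f"'{direction}' policy {src} -> {dst} is level "
                                f"'{p['level']}', not 'require'")
    return problems


# Addresses from the thread; the dump text is constructed from what B reported.
LEFT_NET, RIGHT_NET = "192.168.1.0/24", "192.168.0.0/24"
LEFT_GW, RIGHT_GW = "62.212.109.16", "82.234.240.117"

B_DUMP = """\
192.168.0.0/24[any] 192.168.1.0/24[any] any
        out ipsec
        esp/tunnel/82.234.240.117-62.212.109.16/require
        created: Apr 27 12:18:35 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=313 seq=5 pid=5812
        refcnt=1
"""

if __name__ == "__main__":
    print(setkey_script(LEFT_NET, RIGHT_NET, LEFT_GW, RIGHT_GW, "right"))
    for problem in check_gateway(parse_policies(B_DUMP),
                                 RIGHT_NET, LEFT_NET, RIGHT_GW, LEFT_GW):
        print("B:", problem)
```

Run against the dump from the question, `check_gateway` reports that B has no 'in' and no 'fwd' policy for 192.168.1.0/24 -> 192.168.0.0/24; run against a script generated by `setkey_script` it reports nothing. Feeding it a script in which the 'fwd' line was copy-pasted as a second 'in' line catches exactly that omission, which is the kind of slip that is easy to make when the three entries are typed by hand.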