hi sylvain,

what does "setkey -D" say?

cheers
charles

On Thu, 2005-04-28 at 10:16 +0200, Sylvain BERTRAND wrote:
> On Thu 28 April 2005 9:50, lartc wrote:
> > hi sylvain,
> >
> > to do your vpn, you'll need a little bit more policy (if you want to set
> > your policy manually). here's an example shell script to set policy:
> >
> >
> > #!/sbin/setkey -f
> > flush;
> > spdflush;
> >
> > #                       ======ESP======
> > #                       |             |
> > #Network Left --- Gateway Left --- Gateway Right --- Network Right
> >
> >
> > # ----- Gateway Left
> >
> > #spdadd left_net/nn right_net/nn any -P out ipsec
> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> > #spdadd right_net/nn left_net/nn any -P in ipsec
> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > #spdadd right_net/nn left_net/nn any -P fwd ipsec
> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > # ----- Gateway Right
> >
> > #spdadd right_net/nn left_net/nn any -P out ipsec
> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >
> > #spdadd left_net/nn right_net/nn any -P in ipsec
> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> > #spdadd left_net/nn right_net/nn any -P fwd ipsec
> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >
> >
> > # left side is then:
> >
> > spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
> >        esp/tunnel/62.212.109.16-82.234.240.117/require;
> >
> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
> >        esp/tunnel/82.234.240.117-62.212.109.16/require;
> >
> > # forwarded traffic for the left net (was a doubled "in" line; the
> > # template above calls for out/in/fwd on each gateway)
> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P fwd ipsec
> >        esp/tunnel/82.234.240.117-62.212.109.16/require;
> >
> > #EOF
> >
> > check "man racoon.conf" and look at "generate_policy" and "passive"
> >
> > these options allow you to have one side of your vpn set as passive and
> > will build its policy based on the other side's request.
> >
> > cheers
> >
> > charles shick
>
>
> This is exactly what I did (except for the spdadd fwd which is done
> automatically).
> I did not include the whole script in my original mail, but this really is
> what I did (below is my /etc/ipsec.conf file on 192.168.0.95).
>
> I just don't get why packets leave unencrypted...
>
> Regards,
>
> Sylvain
>
>
> #!/usr/bin/setkey -f
> # ipsec.conf
>
> flush;
> spdflush;
>
> add 62.212.109.16 82.234.240.117 esp 0x201 -m tunnel -E 3des-cbc \
>         0x**** -A hmac-md5 0x****;
>
> add 82.234.240.117 62.212.109.16 esp 0x301 -m tunnel -E 3des-cbc \
>         0x**** -A hmac-md5 0x****;
>
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
>         esp/tunnel/62.212.109.16-82.234.240.117/require;
>
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
>         esp/tunnel/82.234.240.117-62.212.109.16/require;

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
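An added example, not code from either poster: the script below builds the complete manual-keying setkey configuration for one gateway (SAs plus the out/in/fwd policies) from its four addresses, so that the tunnel endpoints in the SPD and the SA endpoints in the SAD are derived from the same variables and cannot drift apart. It also includes a check that every tunnel referenced by an spdadd has an ESP SA in the same file. The network and gateway addresses are the ones from the thread; the function names, the SPI values, the urandom-based key helper and the use of 3des-cbc/hmac-md5 (taken from the posted ipsec.conf) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a complete manual-keying setkey
# script for ONE gateway from four addresses, and check that every tunnel an
# spdadd rule refers to has a matching ESP SA in the same file.
# Assumptions: 3des-cbc/hmac-md5 with manual keys as in the posted
# ipsec.conf; the SPIs 0x201/0x301 and /dev/urandom key material are mine.

# hexkey NBYTES: NBYTES of random key material as 0x-prefixed lowercase hex.
hexkey() {
  printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# gen_manual_sas LOCAL_GW REMOTE_GW SPI_OUT SPI_IN
# One SA per direction. Key lengths follow the algorithms: 3des-cbc takes a
# 24-byte key, hmac-md5 a 16-byte key. The peer must load the very same SAs
# (same SPIs, same keys, reversed roles) or nothing will decrypt.
gen_manual_sas() {
  lgw=$1; rgw=$2; spi_out=$3; spi_in=$4
  printf 'add %s %s esp %s -m tunnel -E 3des-cbc %s -A hmac-md5 %s;\n' \
    "$lgw" "$rgw" "$spi_out" "$(hexkey 24)" "$(hexkey 16)"
  printf 'add %s %s esp %s -m tunnel -E 3des-cbc %s -A hmac-md5 %s;\n' \
    "$rgw" "$lgw" "$spi_in" "$(hexkey 24)" "$(hexkey 16)"
}

# gen_gateway_policy LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# The three SPD entries a gateway needs. "out" covers traffic leaving
# LOCAL_NET; "in" and "fwd" both cover traffic coming back for LOCAL_NET,
# "in" for packets the gateway itself consumes and "fwd" (Linux-specific)
# for packets it forwards on to the LAN. Deriving all three from the same
# variables avoids the slips hand-edited scripts collect (a doubled "in",
# swapped tunnel endpoints).
gen_gateway_policy() {
  lnet=$1; rnet=$2; lgw=$3; rgw=$4
  printf 'spdadd %s %s any -P out ipsec\n\tesp/tunnel/%s-%s/require;\n' \
    "$lnet" "$rnet" "$lgw" "$rgw"
  for dir in in fwd; do
    printf 'spdadd %s %s any -P %s ipsec\n\tesp/tunnel/%s-%s/require;\n' \
      "$rnet" "$lnet" "$dir" "$rgw" "$lgw"
  done
}

# gen_gateway_conf LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW SPI_OUT SPI_IN
# Whole script: flush SAD and SPD, then the SAs, then the policy.
gen_gateway_conf() {
  printf '#!/sbin/setkey -f\nflush;\nspdflush;\n\n'
  gen_manual_sas "$3" "$4" "$5" "$6"
  printf '\n'
  gen_gateway_policy "$1" "$2" "$3" "$4"
}

# check_tunnels FILE
# For every esp/tunnel/SRC-DST named in an spdadd line, require an
# "add SRC DST esp" SA in the same file. Prints the gaps and returns 1 if
# any policy points at a tunnel that has no SA. This is the same comparison
# one does by hand between "setkey -DP" (policy) and "setkey -D" (SAs).
check_tunnels() {
  file=$1; rc=0
  for pair in $(sed -n 's|.*esp/tunnel/\([0-9.]*\)-\([0-9.]*\)/.*|\1,\2|p' "$file" | sort -u); do
    src=${pair%,*}; dst=${pair#*,}
    esrc=$(printf '%s' "$src" | sed 's/\./\\./g')
    edst=$(printf '%s' "$dst" | sed 's/\./\\./g')
    if ! grep -Eq "^add[[:space:]]+$esrc[[:space:]]+$edst[[:space:]]+esp" "$file"; then
      echo "no ESP SA for tunnel $src -> $dst" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage: "sh thisfile --demo > left.conf" prints the left gateway's script
# (addresses from the thread); load it with "setkey -f left.conf".
if [ "${1:-}" = "--demo" ]; then
  gen_gateway_conf 192.168.0.0/24 192.168.1.0/24 \
    82.234.240.117 62.212.109.16 0x301 0x201
fi
```

After loading, `setkey -D` dumps the SAD and `setkey -DP` dumps the SPD; the tunnel endpoints in each spdadd must appear as an SA in the same direction, which is what `check_tunnels` verifies on the file before it is loaded. One caveat worth keeping in mind when reading Sylvain's symptom: on Linux a `require` policy whose SA is missing does not let the packet out in the clear, it drops it (or hands it to racoon to negotiate), so cleartext on the wire means the policy selectors are not matching the packets on that host at all, not that the SA is wrong.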