hi sylvain,

yea -- i'm a little lost here as well. it appears that you have a tunnel and policy, therefore, i too am a bit confused. counters reflect 0 in setkey -D ... traffic is not using the tunnel.

if i were you, i would start with a simple tunnel (psk) and watch what happens on each side with racoon -F -d -- make small changes each time and work back towards your current config.

you could also post to ralf spenneberg's site -- he's quite the whiz: http://www.spenneberg.com

cheers & good luck

charles

On Thu, 2005-04-28 at 15:55 +0200, Sylvain BERTRAND wrote:
> Here's the output:
>
> black:~# setkey -D
> 62.212.109.16 82.234.240.117
> 	esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
> 	E: 3des-cbc ******** ******** ******** ******** ******** ********
> 	A: hmac-md5 ******** ******** ******** ********
> 	seq=0x00000000 replay=0 flags=0x00000000 state=mature
> 	created: Apr 28 14:14:23 2005	current: Apr 28 15:53:54 2005
> 	diff: 5971(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=1 pid=8747 refcnt=0
> 82.234.240.117 62.212.109.16
> 	esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
> 	E: 3des-cbc ******** ******** ******** ******** ******** ********
> 	A: hmac-md5 ******** ******** ******** ********
> 	seq=0x00000000 replay=0 flags=0x00000000 state=mature
> 	created: Apr 28 14:14:23 2005	current: Apr 28 15:53:54 2005
> 	diff: 5971(s)	hard: 0(s)	soft: 0(s)
> 	last:		hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=8747 refcnt=0
> black:~#
>
> Thank you for your help
>
> Sylvain
>
> On Thu 28 April 2005 15:44, lartc wrote:
> > hi sylvain,
> >
> > what does "setkey -D" say?
> >
> > cheers
> >
> > charles
> >
> > On Thu, 2005-04-28 at 10:16 +0200, Sylvain BERTRAND wrote:
> >> On Thu 28 April 2005 9:50, lartc wrote:
> >> > hi sylvain,
> >> >
> >> > to do your vpn, you'll need a little bit more policy (if you want to set
> >> > your policy manually). here's an example shell script to set policy:
> >> >
> >> > #!/sbin/setkey -f
> >> > flush;
> >> > spdflush;
> >> >
> >> > #                       ======ESP======
> >> > #                       |             |
> >> > # Network Left --- Gateway Left --- Gateway Right --- Network Right
> >> >
> >> > # ----- Gateway Left
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P out ipsec
> >> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P in ipsec
> >> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P fwd ipsec
> >> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > # ----- Gateway Right
> >> >
> >> > #spdadd right_net/nn left_net/nn any -P out ipsec
> >> > #       esp/tunnel/right_gateway_ip-left_gateway_ip/require;
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P in ipsec
> >> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> > #spdadd left_net/nn right_net/nn any -P fwd ipsec
> >> > #       esp/tunnel/left_gateway_ip-right_gateway_ip/require;
> >> >
> >> > # left side is then:
> >> >
> >> > spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
> >> >        esp/tunnel/62.212.109.16-82.234.240.117/require;
> >> >
> >> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
> >> >        esp/tunnel/82.234.240.117-62.212.109.16/require;
> >> >
> >> > spdadd 192.168.0.0/24 192.168.1.0/24 any -P fwd ipsec
> >> >        esp/tunnel/82.234.240.117-62.212.109.16/require;
> >> >
> >> > #EOF
> >> >
> >> > check "man racoon.conf" and look at "generate_policy" and "passive"
> >> >
> >> > these options allow you to have one side of your vpn set as passive and
> >> > will build its policy based on the other side's request.
> >> >
> >> > cheers
> >> >
> >> > charles shick
> >> >
> >>
> >> This is exactly what I did (except for the spdadd fw which is done
> >> automatically). I did not include the whole script in my original mail,
> >> but this really is what I did (below is my /etc/ipsec.conf file on
> >> 192.168.0.95).
> >>
> >> I just don't get why packets leave unencrypted...
> >>
> >> Regards,
> >>
> >> Sylvain
> >>
> >> #!/usr/bin/setkey -f
> >>
> >> # ipsec.conf
> >>
> >> flush;
> >> spdflush;
> >>
> >> add 62.212.109.16 82.234.240.117 esp 0x201 -m tunnel -E 3des-cbc \
> >>     0x**** -A hmac-md5 0x****;
> >>
> >> add 82.234.240.117 62.212.109.16 esp 0x301 -m tunnel -E 3des-cbc \
> >>     0x**** -A hmac-md5 0x****;
> >>
> >> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
> >>     esp/tunnel/62.212.109.16-82.234.240.117/require;
> >>
> >> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
> >>     esp/tunnel/82.234.240.117-62.212.109.16/require;
> >>

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
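A consistency check for the situation Charles describes above (SAs and policies present, byte counters at 0), added here as an example and not part of the thread or of the setkey/racoon tools: it parses a setkey -D dump and the spdadd lines, checks that each policy's tunnel endpoints put the local gateway on the correct side for its direction (out tunnels local->remote, in/fwd tunnels remote->local), and reports policies whose SA is mature but has never carried a byte. The sample dump and policy lines are constructed from what the thread quotes; local_gw = 82.234.240.117 is an assumption read off the out policy.

```python
import re
# Constructed sample modelled on the "setkey -D" dump quoted in the thread (key material omitted).
SAD_DUMP = """\
62.212.109.16 82.234.240.117
    esp mode=tunnel spi=513(0x00000201) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
82.234.240.117 62.212.109.16
    esp mode=tunnel spi=769(0x00000301) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
"""
# Constructed sample: the two spdadd lines from the ipsec.conf quoted in the thread.
SPD_CONF = """\
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/62.212.109.16-82.234.240.117/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/82.234.240.117-62.212.109.16/require;
"""
def parse_sad(dump):
    """Map (src, dst) -> {spi, state, bytes} from 'setkey -D' text."""
    sas, cur = {}, None
    for line in dump.splitlines():
        if (m := re.match(r"^(\S+) (\S+)$", line)):  # unindented 'src dst' header line
            cur = sas.setdefault((m[1], m[2]), {})
        elif cur is not None:
            if (m := re.search(r"spi=(\d+)", line)): cur["spi"] = int(m[1])
            if (m := re.search(r"state=(\w+)", line)): cur["state"] = m[1]
            if (m := re.match(r"\s*current: (\d+)\(bytes\)", line)): cur["bytes"] = int(m[1])
    return sas
def parse_spd(conf):
    """Return (src_net, dst_net, direction, tunnel_src, tunnel_dst) per spdadd line."""
    pat = re.compile(r"spdadd (\S+) (\S+) \S+ -P (in|out|fwd) ipsec esp/tunnel/([\d.]+)-([\d.]+)/\w+")
    return [m.groups() for m in pat.finditer(conf)]
def check(sad, spd, local_gw):
    """Findings: tunnel endpoints in the wrong order for the direction, missing SA, or SA with no traffic."""
    findings = []
    for src, dst, direction, t_src, t_dst in spd:
        tag = f"{direction} {src}->{dst}"
        # out policies tunnel local->remote; in/fwd policies tunnel remote->local
        if (t_src if direction == "out" else t_dst) != local_gw:
            findings.append(f"{tag}: tunnel {t_src}-{t_dst} does not place local gateway {local_gw} correctly")
            continue
        sa = sad.get((t_src, t_dst))
        if sa is None:
            findings.append(f"{tag}: no SA {t_src}->{t_dst} in the SAD")
        elif sa.get("state") != "mature":
            findings.append(f"{tag}: SA {t_src}->{t_dst} state is {sa.get('state')}")
        elif sa.get("bytes", 0) == 0:
            findings.append(f"{tag}: SA spi {sa['spi']} is mature but has carried 0 bytes")
    return findings
```

On the thread's data both policies pass the direction check and both are reported as mature SAs with 0 bytes, which is exactly the "tunnel and policy exist but nothing uses them" state; feed it a live `setkey -D` dump and your own ipsec.conf to repeat the check on a real host.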