[BSD] VPN (racoon+sl2tps/win2k-xp)

Bölkény Akos Gergely akos at bolkeny.hu
Wed, 7 Feb 2007, 09:43:31 CET


Hi,

I don't think transport mode can work, because due to the NAT the AH
checksum doesn't match.

I think it would have to be done in tunnel mode.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html



On 2/6/2007 9:59 PM, Kollar Csaba wrote:
> Hi all!
> 
> (this will be long :)
> 
> I'd like to build a VPN server on a FreeBSD base that works with the
> built-in "L2TP over IPsec" clients of Win2k/XP, for road warrior users.
> 
> After a bit of reading I concluded that racoon and sl2tps would be my
> friends. It came together quite easily, but unfortunately the pain
> started when I tried to connect with a Windows box behind NAT (which is
> pretty common, of course). Let me ask right here whether anyone knows of
> another solution (it's important that it works without any third-party
> software, because otherwise I know that OpenVPN, Cisco PIX, etc. are
> nice). If so, don't read any further, just write it :)
> 
> So, I dug deeper into racoon and found a patch (ipsec/nat traversal for
> freebsd6). The racoon people made it; the ipsec-tools port (which
> contains racoon) even prints it as information after make install. I
> applied it and built a new kernel with these extra options:
> 
> options         IPSEC
> options         IPSEC_ESP
> options         IPSEC_NAT_T
> 
> Then I also did this:
> 
> /etc/ipsec.conf:
> spdadd VPN_SERVER_IP[1701] 0.0.0.0/0 any -P out ipsec esp/transport//require;
> spdadd 0.0.0.0/0 VPN_SERVER_IP[1701] any -P in ipsec esp/transport//require;
> 
> /etc/rc.conf:
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
> 
> In theory the NAT_T patch is supposed to solve the problem, together
> with the "nat_traversal on" racoon config option that becomes available
> after patching. Despite this, it still doesn't work.
> 
> Connection log:
> 
> 2007-02-06 21:27:57: INFO: VPN_SERVER_IP[4500] used as isakmp port (fd=5)
> 2007-02-06 21:27:57: INFO: VPN_SERVER_IP[4500] used for NAT-T
> 2007-02-06 21:27:57: INFO: VPN_SERVER_IP[500] used as isakmp port (fd=6)
> 2007-02-06 21:27:57: INFO: VPN_SERVER_IP[500] used for NAT-T
> 2007-02-06 21:28:05: INFO: respond new phase 1 negotiation: VPN_SERVER_IP[500]<=>CLIENT_PUBLIC_IP[500]
> 2007-02-06 21:28:05: INFO: begin Identity Protection mode.
> 2007-02-06 21:28:05: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
> 2007-02-06 21:28:05: INFO: received Vendor ID: FRAGMENTATION
> 2007-02-06 21:28:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> 2007-02-06 21:28:05: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
> 2007-02-06 21:28:05: INFO: Hashing VPN_SERVER_IP[500] with algo #1
> 2007-02-06 21:28:05: INFO: NAT-D payload #0 verified
> 2007-02-06 21:28:05: INFO: Hashing CLIENT_PUBLIC_IP[500] with algo #1
> 2007-02-06 21:28:05: INFO: NAT-D payload #1 doesn't match
> 2007-02-06 21:28:05: INFO: NAT detected: PEER
> 2007-02-06 21:28:05: INFO: Hashing CLIENT_PUBLIC_IP[500] with algo #1
> 2007-02-06 21:28:05: INFO: Hashing VPN_SERVER_IP[500] with algo #1
> 2007-02-06 21:28:05: INFO: Adding remote and local NAT-D payloads.
> 2007-02-06 21:28:05: INFO: NAT-T: ports changed to: CLIENT_PUBLIC_IP[4500]<->VPN_SERVER_IP[4500]
> 2007-02-06 21:28:05: INFO: KA list add: VPN_SERVER_IP[4500]->CLIENT_PUBLIC_IP[4500]
> 2007-02-06 21:28:05: ERROR: Expecting IP address type in main mode, but FQDN.
> 2007-02-06 21:28:05: ERROR: invalid ID payload.
> 2007-02-06 21:28:06: ERROR: Expecting IP address type in main mode, but FQDN.
> 2007-02-06 21:28:06: ERROR: invalid ID payload.
> .....
> 
> The end repeats a few times, then the client disconnects due to a
> timeout. Without NAT in front of the client it works perfectly.
> Naturally the "NAT-D payload #1 doesn't match" line and the ERRORs at
> the end are suspicious, but I couldn't find any usable information
> about them.
> 
> The racoon.conf looks like this:
> 
> #########################################################
> 
> path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
> 
> log notify;
> 
> padding
> {
>     maximum_length 20;
>     randomize off;
>     strict_check off;
>     exclusive_tail off;
> }
> 
> listen
> {
>      isakmp VPN_SERVER_IP [500];
>      isakmp_natt VPN_SERVER_IP [4500];
> }
> 
> remote anonymous {
>     exchange_mode main;
>     generate_policy off;
>     nat_traversal on;
>     proposal_check obey;
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm md5;
>         authentication_method pre_shared_key;
>         dh_group modp1024;
>     }
> }
> 
> sainfo anonymous {
>     pfs_group modp1024;
>     encryption_algorithm aes,blowfish,cast128,3des;
>     authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
>     compression_algorithm deflate;
> }
> 
> I don't want to bore anyone with sl2tps; that definitely works, it
> seems to be the IPsec part where things get stuck :(
> 

-- 
Bölkény Ákos Gergely
+36 (30) 205-39-46
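The NAT-D check that racoon logs above ("NAT-D payload #0 verified", "NAT-D payload #1 doesn't match", "NAT detected: PEER") can be reproduced with the following added Python example, which is not code from this thread or from ipsec-tools. It assumes that racoon's "algo #1" is MD5 (the phase 1 hash_algorithm in the posted racoon.conf), and the cookies and addresses are constructed stand-ins for the VPN_SERVER_IP / CLIENT_PUBLIC_IP placeholders.

```python
import hashlib
import socket
import struct

# IKEv1 phase 1 hash algorithm numbers; racoon's "algo #1" is MD5 (assumption
# matching the posted config), 2 would be SHA-1.
HASH_ALGOS = {1: "md5", 2: "sha1"}


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo_id: int = 1) -> bytes:
    """NAT-D payload body per draft-ietf-ipsec-nat-t-ike-02 / RFC 3947:
    HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(HASH_ALGOS[algo_id], data).digest()


def detect_nat(cky_i, cky_r, local, observed_peer, received, algo_id=1):
    """Responder-side check. `local` is our own (ip, port); `observed_peer` is the
    source (ip, port) the initiator's packet really arrived from; `received` are
    the NAT-D payloads the initiator sent: #0 hashes OUR address as the initiator
    sees it, #1.. hash the initiator's own addresses. Returns a racoon-style verdict."""
    if len(received) < 2:
        raise ValueError("need at least two NAT-D payloads")
    # Payload #0: does the initiator see our address the way we do? If not, a NAT
    # in front of us rewrote it.
    local_ok = received[0] == nat_d_hash(cky_i, cky_r, *local, algo_id)
    # Payloads #1..n: is any of the initiator's own addresses the source we observed?
    # If none matches, the peer sits behind a NAT (the "#1 doesn't match" case).
    peer_ok = any(p == nat_d_hash(cky_i, cky_r, *observed_peer, algo_id) for p in received[1:])
    if local_ok and peer_ok:
        return "NONE"
    if local_ok:
        return "PEER"
    if peer_ok:
        return "LOCAL"
    return "BOTH"


def example_roadwarrior():
    """Constructed scenario: a Windows client at 192.168.1.10 behind a NAT that
    rewrites its source to 198.51.100.7 talks to the server at 203.0.113.5."""
    cky_i, cky_r = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    server = ("203.0.113.5", 500)
    # The initiator hashes what *it* sees: our address first, then its own address.
    natted = [nat_d_hash(cky_i, cky_r, *server), nat_d_hash(cky_i, cky_r, "192.168.1.10", 500)]
    direct = [nat_d_hash(cky_i, cky_r, *server), nat_d_hash(cky_i, cky_r, "198.51.100.7", 500)]
    return (detect_nat(cky_i, cky_r, server, ("198.51.100.7", 500), natted),
            detect_nat(cky_i, cky_r, server, ("198.51.100.7", 500), direct))
```

A "PEER" verdict is what makes racoon switch the exchange to UDP 4500, the "ports changed to ... [4500]" line in the log.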



More information about the BSD mailing list