Re: Cisco IOS and racoon

From: Nickolay A. Kritsky (nkritsky_at_internethelp.ru)
Date: 07/29/04

    Date: Thu, 29 Jul 2004 04:44:01 +0400
    To: Lewey Taylor <admin@triparish.net>


    Hello Lewey,

    <disclaimer>
    First, I am really new to IPSEC, so maybe my advice will be of no use
    to you.
    Second, I have once succeeded in setting up a FreeBSD<->Cisco IPSec
    link, so maybe my advice will be of some use to you.
    </disclaimer>

    Tuesday, July 27, 2004, 5:34:58 AM, you wrote:

    <skip some configs>

    LT> <spdadd>
    LT> #! /bin/sh
    LT> #spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
    LT> #spdadd 1.1.1.1/32[500] 2.2.2.2/32[500] udp -P out none;
    LT> case "$1" in
    LT> start)
    LT> setkey -F
    LT> setkey -FP
    LT> setkey -c <<EOF
    LT> spdadd 10.0.10.0/24 10.0.3.0/24 ipencap -P out ipsec
    LT> esp/tunnel/1.1.1.1-2.2.2.2/require;
    LT> spdadd 10.0.3.0/24 10.0.1.0/24 ipencap -P in ipsec
    LT> esp/tunnel/2.2.2.2-1.1.1.1/require;
    LT> EOF
    LT> ;;
    LT> stop)
    LT> setkey -F
    LT> setkey -FP
    LT> ;;
    LT> *)
    LT> echo "Usage: `basename $0` {start|stop}" >&2
    LT> ;;
    LT> esac
    LT> exit 0

    LT> </spdadd>

    First advice: change `ipencap' to `any' in your spdadd config. If I am
    right, you don't need ipencap here since you don't use ipinip on
    cisco. If I am wrong, `any' should work anyway.

    <skip all logs>

    Second advice: do not try to understand racoon's logs. This is the
    last thing to do. Only if nothing else helps, you can try it. And
    the best way to do it is to build racoon from sources, to have the
    ability to put there some human-readable debugprintfs.

    Third advice - what really helps: Make some errors. Change the config
    file of racoon in a strictly wrong way. Use wrong algorithms for
    encryption and signing, a non-matching psk, play with padding, change
    some weird options like `proposal_check', `situation', `doi', etc...
    Do the wrong things. _ONE_CHANGE_FOR_ONE_RUN_ . Then take a quick look
    in the log. If setting psk from <correctpsk> to <ComeToMeBigFatMama>
    produces no change in logs - ie, everything stops on the same error,
    then, _maybe_ your <correctpsk> is not correct at all. _But_ , _maybe_
    things just become broken before anybody cares about your psk. You
    will need to use your brain. I am sorry, but I don't know about silver
    bullets for IPSec debugging. Using intentional errors can help you to
    narrow your search to some specific sections of racoon.conf, and to
    some specific files/functions in the src tree. Otherwise you will be
    lost in a sea of possibilities. The ugliest problem I ran into was that
    IPSec uses about 50 different parameters that should match on each
    side of the tunnel, and
    1. Most of them are named differently in racoon and cisco (that's
    called a synonym - sounds different, means the same)
    2. Some of them can be named the same but mean something different
    (that's called a homonym ;) )
    3. Some of them can be hardwired into the system. Different ones on
    racoon and cisco.

    Well, I hope that will help you.
    Good luck!

    ;-------------------------------------------
    ; NKritsky
    ; mailto:nkritsky@internethelp.ru
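
    The first advice above turns on the upper-layer-protocol field of
    spdadd: `ipencap' selects only IP-in-IP (protocol 4) packets, so with
    it only such packets between the two subnets would be steered into the
    tunnel, while `any' matches all traffic between them. The following is
    an added illustration, not the poster's or the list's configuration:
    the same pair of tunnel policies with `any', in the file form that
    `setkey -f' loads, with the inbound policy written as the mirror image
    of the outbound one (subnets swapped, gateway addresses swapped). The
    addresses are placeholders (192.0.2.1 is the FreeBSD gateway,
    198.51.100.1 the Cisco, 10.0.10.0/24 and 10.0.3.0/24 the LANs behind
    them); the Cisco side's crypto ACL has to describe the same subnet pair
    in mirror image, or phase 2 will not agree on the traffic selectors.

```text
# /etc/ipsec.conf on the FreeBSD side, loaded with: setkey -f /etc/ipsec.conf
# Added illustration with placeholder addresses, not the original poster's file.
# Note: flush; empties the SAD, so reloading this file tears down live SAs.
flush;
spdflush;

# Outbound: any protocol from the local LAN to the remote LAN must travel
# inside an ESP tunnel between the two gateways.
spdadd 10.0.10.0/24 10.0.3.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: the mirror image (subnets and gateways swapped), also any protocol.
spdadd 10.0.3.0/24 10.0.10.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

    After loading, `setkey -DP' shows the two policies and `setkey -D' the
    SAs racoon negotiates once traffic matching the outbound policy appears.

    The third advice is a procedure: change exactly one parameter, rerun
    racoon, and see whether the log stops at the same place. The script
    below is an added example (not code from the thread, and it does not
    start racoon for you) that mechanises the two boring halves of that
    loop: producing a config that differs from the baseline in one
    parameter, and locating the first line where a run's log departs from
    the baseline log. Assumed, and not taken from the post: racoon.conf
    uses the ipsec-tools keywords (encryption_algorithm, hash_algorithm),
    racoon's log lines start with "YYYY-MM-DD HH:MM:SS: ", and the config
    and log lines in the demo are constructed for the illustration.

```shell
#!/bin/sh
# Added example for the "one change per run" method; not code from the
# original thread. mutate_conf makes a config one parameter away from the
# baseline; first_divergence/report say where a run's log leaves the
# baseline log. The sample config and logs below are constructed.

# mutate_conf SRC DST KEYWORD VALUE: copy SRC to DST with the value of every
# "KEYWORD value;" line replaced. One keyword per call, one change per run.
mutate_conf() {
    sed "s|^\([[:space:]]*$3[[:space:]][[:space:]]*\)[^;]*;|\1$4;|" "$1" > "$2"
}

# count_changes SRC DST: number of changed lines, to confirm exactly one.
count_changes() {
    diff "$1" "$2" | grep -c '^>' || true
}

# normalize LOG: strip the assumed "YYYY-MM-DD HH:MM:SS: " prefix so that
# runs made at different times line up.
normalize() {
    sed 's/^[0-9-]* [0-9:]*: //' "$1"
}

# first_divergence BASELINE MUTATED: print "same" when the normalized logs
# are identical, otherwise the 1-based number of the first differing line.
first_divergence() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"; normalize "$2" > "$b"
    awk 'NR == FNR { base[FNR] = $0; nb = FNR; next }
         $0 != base[FNR] { print FNR; found = 1; exit }
         { nm = FNR }
         END { if (found) exit
               if (nm == nb) print "same"; else print (nm < nb ? nm : nb) + 1 }' "$a" "$b"
    rm -f "$a" "$b"
}

# report BASELINE MUTATED LABEL: the verdict; interpreting it is still on you.
report() {
    n=$(first_divergence "$1" "$2")
    if [ "$n" = same ]; then
        echo "$3: no change in the log (failure precedes this parameter, or it was wrong already)"
    else
        echo "$3: log diverges at line $n"
        echo "  baseline: $(normalize "$1" | sed -n "${n}p")"
        echo "  mutated:  $(normalize "$2" | sed -n "${n}p")"
    fi
}

# Demo on constructed files. In real use, between mutate_conf and report you
# run e.g. "racoon -F -f hash.conf -l hash.log" (foreground, config, logfile).
demo() {
    d=$(mktemp -d)
    cat > "$d/racoon.conf" <<'EOF'
remote 198.51.100.1 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
EOF
    cat > "$d/baseline.log" <<'EOF'
2004-07-29 04:44:01: INFO: 192.0.2.1[500] used as isakmp port
2004-07-29 04:44:05: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
2004-07-29 04:44:05: INFO: begin Identity Protection mode.
2004-07-29 04:44:35: ERROR: phase1 negotiation failed due to time up.
EOF
    # Constructed run with hash_algorithm changed: the peer still says nothing.
    sed 's/04:44/05:01/' "$d/baseline.log" > "$d/hash.log"
    # Constructed run with encryption_algorithm changed: the peer now answers.
    { sed -n '1,3p' "$d/baseline.log" | sed 's/04:44/05:10/'
      echo '2004-07-29 05:10:06: INFO: ISAKMP-SA established 192.0.2.1[500]-198.51.100.1[500]'
    } > "$d/enc.log"
    mutate_conf "$d/racoon.conf" "$d/hash.conf" hash_algorithm sha1
    mutate_conf "$d/racoon.conf" "$d/enc.conf" encryption_algorithm des
    echo "hash.conf differs from racoon.conf in $(count_changes "$d/racoon.conf" "$d/hash.conf") line(s)"
    report "$d/baseline.log" "$d/hash.log" hash_algorithm
    report "$d/baseline.log" "$d/enc.log" encryption_algorithm
    rm -rf "$d"
}
demo
```

    A "same" verdict is deliberately ambiguous, exactly as the advice says:
    either the parameter is never reached, or it was already wrong. A
    divergence line tells you the first message racoon emits differently,
    which is the place to start reading in the log and, if it comes to
    that, in the source.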

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

