Re: IPsec Over Tunnel



As your setup is described, Windows XP should be using transport for host-to-host
IPsec, and you say it works for that. When you try to use tunnel in a
host-to-host scenario it does not work, which does not surprise me, and maybe
it has something to do with the IPsec tunnel endpoint and IP filter list
being on the same network. I think your best bet is to get the Apple
computer to work in transport mode, which is how IPsec should be configured
in a host-to-host network. --- Steve


<Desert.Bound@xxxxxxxxx> wrote in message
news:1147908856.114201.322600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am trying to encrypt my wireless traffic with IPsec. My
configuration is as follows:
OpenBSD 3.8 gateway (192.168.100.20) connected to Linksys access point
via crossover cable.
Macintosh OS X 10.4 (192.168.100.200) AirPort
Windows XP SP2 (192.168.100.120) Intel PRO/Wireless 2200BG

I am using isakmpd on the OpenBSD computer, racoon on OS X and ipseccmd
on Windows. If I configure transport policies the setup works
correctly. However, if I use tunnel, the Macintosh works correctly,
but the Windows computer does not.

Below are the ipseccmd commands I am using for Windows.

Transport mode:
ipseccmd -u

ipseccmd -f 192.168.100.120=192.168.100.0/255.255.255.0 -n ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

ipseccmd -f 192.168.100.0/255.255.255.0=192.168.100.120 -n ESP[3DES,MD5]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands, I can ping 192.168.100.20. After
several "Negotiating IP Security" messages, I receive replies from the
remote computer. I can ping from the OpenBSD computer to the Windows
computer as well.

Tunnel mode:
ipseccmd -u

ipseccmd -f 192.168.100.120=0.0.0.0/0.0.0.0 -t 192.168.100.20 -n ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

ipseccmd -f 0.0.0.0/0.0.0.0=192.168.100.120 -t 192.168.100.120 -n ESP[3DES,SHA]1800s -a cert:"C=US, S=Missouri, L=Saint Louis, O=Home LAN" -1s 3DES-SHA-2 -1k 1800s

After executing these commands and pinging 192.168.100.20 I receive
several "Negotiating IP Security" messages again. However, instead of
receiving replies, I now get "Request timed out". If I examine the
Oakley.log file, I can see that the SA is successfully negotiated. I would
expect that if firewalls or some other ICMP block were in place, it
would affect both transport and tunnel mode.

Any suggestions?

thanks,
Michael
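The following is an added illustration, not code from either poster: a small lint over the ipseccmd filter lists quoted above that flags the two conditions Steve raises, namely a tunnel policy whose endpoints both sit on the wireless subnet (the host-to-host case he says belongs in transport mode) and a filter list whose address range also covers the tunnel endpoint itself. The commands are copied from the post with the certificate and IKE arguments dropped; the local address and subnet are taken from the post's description; the rule representation and the findings text are this example's own.

```python
"""Sanity checks for the ipseccmd filter lists quoted in the thread.

Added illustration, not code from the thread. It parses the -f (filter)
and -t (tunnel endpoint) arguments of the posted ipseccmd commands and
flags the conditions Steve points at: tunnel endpoints that share one
subnet (host-to-host, where transport mode is the usual choice) and a
filter whose address range also matches the tunnel endpoint's address.
"""
import ipaddress
import shlex

# ipseccmd invocations copied from the post; the -a/-1s/-1k arguments play no
# part in the check and are omitted here.
TRANSPORT_CMDS = [
    "ipseccmd -f 192.168.100.120=192.168.100.0/255.255.255.0 -n ESP[3DES,MD5]1800s",
    "ipseccmd -f 192.168.100.0/255.255.255.0=192.168.100.120 -n ESP[3DES,MD5]1800s",
]
TUNNEL_CMDS = [
    "ipseccmd -f 192.168.100.120=0.0.0.0/0.0.0.0 -t 192.168.100.20 -n ESP[3DES,SHA]1800s",
    "ipseccmd -f 0.0.0.0/0.0.0.0=192.168.100.120 -t 192.168.100.120 -n ESP[3DES,SHA]1800s",
]
LOCAL_HOST = ipaddress.ip_address("192.168.100.120")  # the Windows XP machine
LAN = ipaddress.ip_network("192.168.100.0/24")        # the wireless LAN from the post


def _addr_spec(spec):
    """Turn 'a.b.c.d' or 'a.b.c.d/dotted-mask' into an ip_network (a bare host is /32)."""
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(cmd):
    """Extract source, destination and optional tunnel endpoint from one ipseccmd line."""
    args = shlex.split(cmd)
    rule = {"tunnel": None}
    for i, a in enumerate(args):
        if a == "-f":
            src, dst = args[i + 1].split("=", 1)
            rule["src"] = _addr_spec(src)
            rule["dst"] = _addr_spec(dst)
        elif a == "-t":
            rule["tunnel"] = ipaddress.ip_address(args[i + 1])
    return rule


def lint(cmds, local=LOCAL_HOST, lan=LAN):
    """Return a list of findings for a set of ipseccmd rules; [] means nothing flagged."""
    rules = [parse_rule(c) for c in cmds]
    # The -t address of the inbound rule is the local host itself; the remote
    # endpoint(s) are whatever -t addresses remain after removing it.
    remote = {r["tunnel"] for r in rules if r["tunnel"] is not None} - {local}
    findings = []
    if not remote:
        return findings  # transport mode: no tunnel endpoint, nothing to check
    if all(ep in lan for ep in remote):
        findings.append(
            f"tunnel endpoint(s) {sorted(map(str, remote))} share {lan} with {local}: "
            "host-to-host, transport mode is the usual choice"
        )
    for n, r in enumerate(rules, 1):
        for side in ("src", "dst"):
            net = r[side]
            if net.prefixlen == 32:
                continue  # a single-host filter address is never a range
            for ep in remote:
                if ep in net:
                    findings.append(
                        f"rule {n}: filter {side} {net} also covers tunnel endpoint {ep}"
                    )
    return findings


if __name__ == "__main__":
    for label, cmds in (("transport", TRANSPORT_CMDS), ("tunnel", TUNNEL_CMDS)):
        print(f"{label}: {lint(cmds) or ['no findings']}")
```

Run against the posted rules, the transport set produces no findings, while the tunnel set produces one host-to-host finding plus one per 0.0.0.0/0.0.0.0 filter side, since a catch-all range necessarily includes the 192.168.100.20 endpoint.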





