Subject: IPsec wireless tunnel
To: None <tech-net@netbsd.org>
From: Jan Schaumann <jschauma@netmeister.org>
List: tech-net
Date: 12/21/2002 13:11:25
Hi all,

I've finally decided to do away with WEP and use IPsec to encrypt my
wireless traffic at home.  But I've not yet come up with the correct
configuration.

Here's my setup:


Internet <------>if1 Desktop if2<------> Hub <-----> 2nd Desktop
                                          |
                                          |
                        Lapdog )))   ((( WAP


if1 has the external IP from my ISP.
if2 has 10.0.0.1, the 2nd Desktop has 10.0.0.10

The WAP has 10.0.0.2 and 192.168.253.1.
Lapdog gets a dynamic IP, say 192.168.253.2.

On the desktop, I have the following in my /etc/ipsec.conf:

spdadd 192.168.253.2/32 0.0.0.0/0 any -P in ipsec \
	esp/tunnel/192.168.253.2-10.0.0.2/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P out ipsec \
	esp/tunnel/10.0.0.2-192.168.253.2/use;

and /etc/racoon/psk.txt has
10.0.0.2 <secret key>

On the Lapdog I have the following in my /etc/ipsec.conf:

spdadd 192.168.253.2/32 0.0.0.0/0 any -P out ipsec \
	esp/tunnel/192.168.253.2-10.0.0.2/use;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P in ipsec \
	esp/tunnel/10.0.0.1-192.168.253.2/require;

and /etc/racoon/psk.txt has
10.0.0.1 <secret key>


Now if I start ipsec and racoon on both Desktop and Lapdog, I get the
following:

,----[ on desktop ]
|
| Dec 21 13:06:17 www racoon: INFO: main.c:168:main(): @(#)package version netbsd-20020507
| Dec 21 13:06:17 www racoon: INFO: main.c:170:main(): @(#)internal version 20001216 sakane@kame.net
| Dec 21 13:06:17 www racoon: INFO: main.c:171:main(): @(#)This product linked OpenSSL 0.9.6g 9 Aug 2002 (http://www.openssl.org/)
| Dec 21 13:06:17 www racoon: INFO: isakmp.c:1357:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
| Dec 21 13:06:17 www racoon: INFO: isakmp.c:1357:isakmp_open(): 64.81.200.34[500] used as isakmp port (fd=8)
| Dec 21 13:06:17 www racoon: INFO: isakmp.c:1357:isakmp_open(): 10.0.0.1[500] used as isakmp port (fd=9)
| Dec 21 13:06:23 www racoon: ERROR: isakmp.c:487:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, dd3a85ec68079baa:80b1549d28bad06c:00005a6c
| Dec 21 13:06:59 www racoon: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
| Dec 21 13:06:59 www racoon: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mode.
| Dec 21 13:06:59 www racoon: NOTIFY: oakley.c:2037:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
| Dec 21 13:06:59 www racoon: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 10.0.0.1[500]-10.0.0.2[500] spi:30d8bba654391029:e9eb6bdc37652594
| Dec 21 13:07:00 www racoon: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 10.0.0.1[0]<=>10.0.0.2[0]
| Dec 21 13:07:00 www racoon: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
| Dec 21 13:07:00 www racoon: ERROR: isakmp_quick.c:2072:get_proposal_r(): failed to create saprop.
| Dec 21 13:07:00 www racoon: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
| Dec 21 13:07:00 www racoon: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
| Dec 21 13:07:10 www racoon: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 10.0.0.1[0]<=>10.0.0.2[0]
| Dec 21 13:07:10 www racoon: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
| Dec 21 13:07:10 www racoon: ERROR: isakmp_quick.c:2072:get_proposal_r(): failed to create saprop.
| Dec 21 13:07:10 www racoon: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
| Dec 21 13:07:10 www racoon: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
|
`----

Similarly on the lapdog, with

ISAKMP-SA established 192.168.253.2[500]-10.0.0.1[500]

and eventual timeout error messages.


Can somebody point out the obvious (or the hidden tricky part) and tell
me what I did wrong?

Thanks!
-Jan

-- 
"Life," said Marvin, "don't talk to me about life."
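As an added example (not part of Jan's post), a small Python checker that parses the two /etc/ipsec.conf fragments quoted above and reports two kinds of disagreement: a policy whose local tunnel endpoint is not an address that host owns, and an outbound tunnel that no inbound policy on the peer mirrors with the same selectors and the same endpoint pair. The two config texts are constructed copies of the ones in the post, and the owned-address sets (10.0.0.1 on if2, 192.168.253.2 on the laptop) are taken from its description of the setup.

```python
import re

# Constructed copies of the two /etc/ipsec.conf fragments quoted in the post.
DESKTOP_SPD = """
spdadd 192.168.253.2/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.253.2-10.0.0.2/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P out ipsec esp/tunnel/10.0.0.2-192.168.253.2/use;
"""
LAPDOG_SPD = """
spdadd 192.168.253.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.253.2-10.0.0.2/use;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P in ipsec esp/tunnel/10.0.0.1-192.168.253.2/require;
"""
DESKTOP_ADDRS = {"10.0.0.1"}       # if2, per the description in the post
LAPDOG_ADDRS = {"192.168.253.2"}   # the laptop's (dynamic) address

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"\w+/tunnel/([\d.]+)-([\d.]+)/\w+\s*;")

def parse_spd(text):
    """Parse setkey 'spdadd ... proto/tunnel/A-B/level;' lines. A-B is the
    outer src-dst, so on an 'in' policy the remote gateway comes first."""
    text = text.replace("\\\n", " ")  # join backslash continuation lines
    policies = []
    for src, dst, direction, ep1, ep2 in SPD_RE.findall(text):
        local, remote = (ep1, ep2) if direction == "out" else (ep2, ep1)
        policies.append({"src": src, "dst": dst, "dir": direction,
                         "local": local, "remote": remote})
    return policies

def check_tunnels(my_pols, my_addrs, peer_pols):
    """Flag policies whose local endpoint is not an address this host owns, and
    outbound tunnels that no inbound policy on the peer mirrors exactly."""
    problems = []
    for p in my_pols:
        sel = f"{p['dir']} {p['src']}->{p['dst']}"
        if p["local"] not in my_addrs:
            problems.append(f"{sel}: local endpoint {p['local']} is not one of "
                            f"{sorted(my_addrs)}")
        if p["dir"] == "out" and not any(
                q["dir"] == "in" and (q["src"], q["dst"]) == (p["src"], p["dst"])
                and (q["remote"], q["local"]) == (p["local"], p["remote"])
                for q in peer_pols):
            problems.append(f"{sel}: tunnel {p['local']}-{p['remote']} has no "
                            f"matching inbound policy on the peer")
    return problems

if __name__ == "__main__":
    d, l = parse_spd(DESKTOP_SPD), parse_spd(LAPDOG_SPD)
    print("\n".join(check_tunnels(d, DESKTOP_ADDRS, l) + check_tunnels(l, LAPDOG_ADDRS, d)))
```

Run against the quoted configs it reports three problems on the desktop side and none on the laptop side; with both files rewritten so the desktop's endpoint is consistently one of its own addresses and the laptop's two policies agree with each other, it reports nothing.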