Subject: Re: IPsec wireless tunnel
To: None <tech-net@netbsd.org>
From: Hendra Widarta <hwidarta@yahoo.com>
List: tech-net
Date: 01/04/2003 03:58:47
Hi,

<snip>

Internet <------>if1 Desktop if2<------> Hub <-----> 2nd Desktop
                                          |
                                          |
                        Lapdog )))   ((( WAP


if1 has the external IP from my ISP.
if2 has 10.0.0.1, the 2nd Desktop has 10.0.0.10

The WAP has 10.0.0.2 and 192.168.253.1.
Lapdog gets a dynamic IP, say 192.168.253.2.


##########
YOU want to make a tunnel between if2 <=&=> Lapdog, right?
MAYBE you can try this conf...
[desktop's if2]
spdadd 192.168.253.2/32 0.0.0.0/0 any -P in ipsec \
	esp/tunnel/192.168.253.2-10.0.0.1/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P out ipsec \
	esp/tunnel/10.0.0.1-192.168.253.2/require;
psk.txt 192.168.253.2 <secret key>

[Lapdog]
spdadd 192.168.253.2/32 0.0.0.0/0 any -P out ipsec \
	esp/tunnel/192.168.253.2-10.0.0.1/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P in ipsec \
	esp/tunnel/10.0.0.1-192.168.253.2/require;
psk.txt 10.0.0.1 <secret key>
##########

On the desktop, I have the following in my /etc/ipsec.conf:

spdadd 192.168.253.2/32 0.0.0.0/0 any -P in ipsec \
	esp/tunnel/192.168.253.2-10.0.0.2/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P out ipsec \
	esp/tunnel/10.0.0.2-192.168.253.2/use;

and /etc/racoon/psk.txt has
10.0.0.2 <secret key>

On the Lapdog I have the following in my /etc/ipsec.conf:

spdadd 192.168.253.2/32 0.0.0.0/0 any -P out ipsec \
	esp/tunnel/192.168.253.2-10.0.0.2/use;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P in ipsec \
	esp/tunnel/10.0.0.1-192.168.253.2/require;

and /etc/racoon/psk.txt has
10.0.0.1 <secret key>


Now if I start ipsec and racoon on both Desktop and Lapdog, I get the
following:

,----[ on desktop ]
<snip>
| Dec 21 13:06:59 www racoon: INFO: isakmp.c:2409:log_ph1established():
| ISAKMP-SA established 10.0.0.1[500]-10.0.0.2[500]

#####
Why 10.0.0.1 <-> 10.0.0.2 ?
Your lapdog has SA 192.168.253.2[500]-10.0.0.1[500].
#####

Similarly on the lapdog, with
ISAKMP-SA established 192.168.253.2[500]-10.0.0.1[500]
and eventual timeout error messages.
Can somebody point out the obvious (or the hidden tricky part) and tell
me what I did wrong?

Thanks!
-Jan

Cheers,
Hendra
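One way to catch what Hendra is pointing at (the desktop naming the WAP's address 10.0.0.2 as its own tunnel endpoint, psk.txt keyed on the wrong peer, and the two sides' in/out policies not being mirror images), as an added example that is not part of the thread: a small checker that parses both hosts' setkey spdadd lines and racoon psk.txt identifiers and reports every disagreement. The policy texts are transcribed from the mail; the own-address sets (desktop if2 = 10.0.0.1, Lapdog = 192.168.253.2) are taken from Jan's description, and the `audit` function and its message wording are this example's own construction.

```python
"""Cross-check two hosts' setkey(8) SPD entries and racoon psk.txt identifiers
for one ESP tunnel.  Added example, not code from the thread.  Policy texts
are transcribed from the mail; own-address sets are the ones the mail states."""
import re
from dataclasses import dataclass

# spdadd <src> <dst> <proto> -P <in|out> ipsec esp/tunnel/<tsrc>-<tdst>/<level>
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"esp/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>require|use|default)"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str
    tun_src: str
    tun_dst: str
    level: str

    @property
    def local(self) -> str:
        """Tunnel endpoint that must be an address of the host holding the policy."""
        return self.tun_src if self.direction == "out" else self.tun_dst

    @property
    def remote(self) -> str:
        """Tunnel endpoint of the peer; racoon looks this identifier up in psk.txt."""
        return self.tun_dst if self.direction == "out" else self.tun_src


def parse_spd(text: str) -> list:
    """Parse 'spdadd ... esp/tunnel/...' statements, joining '\\' continuation lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    policies = []
    for stmt in joined.split(";"):
        m = SPDADD_RE.search(stmt)
        if m:
            policies.append(Policy(m["src"], m["dst"], m["dir"], m["tsrc"], m["tdst"], m["level"]))
    return policies


def audit(hosts: dict) -> list:
    """hosts maps name -> (spd_text, own_addresses, psk_identifiers) for two hosts.
    Returns human-readable findings; an empty list means both sides agree."""
    (a, (a_spd, a_addrs, a_psk)), (b, (b_spd, b_addrs, b_psk)) = hosts.items()
    parsed = {a: parse_spd(a_spd), b: parse_spd(b_spd)}
    findings = []

    def note(msg):
        if msg not in findings:          # the same defect can surface from both policies
            findings.append(msg)

    for name, addrs, psk, peer in ((a, a_addrs, a_psk, b), (b, b_addrs, b_psk, a)):
        for p in parsed[name]:
            if p.local not in addrs:
                note(f"{name}: {p.direction} policy names {p.local} as its own tunnel endpoint, "
                     f"but {name} does not own that address")
            if p.level == "use":
                note(f"{name}: {p.direction} policy is level 'use', so traffic still flows "
                     f"in clear when no SA is up")
            if p.remote not in psk:
                note(f"{name}: psk.txt has no entry for tunnel peer {p.remote}")
            mirror = "in" if p.direction == "out" else "out"
            if not any(q.direction == mirror and (q.src, q.dst, q.tun_src, q.tun_dst)
                       == (p.src, p.dst, p.tun_src, p.tun_dst) for q in parsed[peer]):
                note(f"{name}: {p.direction} policy {p.src} -> {p.dst} via "
                     f"{p.tun_src}-{p.tun_dst} has no mirror-image policy on {peer}")
    return findings


# Jan's /etc/ipsec.conf on both machines, as posted.
JAN_DESKTOP = """\
spdadd 192.168.253.2/32 0.0.0.0/0 any -P in ipsec \\
\tesp/tunnel/192.168.253.2-10.0.0.2/require;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P out ipsec \\
\tesp/tunnel/10.0.0.2-192.168.253.2/use;
"""
JAN_LAPDOG = """\
spdadd 192.168.253.2/32 0.0.0.0/0 any -P out ipsec \\
\tesp/tunnel/192.168.253.2-10.0.0.2/use;
spdadd 0.0.0.0/0 192.168.253.2/32 any -P in ipsec \\
\tesp/tunnel/10.0.0.1-192.168.253.2/require;
"""
# Hendra's suggested replacement, same two hosts.
HENDRA_DESKTOP = JAN_DESKTOP.replace("10.0.0.2", "10.0.0.1").replace("/use", "/require")
HENDRA_LAPDOG = JAN_LAPDOG.replace("10.0.0.2", "10.0.0.1").replace("/use", "/require")


def audit_jan() -> list:
    return audit({"desktop": (JAN_DESKTOP, {"10.0.0.1"}, {"10.0.0.2"}),
                  "lapdog": (JAN_LAPDOG, {"192.168.253.2"}, {"10.0.0.1"})})


def audit_hendra() -> list:
    return audit({"desktop": (HENDRA_DESKTOP, {"10.0.0.1"}, {"192.168.253.2"}),
                  "lapdog": (HENDRA_LAPDOG, {"192.168.253.2"}, {"10.0.0.1"})})


if __name__ == "__main__":
    for f in audit_jan():
        print(f)
    print("Hendra's config:", audit_hendra() or "no findings")
```

Run against Jan's posted configuration it flags the desktop's use of 10.0.0.2 (the WAP) as its own endpoint, the mismatched psk.txt identifiers on both sides, the two out policies that have no mirror on the peer, and the two `use` levels; against Hendra's suggested configuration it reports nothing. The `use` finding is the caveat worth keeping on a wireless link: with `use` the kernel sends the packet in clear when no SA exists, so a failed negotiation silently degrades to plaintext, whereas `require` drops it.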

