Maybe I'm approaching the solution wrong, or maybe not.
My goal is to get two NetBSD hosts, each behind a NAT gateway,
to talk to each other over IPsec using NAT-T.
This should work, shouldn't it?
Darren
From gateway 1, ipsec.conf:
# setkey(8) SPD for gateway 1, ICMP only (presumably a connectivity test).
# Tunnel endpoints: 10.0.0.254 is this gateway's own (pre-NAT) address,
# 64.33.101.23 is the public address of the NAT in front of the peer.
# Gateway address <-> remote LAN (10.1.2.0/24)
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
-P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
-P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;
# Peer public address <-> local LAN (10.1.1.0/24)
spdadd 64.33.101.23/32 10.1.1.0/24 icmp
-P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;
spdadd 10.1.1.0/24 64.33.101.23/32 icmp
-P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;
# LAN <-> LAN. NOTE(review): these two are the only entries that put [4500]
# on the tunnel endpoints. As I understand it the NAT-T UDP port is negotiated
# by racoon and recorded in the SA, not in the SPD, so unless setkey(8) on this
# release documents port-qualified tunnel endpoints these should be written
# like the four entries above -- verify with `setkey -DP` after loading.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
-P in ipsec esp/tunnel/64.33.101.23[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
-P out ipsec esp/tunnel/10.0.0.254[4500]-64.33.101.23[4500]/require;
and racoon.conf:
# racoon.conf for gateway 1 (peer NAT public address: 64.33.101.23).
path pre_shared_key "/etc/ipsec-key.txt";
# NOTE(review): with exchange_mode main and a pre-shared key, racoon has to
# pick the key by the peer's source address before any identifier arrives;
# that address is the peer NAT's public one (64.33.101.23), so the key file
# is presumably expected to be keyed on it rather than on 10.0.0.254 -- confirm.
# Also keep the key file root-owned and mode 0600; racoon rejects a file with
# weaker permissions as I recall.
listen {
# NAT-T (UDP 4500) and plain ISAKMP (UDP 500) on the gateway's pre-NAT address.
# strict_address: racoon should refuse to start if either bind fails.
isakmp_natt 10.0.0.254 [4500];
isakmp 10.0.0.254 [500];
strict_address;
}
# anonymous matches any peer address, so authentication rests entirely on the
# PSK plus the identifier settings below.
remote anonymous
{
exchange_mode main;
lifetime time 24 hour;
# This gateway sends its private address as its ID. The peer is configured
# the same way, so the ID it sends is 10.0.0.254, not 64.33.101.23.
# peers_identifier is only enforced when verify_identifier is on (default off),
# so the mismatch is silently ignored today. Either set peers_identifier to
# what the peer really sends and add `verify_identifier on;`, or use a
# non-address identifier type on both sides (one that NAT does not rewrite).
my_identifier address 10.0.0.254;
peers_identifier address 64.33.101.23;
ike_frag on;
# esp_frag applies to NAT-T encapsulated ESP packets.
esp_frag 1440;
initial_contact on;
# NOTE(review): proposal_check appears twice in this block (claim here, obey
# at the end); keep one. obey accepts whatever the peer proposes; claim takes
# the peer's lifetime only when it is shorter than ours.
proposal_check claim;
support_proxy on;
# force: always use NAT-T encapsulation even if no NAT is detected.
nat_traversal force;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# NOTE(review): dh_group is given twice (modp2048 = group 14, then 2 =
# modp1024); only one can take effect, so keep a single line, preferably
# modp2048, and make sure both gateways agree. The 30 hours here also
# differs from the 24 hour lifetime above -- pick one value.
dh_group modp2048;
lifetime time 30 hours;
dh_group 2;
}
proposal_check obey;
}
sainfo anonymous
{
# Phase 2: PFS with group 2, AES + HMAC-SHA1 ESP, deflate IPComp.
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# debug is useful while this is being sorted out; lower it once the tunnel is up.
log debug;
# mode_cfg serves ISAKMP mode-config clients; it looks unused for a
# gateway-to-gateway tunnel as described and can probably be dropped.
mode_cfg {
auth_source system;
conf_source local;
accounting none;
}
From gateway 2, ipsec.conf:
# setkey(8) SPD for gateway 2, ICMP only.
# Tunnel endpoints: 10.0.0.254 is this gateway's own (pre-NAT) address,
# 177.3.11.43 is the public address of the NAT in front of gateway 1.
# NOTE(review): apart from the public address these selectors are identical
# to gateway 1's -- both gateways treat 10.1.1.0/24 as the local LAN (out)
# and 10.1.2.0/24 as the remote LAN (in). Only one of them can be right; if
# this gateway's LAN is 10.1.2.0/24, every src/dst pair and its in/out
# direction here needs to be mirrored relative to gateway 1 -- please check.
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
-P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
-P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;
spdadd 177.3.11.43/32 10.1.1.0/24 icmp
-P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;
spdadd 10.1.1.0/24 177.3.11.43/32 icmp
-P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;
# LAN <-> LAN. NOTE(review): the [4500] on the tunnel endpoints is only
# present on these two entries; as I understand it the NAT-T port belongs
# to the SA negotiated by racoon, not to the SPD, so unless setkey(8) on
# this release documents port-qualified tunnel endpoints write them like
# the entries above -- verify with `setkey -DP` after loading.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
-P in ipsec esp/tunnel/177.3.11.43[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
-P out ipsec esp/tunnel/10.0.0.254[4500]-177.3.11.43[4500]/require;
and racoon.conf:
# racoon.conf for gateway 2 (peer NAT public address: 177.3.11.43).
path pre_shared_key "/etc/ipsec-key.txt";
# NOTE(review): with exchange_mode main and a pre-shared key, racoon has to
# pick the key by the peer's source address before any identifier arrives;
# that address is the peer NAT's public one (177.3.11.43), so the key file
# is presumably expected to be keyed on it rather than on 10.0.0.254 -- confirm.
# Also keep the key file root-owned and mode 0600; racoon rejects a file with
# weaker permissions as I recall.
listen {
# NAT-T (UDP 4500) and plain ISAKMP (UDP 500) on the gateway's pre-NAT address.
# strict_address: racoon should refuse to start if either bind fails.
isakmp_natt 10.0.0.254 [4500];
isakmp 10.0.0.254 [500];
strict_address;
}
# anonymous matches any peer address, so authentication rests entirely on the
# PSK plus the identifier settings below.
remote anonymous
{
exchange_mode main;
lifetime time 24 hour;
# This gateway sends its private address as its ID. Gateway 1 is configured
# the same way, so the ID it sends is 10.0.0.254, not 177.3.11.43.
# peers_identifier is only enforced when verify_identifier is on (default off),
# so the mismatch is silently ignored today. Either set peers_identifier to
# what the peer really sends and add `verify_identifier on;`, or use a
# non-address identifier type on both sides (one that NAT does not rewrite).
my_identifier address 10.0.0.254;
peers_identifier address 177.3.11.43;
ike_frag on;
# esp_frag applies to NAT-T encapsulated ESP packets.
esp_frag 1440;
initial_contact on;
# NOTE(review): proposal_check appears twice in this block (claim here, obey
# at the end); keep one. obey accepts whatever the peer proposes; claim takes
# the peer's lifetime only when it is shorter than ours.
proposal_check claim;
support_proxy on;
# force: always use NAT-T encapsulation even if no NAT is detected.
nat_traversal force;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
# NOTE(review): dh_group is given twice (modp2048 = group 14, then 2 =
# modp1024); only one can take effect, so keep a single line, preferably
# modp2048, and make sure both gateways agree. The 30 hours here also
# differs from the 24 hour lifetime above -- pick one value.
dh_group modp2048;
lifetime time 30 hours;
dh_group 2;
}
proposal_check obey;
}
sainfo anonymous
{
# Phase 2: PFS with group 2, AES + HMAC-SHA1 ESP, deflate IPComp.
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# debug is useful while this is being sorted out; lower it once the tunnel is up.
log debug;
# mode_cfg serves ISAKMP mode-config clients; it looks unused for a
# gateway-to-gateway tunnel as described and can probably be dropped.
mode_cfg {
auth_source system;
conf_source local;
accounting none;
}