Hi all,

I know, it must be somewhat in all men's mouths, at least,
I got lots of results when googling for it, however,
I am very out of luck in getting this to run.

As I'm now able to set up a fake class C network on a real
internet server, I'd now like to let this be the VPN server
on this fake network: 192.168.42.1/24.

I've been playing with ipsec-tools quite some time now,
though, I basically know how to use it in at least its
transport mode.

However, I want dynamic-IP clients to connect via an IPsec
VPN to this fake network I've created on the public server.

For this, I've done the following on the server:
THIS is the /etc/ipsec.conf file on SERVER:

    #! /usr/sbin/setkey -f

    # Only flush here: with "generate_policy on" below, racoon installs
    # the server-side SPD entries itself when a client negotiates.
    flush;
    spdflush;

THIS is the /etc/racoon/racoon.conf file on SERVER:

    path pre_shared_key "/etc/racoon/psk.txt";

    # "anonymous" matches any peer address, which is what a road warrior
    # with a changing public IP needs on the responder side.
    remote anonymous {
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;

            my_identifier fqdn "server.fq.dn";

            generate_policy on;
            passive on;

            lifetime time 2 minute;         # (sec,min,hour)
            initial_contact on;
            proposal_check obey;            # (obey, strict, claim)

            proposal {
                    encryption_algorithm rijndael;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo anonymous {
            pfs_group 2;
            lifetime time 2 minute;
            encryption_algorithm rijndael, 3des, blowfish 448, twofish;
            authentication_algorithm hmac_sha1, hmac_md5;
            compression_algorithm deflate;
    }

THIS is the respective /etc/racoon/psk.txt on SERVER:

    # Format: identifier, whitespace, key. racoon refuses to load this
    # file unless it is mode 0600. The key is taken as raw text, so the
    # quotes are part of it and the client's entry must match exactly.
    client.fq.dn "secret-X"
Now I'm supposed to perform /etc/init.d/racoon start;

The client side is said to be called "road warrior" because
their public IP is subject to change each and every time
they dial up.

There now shall be a way to set up the client (via racoon) as
automatically as possible, however, *HOW* do I have to do this?

The CLIENT at least requires the following /etc/racoon/psk.txt:

    server.fq.dn "secret-X"

The /etc/ipsec.conf - I guess - shall be somewhat empty, as
my local's public IP address is somewhat unknown, however,
the remote's (VPN server's) public is known.

So, the CLIENT's /etc/ipsec.conf *could* look like:

    spdadd 0.0.0.0/0 1.2.3.4 any -P out ipsec
           esp/tunnel/192.168.2.22-192.168.42.22/require
           ah/tunnel/192.168.2.22-192.168.42.22/require;

    spdadd 1.2.3.4 0.0.0.0/0 any -P in ipsec
           esp/tunnel/192.168.42.22-192.168.2.22/require
           ah/tunnel/192.168.42.22-192.168.2.22/require;

Well, I did not find *any* tutorial showing me a tunnel example
for ESP *and* AH - in fact, they only provided examples for
ESP-only (but I wanna use AH - for authentication - as well).

As hopefully mentioned clearly above:
the CLIENT's LAN is 192.168.2.22/24 with the goal to have
the 192.168.42.22 IP within the IPsec-ified VPN's fake network,
and it wants to connect to the SERVER having the public IP 1.2.3.4

But when starting racoon on the client side as well, and trying to ping the
server's fake VPN IP (192.168.42.1) I just get timeouts, and also, I'm
not able to talk to the server's public IP either.

Please, can someone help me find a way through this and/or provide me with
useful links I *obviously* did not find?

Thanks in advance,
Christian Parpart.
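A client-side setup for the road-warrior case discussed in this message, as an added example that is not part of the original post or of ipsec-tools. The point it shows is that the client's public address is only known once the link is up, so the setkey SPD has to be generated at that moment rather than written into /etc/ipsec.conf in advance; the tunnel's src-dst pair is the outer (public) address pair, while the inner VPN addresses are the selectors. The names and addresses (1.2.3.4, server.fq.dn, client.fq.dn, 192.168.42.22, 192.168.42.0/24, and the documentation address 203.0.113.5 used in the test) are assumed placeholders, and the functions client_spd_conf, client_racoon_conf and spd_policy_count are mine. The example uses ESP with hmac_sha1 and no AH: with an authentication algorithm set, ESP already authenticates the payload it carries. It uses aggressive mode on purpose: in main mode the identities are sent encrypted, so a responder could only look up the PSK by the initiator's IP address, which a road warrior does not have in advance; in aggressive mode the client's FQDN travels in the first message and the server can find "client.fq.dn" in its psk.txt.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the client-side
# setkey SPD and racoon.conf for a racoon/setkey road-warrior tunnel.
# Assumed placeholders: server 1.2.3.4 / server.fq.dn, client client.fq.dn,
# VPN 192.168.42.0/24 with the client as 192.168.42.22, PSK file
# /etc/racoon/psk.txt (must be mode 0600 or racoon refuses to read it).

# Print the setkey SPD for the client.
#   $1 = client's current public address (only known at dial-up)
#   $2 = server's public address
#   $3 = client's address inside the VPN
#   $4 = VPN network in CIDR form
# In "esp/tunnel/A-B/require" A-B are the OUTER addresses (the tunnel
# endpoints); the selectors in front are the inner VPN addresses.
client_spd_conf() {
    pub="$1"; srv="$2"; vpn_ip="$3"; vpn_net="$4"
    cat <<EOF
flush;
spdflush;
spdadd ${vpn_ip}/32 ${vpn_net} any -P out ipsec
       esp/tunnel/${pub}-${srv}/require;
spdadd ${vpn_net} ${vpn_ip}/32 any -P in ipsec
       esp/tunnel/${srv}-${pub}/require;
EOF
}

# Print /etc/racoon/racoon.conf for the client.
#   $1 = server's public address
# Aggressive mode: the client's FQDN is sent in the clear in message 1,
# so the server can look the PSK up by "client.fq.dn" instead of by the
# client's changing IP address. The client in turn looks the PSK up by
# the server's FQDN (peers_identifier) and insists it matches.
client_racoon_conf() {
    srv="$1"
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote ${srv} {
        exchange_mode aggressive;
        my_identifier fqdn "client.fq.dn";
        peers_identifier fqdn "server.fq.dn";
        verify_identifier on;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Number of policies a generated SPD would install (sanity check: two,
# one per direction).
spd_policy_count() {
    client_spd_conf "$@" | grep -c '^spdadd'
}

# Typical use from pppd's /etc/ppp/ip-up, where $4 is the freshly
# assigned local address (assumed hook; setkey -c reads from stdin):
#   client_spd_conf "$4" 1.2.3.4 192.168.42.22 192.168.42.0/24 | setkey -c
#   client_racoon_conf 1.2.3.4 > /etc/racoon/racoon.conf
#   /etc/init.d/racoon restart
```

Two things to check when the tunnel still does not come up: the client must actually hold 192.168.42.22 on some interface and source its packets from it (for instance ping -I 192.168.42.22 192.168.42.1), otherwise the outbound selector never matches and nothing is negotiated; and the psk.txt on both ends must hold byte-for-byte the same key text, since racoon does not strip quotes.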