| 1 |
Hi all, |
| 2 |
|
| 3 |
I know, it must be somewhat in all mens mouth, at least, |
| 4 |
I got lots of results when googling for it, however, |
| 5 |
I am very out of luck in getting this run. |
| 6 |
|
| 7 |
As I'm now able to setup a fake class C network on a real |
| 8 |
internet server, I'd now like to let this be the VPN server |
| 9 |
on this fake network: 192.168.42.1/24. |
| 10 |
|
| 11 |
I've been playing with ipsec-tools quite some time now, |
| 12 |
though, I basically know how to use it in at least its |
| 13 |
transport mode. |
| 14 |
|
| 15 |
However, I want dynamic-IP clients to connect via an IPsec |
| 16 |
VPN to this fake network I've created on the public server. |
| 17 |
|
| 18 |
For this, I've done the following on the server: |
| 19 |
|
| 20 |
THIS is the /etc/ipsec.conf file on SERVER: |
| 21 |
#! /usr/sbin/setkey -f |
| 22 |
|
| 23 |
flush; |
| 24 |
spdflush; |
| 25 |
|
| 26 |
THIS is the /etc/racoon/racoon.conf file on SERVER: |
| 27 |
path pre_shared_key "/etc/racoon/psk.txt"; |
| 28 |
|
| 29 |
remote anonymous { |
| 30 |
exchange_mode aggressive,main; |
| 31 |
doi ipsec_doi; |
| 32 |
situation identity_only; |
| 33 |
|
| 34 |
my_identifier fqdn "server.fq.dn"; |
| 35 |
|
| 36 |
generate_policy on; |
| 37 |
passive on; |
| 38 |
|
| 39 |
lifetime time 2 minute; # (sec,min,hour) |
| 40 |
initial_contact on; |
| 41 |
proposal_check obey; # (obey, strict, claim) |
| 42 |
|
| 43 |
proposal { |
| 44 |
encryption_algorithm rijndael; |
| 45 |
hash_algorithm sha1; |
| 46 |
authentication_method pre_shared_key; |
| 47 |
dh_group 2; |
| 48 |
} |
| 49 |
} |
| 50 |
|
| 51 |
sainfo anonymous { |
| 52 |
pfs_group 2; |
| 53 |
lifetime time 2 minute; |
| 54 |
encryption_algorithm rijndael, 3des, blowfish 448, twofish; |
| 55 |
authentication_algorithm hmac_sha1, hmac_md5; |
| 56 |
compression_algorithm deflate; |
| 57 |
} |
| 58 |
|
| 59 |
THIS is the respective /etc/racoon/psk.txt on SERVER: |
| 60 |
client.fq.dn "secret-X" |
| 61 |
|
| 62 |
Now I'm supposed to perform /etc/init.d/racoon start; |
| 63 |
|
| 64 |
The client side is said to be called "road warrior" because |
| 65 |
their public IP is subject to change on each and every time |
| 66 |
they dial up. |
| 67 |
|
| 68 |
There now shall be a way to setup the client (via racoon) as |
| 69 |
automatically as possible, however, *HOW* do I have to do this? |
| 70 |
|
| 71 |
The CLIENT at least requires the following /etc/racoon/psk.txt: |
| 72 |
server.fq.dn "secret-X" |
| 73 |
|
| 74 |
The /etc/ipsec.conf - I guess - shall be somewhat empty, as |
| 75 |
my local's public IP address is somewhat unknown, however, |
| 76 |
the remote's (VPN server's) public is known. |
| 77 |
|
| 78 |
So, the CLIENT's /etc/ipsec.conf *could* look like: |
| 79 |
|
| 80 |
spdadd 0.0.0.0/0 1.2.3.4 any -P out ipsec |
| 81 |
esp/tunnel/192.168.2.22-192.168.42.22/require |
| 82 |
ah/tunnel/192.168.2.22-192.168.42.22/require; |
| 83 |
|
| 84 |
spdadd 1.2.3.4 0.0.0.0/0 any -P in ipsec |
| 85 |
esp/tunnel/192.168.42.22-192.168.2.22/require |
| 86 |
ah/tunnel/192.168.42.22-192.168.2.22/require; |
| 87 |
|
| 88 |
Well, I did not found *any* tutorial showing me a tunnel example |
| 89 |
for ESP *and* AH - in fact, they only provided examples for |
| 90 |
ESP-only (but I wanna use AH - for authentification - as well). |
| 91 |
|
| 92 |
As hopefully mentioned clearly above: |
| 93 |
the CLIENTs LAN is 192.168.2.22/24 with the goal to have |
| 94 |
192.168.42.22 IP within the IPsec-ified VPN's fake network, |
| 95 |
and it wants the connect to the SERVER having the public IP 1.2.3.4 |
| 96 |
|
| 97 |
But when starting racoon on the client side as well, and trying to ping the |
| 98 |
server's fake VPN IP (192.168.42.1) I just get timeouts, and although, I'm |
| 99 |
not able to speak to the server's public IP either. |
| 100 |
|
| 101 |
Please, can someone help me find a way though this and/or provide me with |
| 102 |
useful links I *obviousely* did not found? |
| 103 |
|
| 104 |
Thanks in advance, |
| 105 |
Christian Parpart. |
Archives