Re: isakmpd configuration
(Cc:ed to freebsd-security@FreeBSD.ORG? Ok, whatever...)
On Tue, 8 Jan 2002, jack xiao wrote:
...
> I am going to set up two IPSec tunnels. One is 192.168.100.0/24 -
> 10.10.11.0/24, the other is 192.168.100.0/24 - 172.30.1.0/24. The
> diagram is like the following, 216.95.234.162 and 216.95.234.110 are
> two VPN gateways.
...
> I set in the isakmpd.conf as something like the following,
>
> [Phase 1]
> 216.95.234.110= VPN-11
>
> [Phase 2]
> Connections= VPN-12,VPN-22
Correct.
>
> [VPN-11]
> Phase= 1
> Transport= udp
> Local-address= 216.95.234.162
> Address= 216.95.234.110
> Configuration= Default-main-mode
> Authentication= qqqqqqqq
You need to define the [Default-main-mode] section as per the examples.
>
> [VPN-12]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-01
> Remote-ID= Net-remote-01
Ditto, [Default-quick-mode].
>
> [Net-local-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0
>
> [Net-remote-01]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.10.11.0
> Netmask= 255.255.255.0
>
> [VPN-22]
> Phase= 2
> ISAKMP-peer= VPN-11
> Configuration= Default-quick-mode
> Local-ID= Net-local-02
> Remote-ID= Net-remote-02
You can simply re-use 'Net-local-01' for Local-ID here. Even though
defining and using an identical ...
> [Net-local-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.100.0
> Netmask= 255.255.255.0
... is perfectly ok, it's not really required.
>
> [Net-remote-02]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.30.1.0
> Netmask= 255.255.255.0
>
> Is it correct? It seems not to work fine. Any ideas will be appreciated.
>
The rest looks fine, AFAICT.
I'm sorry to say, however, that as usual you don't specify HOW it "seems
not to work fine". Am I supposed to guess?
/H
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB