I am trying to set up a client(s)->server IPsec VPN using Racoon (from security/ipsec-tools). I compiled my kernel with IPSEC, IPSEC_NAT_T, and crypto per the FreeBSD Handbook.
My /usr/local/etc/racoon/racoon.conf file looks like this:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

remote anonymous
{
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    mode_cfg on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
    verify_identifier off;
    generate_policy on;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des, blowfish 448;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source radius;
    accounting radius;
    network4 10.120.100.1;
    netmask4 255.255.255.0;
    pool_size 200;
    split_network include 10.120.100.0/24;
    save_passwd on;
    banner "/etc/racoon/banner";
    pfs_group 1;
}

radiuscfg {
    auth "MYAUTHSERVERGOESHERE" 1812 "MYSECRETGOESHERE";
    acct "MYAUTHSERVERGOESHERE" 1813 "MYSECRETGOESHERE";
}
And my /usr/local/etc/racoon/setkey.conf
Code:
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 10.120.100.254 0.0.0.0 any -P out ipsec
    esp/tunnel/IPv4_OF_THE_SERVER-0.0.0.0/require;
spdadd 0.0.0.0 10.120.100.0/24 any -P in ipsec
    esp/tunnel/0.0.0.0-IPv4_OF_THE_SERVER/require;
And lastly, the relevant portions of my /etc/rc.conf
Code:
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
static_routes="vpn"
route_vpn="-net 10.120.100.0/24 IPv4_OF_THE_SERVER"
I have my re0 interface configured with an alias address of 10.120.100.254.
I have enabled the following in my /etc/sysctl.conf and rebooted:
Code:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
I am using the built-in Cisco IPsec client in Mac OSX to do my testing. I can connect to the server fine. I get prompted for my credentials (which I enter) and it associates and hands me an IP address out of the pool (10.120.100.1-10.120.100.200) that I configured in my racoon.conf.
So here is the problem:
I cannot ping 10.120.100.254 from my client (10.120.100.1). tcpdump shows me the ESP packets coming in from the remote host, but I do not believe they are being processed by the system and decoded. It's interesting because the same setup & configuration on Debian Linux (minus the RADIUS authentication) works just fine. Can anyone help me understand what might be going on here? Thanks in advance!
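The symptom in the post (ESP arrives, nothing comes back) comes down to two kernel-side checks: an inbound SA must match the outer header, and the decapsulated packet must then match an inbound SPD entry whose tunnel endpoints agree with that SA. The script below is an added diagnostic example, not code from the post or from ipsec-tools: it parses `setkey -DP` and `setkey -D` output and reports which of the two conditions holds for one client. The dump samples are constructed; 192.0.2.1 stands in for IPv4_OF_THE_SERVER and 198.51.100.7 for the Mac client's public address, and the "generated" sample shows the per-client shape that `generate_policy on` installs, contrasted with the wildcard entries from the manual setkey.conf. Whether a 0.0.0.0 tunnel endpoint in a policy is accepted by the kernel is exactly what the script flags as "wildcard" rather than decides.

```python
"""Cross-check `setkey -DP` (SPD) against `setkey -D` (SAD) for one VPN client.

An arriving ESP packet is only decrypted and delivered if an inbound
tunnel-mode SA matches its outer header AND the decapsulated packet matches
an inbound SPD entry whose tunnel endpoints agree with that SA.
"""
import ipaddress
import re

# Constructed sample dumps: 192.0.2.1 stands in for IPv4_OF_THE_SERVER and
# 198.51.100.7 for the Mac client's public address.
SAMPLE_SPD_MANUAL = """\
0.0.0.0/0[any] 10.120.100.0/24[any] any
\tin ipsec
\tesp/tunnel/0.0.0.0-192.0.2.1/require
\tspid=2 seq=1 pid=1001
10.120.100.254[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/192.0.2.1-0.0.0.0/require
\tspid=1 seq=0 pid=1001
"""
# Per-client entry with explicit endpoints, the shape generate_policy installs.
SAMPLE_SPD_GENERATED = """\
10.120.100.1[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/198.51.100.7-192.0.2.1/require
\tspid=4 seq=1 pid=1001
"""
# One negotiated inbound SA (client -> server); key material lines omitted.
SAMPLE_SAD = """\
198.51.100.7 192.0.2.1
\tesp mode=tunnel spi=1463087680(0x5734f240) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

POLICY_HEAD = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
POLICY_RULE = re.compile(r"^(\w+)/(\w+)/(?:([^-/]+)-([^/]+))?/(\w+)$")
SA_DESC = re.compile(r"^(\w+) mode=(\w+) spi=(\d+)")


def parse_spd(text):
    """Parse `setkey -DP` output into a list of policy dicts."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):               # selector line opens a policy
            m = POLICY_HEAD.match(line)             # None for "No SPD entries."
            cur = None if m is None else {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(3), strict=False),
                "proto": m.group(5), "dir": None, "rules": []}
            if cur:
                policies.append(cur)
            continue
        if cur is None:
            continue
        body = line.strip()
        rule = POLICY_RULE.match(body)
        if body.split()[0] in ("in", "out", "fwd"):  # "in ipsec", "out discard", ...
            cur["dir"] = body.split()[0]
        elif rule:                                   # "esp/tunnel/A-B/require"
            cur["rules"].append({"proto": rule.group(1), "mode": rule.group(2),
                                 "tun_src": rule.group(3), "tun_dst": rule.group(4)})
    return policies


def parse_sad(text):
    """Parse `setkey -D` output into SA dicts (src, dst, proto, mode, spi)."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):               # "SRC DST" line opens an SA
            cur = dict(zip(("src", "dst"), line.split()[:2]))
            sas.append(cur)
        else:
            m = SA_DESC.match(line.strip())
            if m:
                cur.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3)))
    return sas


def check_inbound(spd_text, sad_text, client_pub, server_pub, inner_src, inner_dst):
    """Return (sa_present, policy_status) for ESP client_pub -> server_pub carrying
    inner_src -> inner_dst. policy_status is "exact" (a covering inbound policy
    names the SA's own endpoints), "wildcard" (a covering policy uses 0.0.0.0 as
    an endpoint) or "none" (no inbound policy covers the inner packet)."""
    sa_present = any(sa.get("proto") == "esp" and sa.get("mode") == "tunnel"
                     and sa.get("src") == client_pub and sa.get("dst") == server_pub
                     for sa in parse_sad(sad_text))
    src, dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    status = "none"
    for pol in parse_spd(spd_text):
        if pol["dir"] != "in" or src not in pol["src"] or dst not in pol["dst"]:
            continue
        for rule in pol["rules"]:
            if rule["mode"] != "tunnel":
                continue
            if rule["tun_src"] == client_pub and rule["tun_dst"] == server_pub:
                return sa_present, "exact"
            if "0.0.0.0" in (rule["tun_src"], rule["tun_dst"]):
                status = "wildcard"
    return sa_present, status
```

To use it on the server, capture `setkey -DP` and `setkey -D` while the Mac is connected and call `check_inbound()` with the client's public address, the server's address, the pool address the client was handed and 10.120.100.254. `(True, "none")` means the SA is there but nothing in the SPD accepts the decapsulated packet; `(True, "wildcard")` means only the manual 0.0.0.0 entries cover it, so it is worth comparing against the per-client entries racoon adds with `generate_policy on`. Either way, `netstat -s -p ipsec` taken before and after a ping shows whether the drops are policy violations or something earlier in the ESP path.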