First time setting up ISAKMPD

First time setting up ISAKMPD

Talmage-3
I've read through the manpages and googled through lots of tutorials,  
but can't seem to get a very simple VPN (isakmpd) gateway working  
with racoon (mobile OS X Tiger clients).  After trying to connect, I  
am not able to ping the internal network from the mobile VPN client.  
I can post the full logs, but first please take a look at my conf  
files to see if I'm missing something.

My simple VPN should work like this:

[mobile clients]====internet====[OPENBSD GATEWAY]----[192.168.0.0/24 internal network]

mobile clients are to join the 192.168.0.0/24 network, with a  
manually assigned 192.168.0.X address.

  I've even gone to the point of over simplifying my pf.conf and  
isakmpd settings to avoid problems caused by other settings.  This is  
my first time setting up a VPN with isakmpd so please understand if  
I'm missing something very obvious, and if you see something wrong  
with the settings I'd appreciate it if you can point me to the right  
direction.

Here are my conf files:

--------------pf.conf--------------

####################
###   MACROS
####################

###---INTERFACES---###
ext_if="em0"
int_if="em4"
#brg_if1="em2"
#brg_if2="em3"
brg_if="em1"
vpn_if="enc0"

###---NETWORKS/ADDRESSES---###
ext_add="219.XXX.XXX.82"
int_gw="192.168.0.1"
int_net="192.168.0.0/24"

####################
###   SCRUB
####################

scrub in all

####################
###   NAT
####################

nat on $ext_if inet from $int_if:network to any -> $ext_add

####################
###   RULES
####################

### vpn part
pass in quick on $ext_if inet proto udp from any to ($ext_if) port isakmp keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port isakmp keep state

### esp traffic
pass in quick on $ext_if inet proto esp from any to ($ext_if)
pass out quick on $ext_if inet proto esp from ($ext_if) to any
pass in quick on $vpn_if proto ipencap all
pass out quick on $vpn_if all
pass in  quick on $vpn_if all

--------------isakmpd.policy--------------

Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
             esp_present == "yes" &&
             esp_enc_alg == "3des" &&
             esp_enc_alg != "null" -> "true";

--------------isakmpd.conf --------------

[General]
Listen-on=219.XXX.XXX.82
Retransmits= 5
Exchange-max-time= 120

[Phase 1]
Default= ISAKMP-Clients

[Phase 2]
Passive-Connections= IPSec-clients

[ISAKMP-Clients]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somesecretpassword

[IPSec-Clients]
Phase= 2
Configuration= Default-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[dummy-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-GRP2-SUITE

--------------------
Kory T


Re: First time setting up ISAKMPD

Mathieu Sauve-Frankel-2
> [IPSec-Clients]
> Phase= 2
> Configuration= Default-quick-mode
> Local-ID= default-route
> Remote-ID= dummy-remote

Remove Remote-ID

--
Mathieu Sauve-Frankel
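A small static check that turns the advice in this thread into something repeatable, as an added example that is not code from either poster or from OpenBSD. It parses the [Section] / Tag= Value layout of isakmpd.conf(5), reports references to sections that do not exist, and flags a passive (road-warrior) connection that still pins a Remote-ID, which is exactly the change suggested in the reply. Assumptions made here: the set of tags treated as section references (REF_TAGS) is this example's own choice, drawn from the tags in the posted file, and section names are matched case-insensitively, which is how isakmpd's own conf parser compares them. The sample input is the poster's isakmpd.conf copied from the thread.

```python
import re

# Tags whose value names one or more other sections of the same file.
# This list is the example's own choice, taken from the tags used in the
# thread's file; Transforms/Suites are left out because their usual values
# are isakmpd's built-in defaults rather than sections of the file.
REF_TAGS = ("Default", "Passive-Connections", "Configuration", "Local-ID", "Remote-ID")

# Sample input: the poster's isakmpd.conf (address is the poster's own placeholder).
SAMPLE_CONF = """\
[General]
Listen-on=219.XXX.XXX.82
Retransmits= 5
Exchange-max-time= 120
[Phase 1]
Default= ISAKMP-Clients
[Phase 2]
Passive-Connections= IPSec-clients
[ISAKMP-Clients]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somesecretpassword
[IPSec-Clients]
Phase= 2
Configuration= Default-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[dummy-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-GRP2-SUITE
"""


def parse_isakmpd_conf(text):
    """Parse [Section] / Tag= Value lines into {section: {tag: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        tag, value = (part.strip() for part in line.split("=", 1))
        sections[current][tag] = value
    return sections


def _resolve(sections, name):
    """Find a section by name; case-insensitive, as isakmpd compares names."""
    for sec in sections:
        if sec.lower() == name.lower():
            return sec
    return None


def check_config(sections):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. Every section reference must point at a section that exists.
    for sec, tags in sections.items():
        for tag in REF_TAGS:
            if tag not in tags:
                continue
            for ref in (r.strip() for r in tags[tag].split(",") if r.strip()):
                if _resolve(sections, ref) is None:
                    findings.append(f"[{sec}] {tag}= {ref}: no such section")
    # 2. A passive (road-warrior) connection does not know its peer's address
    #    in advance, so it should not pin a Remote-ID (the reply's advice).
    phase2 = _resolve(sections, "Phase 2")
    passive = sections[phase2].get("Passive-Connections", "") if phase2 else ""
    for ref in (r.strip() for r in passive.split(",") if r.strip()):
        conn = _resolve(sections, ref)
        if conn is not None and "Remote-ID" in sections[conn]:
            findings.append(f"[{conn}] Remote-ID= {sections[conn]['Remote-ID']}: "
                            "remove it; passive connections accept any peer")
    return findings


def without_tag(sections, section, tag):
    """Return a copy of the parsed config with one tag removed from a section."""
    fixed = {sec: dict(tags) for sec, tags in sections.items()}
    fixed[section].pop(tag, None)
    return fixed


if __name__ == "__main__":
    parsed = parse_isakmpd_conf(SAMPLE_CONF)
    for finding in check_config(parsed) or ["no findings"]:
        print(finding)
    print("after removing Remote-ID:",
          check_config(without_tag(parsed, "IPSec-Clients", "Remote-ID")))
```

Run against the posted file, the only finding is the Remote-ID on [IPSec-Clients]; dropping that tag, as the reply suggests, leaves the check clean. The reference check also catches the quieter failure mode of a misspelled section name, which isakmpd would otherwise report only at runtime.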