Connecting Debian and Windows via IPsec VPN with Racoon and ipsec-tools

Posted by Michi Qne on Server Fault
Published on 2012-07-19T19:47:48Z Indexed on 2012/11/18 23:07 UTC

I have some trouble with the IPsec configuration on my Debian server (6 squeeze). This server should connect via IPsec VPN to a Windows server, which is protected by a firewall. I've used racoon and ipsec-tools and this tutorial: http://wiki.debian.org/IPsec.

However, I am not quite sure if this tutorial fits my purpose, because of some differences:

  • My host and my gateway are the same server, so I don't have two different IP addresses. I guess that's not a problem.
  • The other server is a Windows system behind a firewall. Hopefully, not a problem.
  • The subnet of the Windows system is /32, not /24. So I changed it to /32.

I worked through the tutorial step by step, but I wasn't able to route the IP. The following command didn't work for me:

ip route add to 172.16.128.100/32 via XXX.XXX.XXX.XXX src XXX.XXX.XXX.XXX

So I tried the following instead:

ip route add to 172.16.128.100 .., which obviously did not solve the problem.

The next problem is the compression. The Windows server doesn't use compression, but 'compression_algorithm none;' doesn't work with my racoon. So the current value is 'compression_algorithm deflate;'

So my current result looks like this:

When I try to ping the Windows host (ping 172.16.128.100), I receive the following error message from ping:

ping: sendmsg: Operation not permitted

And racoon logs:

racoon: ERROR: failed to get sainfo.

After googling for a while, I came to no conclusion about what the solution is. Does this error message mean that the first phase of IPsec works?

I am thankful for any advice.

I guess my configs might be helpful.

My racoon.conf looks like this:

path pre_shared_key "/etc/racoon/psk.txt";

remote YYY.YYY.YYY.YYY {

    exchange_mode main;
    proposal {
            lifetime time 8 hour;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
    }

}

sainfo address XXX.XXX.XXX.XXX/32 any address 172.16.128.100/32 any {

    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;

}

And my ipsec-tools.conf looks like this:

flush;

spdflush;

spdadd XXX.XXX.XXX.XXX/32 172.16.128.100/32 any -P out ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;

spdadd 172.16.128.100/32 XXX.XXX.XXX.XXX/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;

If anyone has any advice, that would be awesome.

Thanks in advance.

Greets, Michael


It was a simple copy-and-paste error in an IP address.
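
A consistency check for the kind of mistake named in the resolution, as an added example that is not part of the original post: it cross-checks the sainfo and remote sections of racoon.conf against the spdadd policies, since racoon logs "failed to get sainfo" when no sainfo section matches the phase 2 identities it is asked to negotiate. The addresses 192.0.2.10 and 198.51.100.20 are constructed stand-ins for the masked XXX and YYY values, and the function names are hypothetical.

```python
import re

# Constructed sample configs: 192.0.2.10 stands in for the masked local address
# (XXX...) and 198.51.100.20 for the masked remote gateway (YYY...).
RACOON = """
remote 198.51.100.20 { exchange_mode main; }
sainfo address 192.0.2.10/32 any address 172.16.128.100/32 any { pfs_group 2; }
"""
SETKEY = """
spdadd 192.0.2.10/32 172.16.128.100/32 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.20/require;
spdadd 172.16.128.100/32 192.0.2.10/32 any -P in ipsec esp/tunnel/198.51.100.20-192.0.2.10/require;
"""

def parse_racoon(text):
    """Return (remote peer addresses, (local, remote) sainfo selector pairs)."""
    remotes = set(re.findall(r"^\s*remote\s+(\S+)", text, re.M))
    sainfos = set(re.findall(
        r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)", text, re.M))
    return remotes, sainfos

def parse_spd(text):
    """Return (src, dst, direction, tunnel_src, tunnel_dst) per ESP tunnel policy."""
    pat = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                     r"esp/tunnel/([^-/\s]+)-([^-/\s]+)/", re.M)
    return [m.groups() for m in pat.finditer(text)]

def check(racoon_text, setkey_text):
    """List every address mismatch between the two files (empty list = consistent)."""
    remotes, sainfos = parse_racoon(racoon_text)
    policies = parse_spd(setkey_text)
    problems = []
    for src, dst, direction, t_src, t_dst in policies:
        # "out" selectors read (local, remote); "in" selectors are reversed.
        local, remote = (src, dst) if direction == "out" else (dst, src)
        peer = t_dst if direction == "out" else t_src
        if (local, remote) not in sainfos:
            problems.append(f"{direction}: no sainfo for {local} -> {remote}")
        if peer not in remotes:
            problems.append(f"{direction}: tunnel peer {peer} has no remote section")
    # Normalise both directions to (local, remote, local_gw, peer_gw) and compare.
    outs = {(s, d, a, b) for s, d, dr, a, b in policies if dr == "out"}
    ins = {(d, s, b, a) for s, d, dr, a, b in policies if dr == "in"}
    for p in sorted(outs ^ ins):
        problems.append(f"in/out policies do not mirror each other: {p}")
    return problems

if __name__ == "__main__":
    print(check(RACOON, SETKEY) or "consistent")
    typo = SETKEY.replace("172.16.128.100/32 any -P out", "172.16.128.10/32 any -P out")
    print(check(RACOON, typo))
```

To run it against real files, pass the contents of /etc/racoon/racoon.conf and the ipsec-tools.conf shown above to check().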

© Server Fault or respective owner
