Hello.
I've set up a VPN connection using PGP VPN client 7.1.1 against OpenBSD
3.0 stable (isakmpd-current) as the VPN gateway. The PGP VPN client has the network
172.16.0.0/24 behind the gateway configured. Everything comes up, green
lights, and netstat -rn -f encap shows:
Routing tables

Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
172.16.1.1/32   0     172.16.0/24     0     0      192.168.105.50/50/use/in
172.16.0/24     0     172.16.1.1/32   0     0      192.168.105.50/50/require/out
which looks as I expected. The gateway also has the address 172.16.0.1/24
configured, and another host in the LAN has the address 172.16.0.2/24
configured, with a route for 172.16.1.0/24 through 172.16.0.1 (the
gateway). When I ping 172.16.0.2 from the "VPN client", the pings go through the
ESP pipe and reach the target host; however, the answers get host
unreachable:
tcpdump: listening on de0
08:44:42.401340 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:42.403122 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:42.406979 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
08:44:42.698714 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:42.699086 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:42.699302 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
08:44:43.701817 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:43.703162 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:43.703381 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
08:44:44.703474 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:44.707566 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:44.719356 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
I think I'm missing something essential here, so it doesn't work. Maybe
some kind soul could help me? :-) Any info one would need will be
provided; I just can't imagine what info would be needed.
Thanks!
--
Denis A. Doroshenko, GPRS engineer
Omnitel Ltd., T. Sevcenkos st. 25, Vilnius, Lithuania
d.doroshenko@omnitel.net, +370 2 262188
# isakmpd.conf
[General]
Listen-on= 192.168.166.114
[Phase 1]
Default= ISAKMP-clients
[Phase 2]
Passive-connections= IPsec-clients
# Phase 1 peer sections
########################################################################
[ISAKMP-clients]
Phase= 1
Transport= udp
Local-address= 192.168.166.114
Port= isakmp
Configuration= default-aggressive-mode
Authentication= 21stcenturysschizoidman
# Phase 2 sections
########################################################################
[IPsec-clients]
Phase= 2
Configuration= default-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote
# Client ID sections
########################################################################
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
# Virtual Addresses for remote users
####################################
# In order to get this to work you need to add one [ufqdn/email_address]
# section per user that needs a virtual address.
[ufqdn/d.doroshenko@omnitel.net]
Address= 172.16.1.1
Netmask= 255.255.255.0
Nameserver= 172.16.0.1
#WINS-server= 172.0.1.2
# Main and Quick Mode descriptions (as used by peers and connections)
########################################################################
[default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= CAST-SHA,BLOWFISH-SHA
[default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
# Main mode transforms
########################################################################
[CAST-SHA]
ENCRYPTION_ALGORITHM= CAST_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY
[BLOWFISH-SHA]
ENCRYPTION_ALGORITHM= BLOWFISH_CBC
KEY_LENGTH= 128,96:192
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= LIFE_1_DAY
# Lifetimes
###########
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,3600:93600
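The post shows two things at once: an IPsec flow table (netstat -rn -f encap) that does cover the reply direction, and a capture in which the gateway itself answers each echo reply with "host 172.16.1.1 unreachable". The script below is an added example (it is not part of the original post, nor PGP or OpenBSD code) that correlates the two outputs: it parses the flow lines and the tcpdump lines, finds the packet each gateway-generated unreachable refers to, and reports whether an outbound IPsec flow covered that packet. The sample inputs are constructed copies of the output quoted in the post; the gateway address and the suggested `route -n get` check are assumptions for illustration, and the verdict is a heuristic, not a verified diagnosis of this setup.

```python
"""Correlate a gateway's IPsec flow table with a tcpdump capture to locate
where a reply is refused.  Added example; inputs are constructed copies of
the output quoted in the post."""
import ipaddress
import re

# Constructed copy of the two flow lines from `netstat -rn -f encap` in the post
# (the second line joined, as netstat prints it on a wide terminal).
ENCAP_OUTPUT = """\
172.16.1.1/32 0 172.16.0/24 0 0 192.168.105.50/50/use/in
172.16.0/24 0 172.16.1.1/32 0 0 192.168.105.50/50/require/out
"""

# Constructed copy of the first two ping rounds from the post's tcpdump output.
TCPDUMP_OUTPUT = """\
08:44:42.401340 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:42.403122 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:42.406979 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
08:44:42.698714 172.16.1.1 > 172.16.0.2: icmp: echo request
08:44:42.699086 172.16.0.2 > 172.16.1.1: icmp: echo reply
08:44:42.699302 172.16.0.1 > 172.16.0.2: icmp: host 172.16.1.1 unreachable
"""

# source port destination port proto  peer/proto/level/direction
FLOW_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\d+\s+\d+\s+(\S+)/(\d+)/(\w+)/(in|out)$")
ICMP_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: (.*)$")
UNREACH_RE = re.compile(r"host (\S+) unreachable")


def bsd_net(text):
    """Expand netstat's abbreviated prefix ('172.16.0/24') into an ip_network."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_encap(text):
    """Parse flow lines into dicts with ip_network selectors."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, dst, peer, proto, level, direction = m.groups()
            flows.append({"src": bsd_net(src), "dst": bsd_net(dst), "peer": peer,
                          "proto": int(proto), "level": level, "dir": direction})
    return flows


def parse_tcpdump(text):
    """Parse the ICMP lines of a tcpdump capture."""
    pkts = []
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            ts, src, dst, what = m.groups()
            pkts.append({"ts": ts, "src": ipaddress.ip_address(src),
                         "dst": ipaddress.ip_address(dst), "what": what})
    return pkts


def outbound_flow_for(flows, src, dst):
    """Return the outbound flow whose selectors cover src -> dst, or None."""
    for f in flows:
        if f["dir"] == "out" and src in f["src"] and dst in f["dst"]:
            return f
    return None


def diagnose(flows, pkts, gateway):
    """For every 'host X unreachable' the gateway itself emits, find the packet it
    refused and say whether an outbound IPsec flow covered that packet.  A packet
    that is covered by a flow but still refused was not dropped by IPsec policy;
    the usual cause (heuristic, assumed here) is that the gateway has no ordinary
    route for X, since a flow entry is not a forwarding route."""
    gw = ipaddress.ip_address(gateway)
    findings = []
    for i, p in enumerate(pkts):
        um = UNREACH_RE.search(p["what"])
        if p["src"] != gw or not um:
            continue
        target = ipaddress.ip_address(um.group(1))
        # The refused packet is the latest earlier one sent by the receiver of
        # the unreachable (p["dst"]) towards the unreachable target.
        refused = next((q for q in reversed(pkts[:i])
                        if q["src"] == p["dst"] and q["dst"] == target), None)
        if refused is None:
            continue
        covered = outbound_flow_for(flows, refused["src"], refused["dst"]) is not None
        findings.append({
            "ts": p["ts"],
            "refused": f"{refused['src']} > {refused['dst']} ({refused['what']})",
            "ipsec_policy": covered,
            "verdict": (f"IPsec flow covers this packet; check the gateway's ordinary "
                        f"routing table for {target} (e.g. route -n get {target})"
                        if covered else
                        "no outbound IPsec flow covers this packet; check the Phase 2 "
                        "IDs on both sides"),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_encap(ENCAP_OUTPUT), parse_tcpdump(TCPDUMP_OUTPUT), "172.16.0.1"):
        print(f"{f['ts']}  refused {f['refused']}: {f['verdict']}")
```

Run against the post's own output, every unreachable is attributed to an echo reply that the outbound "require" flow does cover, so the script points at the routing layer of the gateway rather than at the SA or the Phase 2 IDs. The same correlation works on any capture where a gateway emits ICMP errors for traffic it is expected to encapsulate.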