Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools

Posted by Michi Qne on Server Fault See other posts from Server Fault or by Michi Qne
Published on 2012-07-19T19:47:48Z Indexed on 2012/11/18 23:07 UTC
Read the original article Hit count: 709

Filed under:
|
|
|
|

I've some trouble with the IPsec configuration on my debian server (6 squeeze). This server should connect via IPsec VPN to an windows server, which is protected by an firewall. I've used racoon and ipsec-tools and this tutorial http://wiki.debian.org/IPsec.

However, I am not quite sure, if this tutorial fits to my purpose, because of some differences:

  • my Host and my gateway are the same server. So I don't have two different ip addresses. I guess, that's not a problem
  • the other server is an windows system behind a firewall. Hopefully, not a problem
  • the subnet of the windows system is /32 not /24. So I change it to /32.

I worked through the tutorial step by step, but I wasn't able to route the ip. The following command didn't work for me:

ip route add to 172.16.128.100/32 via XXX.XXX.XXX.XXX src XXX.XXX.XXX.XXX

So I tried the following instead:

ip route add to 172.16.128.100 .., which obviously not solved the problem.

The next problem is the compression. The windows doesn't use a compression, but 'compression_algorithm none;' doesn't work with my racoon. So the current value is 'compression_algorithm deflate;'

So my current result looks like this:

When I am trying to ping the windows host (ping 172.16.128.100), I receive the following error message from ping:

ping: sendmsg: Operation not permitted

And racoon logs:

racoon: ERROR: failed to get sainfo.

After googling for a while I came to no conclusion, what's the solution. Does this error message mean that the first phase of IPsec works?

I am thankful for any advice.

I guess my configs might be helpful.

My racoon.conf looks like this:

path pre_shared_key "/etc/racoon/psk.txt";

remote YYY.YYY.YYY.YYY {

    exchange_mode main;
    proposal {
            lifetime time 8 hour;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
    }

}

sainfo address XXX.XXX.XXX.XXX/32 any address 172.16.128.100/32 any {

    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;

}

And my ipsec-tools.conf looks like this:

flush;

spdflush;

spdadd XXX.XXX.XXX.XXX/32 172.16.128.100/32 any -P out ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;

spdadd 172.16.128.100/32 XXX.XXX.XXX.XXX/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;

If anyone has an advice, that would be awesome.

Thanks in Advance.

Greets, Michael


It was a simple copy-and-paste error in an ip address.

© Server Fault or respective owner

Related posts about linux

Related posts about debian