Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools
- by Michi Qne
I've some trouble with the IPsec configuration on my debian server (6 squeeze). This server should connect via IPsec VPN to an windows server, which is protected by an firewall.
I've used racoon and ipsec-tools and this tutorial http://wiki.debian.org/IPsec.
However, I am not quite sure, if this tutorial fits to my purpose, because of some differences:
my Host and my gateway are the same server. So I don't have two different ip addresses. I guess, that's not a problem
the other server is an windows system behind a firewall. Hopefully, not a problem
the subnet of the windows system is /32 not /24. So I change it to /32.
I worked through the tutorial step by step, but I wasn't able to route the ip.
The following command didn't work for me:
ip route add to 172.16.128.100/32 via XXX.XXX.XXX.XXX src XXX.XXX.XXX.XXX
So I tried the following instead:
ip route add to 172.16.128.100
.., which obviously not solved the problem.
The next problem is the compression. The windows doesn't use a compression, but 'compression_algorithm none;' doesn't work with my racoon. So the current value is 'compression_algorithm deflate;'
So my current result looks like this:
When I am trying to ping the windows host (ping 172.16.128.100), I receive the following error message from ping:
ping: sendmsg: Operation not permitted
And racoon logs:
racoon: ERROR: failed to get sainfo.
After googling for a while I came to no conclusion, what's the solution.
Does this error message mean that the first phase of IPsec works?
I am thankful for any advice.
I guess my configs might be helpful.
My racoon.conf looks like this:
path pre_shared_key "/etc/racoon/psk.txt";
remote YYY.YYY.YYY.YYY {
exchange_mode main;
proposal {
lifetime time 8 hour;
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address XXX.XXX.XXX.XXX/32 any address 172.16.128.100/32 any {
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
And my ipsec-tools.conf looks like this:
flush;
spdflush;
spdadd XXX.XXX.XXX.XXX/32 172.16.128.100/32 any -P out ipsec
esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd 172.16.128.100/32 XXX.XXX.XXX.XXX/32 any -P in ipsec
esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
If anyone has an advice, that would be awesome.
Thanks in Advance.
Greets, Michael
It was a simple copy-and-paste error in an ip address.
