# Path Specifications
#
# Pre-shared keys are read from this file, keyed by the peer identity that
# aggressive mode delivers in the first message (see the remote section).
# Keep it owner-readable only (0600): every key in it can be brute-forced
# offline from a single captured aggressive-mode exchange, so the entries
# must be long and random, not passwords.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# Logging level; switch to "debug" or "debug2" only while troubleshooting a
# negotiation (they log a lot, including identities).
log notify;
#
# Listen Section
#
# Bind IKE to the LAN address only (de0 in rc.conf below) instead of every
# interface: UDP/500 for ISAKMP, UDP/4500 for NAT-T (UDP-encapsulated ESP,
# enabled by nat_traversal in the remote section).
listen
{
isakmp 192.168.1.21 [500];
isakmp_natt 192.168.1.21 [4500];
}
#
# Timer Section
#
# NAT-T keepalives every 15 s (racoon's default is 20 s) so that the UDP/4500
# mapping of clients behind NAT does not time out while the tunnel is idle.
timer
{
natt_keepalive 15 seconds;
}
#
# Remote Section
#
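# Any peer may initiate (no address is pinned), so everything below is
# negotiated with untrusted input.
remote anonymous
{
# Aggressive mode is what allows a per-client key to be selected from
# psk.txt (the identity arrives in the first message), but it also hands any
# unauthenticated sender a hash over the PSK that can be brute-forced
# offline. Keep the keys long and random and rely on the XAUTH password
# (xauth_psk_server + mode_cfg below) as the second factor.
exchange_mode aggressive;
# Install a dedicated SPD entry pair per client, for the address mode_cfg
# hands out, instead of one shared policy.
generate_policy unique;
# generate_policy on;
# Racoon's IKE payload fragmentation, for paths that drop large UDP packets.
ike_frag on;
# Required for clients behind NAT (UDP/4500, see the listen section).
nat_traversal on;
# Dead-peer detection every 30 s so the SAs and generated policies of
# vanished clients are torn down.
dpd_delay 30;
# Do not fail phase 1 on a lifetime mismatch; roughly, the shorter value is
# used and the initiator is told when ours wins (see proposal_check in
# racoon.conf(5)).
proposal_check claim;
# Phase 1 (IKE SA) lifetime: 24 h.
lifetime time 86400 secs;
# Phase 1 proposals. The AES-256 / SHA-256 / MODP-2048 (group 14) entries
# were added ahead of the original 3DES / MD5 / MODP-1536 ones. Which entry
# is actually used is decided by what the client offers, so the legacy
# entries only exist to keep old clients working -- remove them once every
# client has been migrated. If the installed racoon rejects sha256 or
# dh_group 14 at parse time, use sha1 / dh_group 14 for the new entries.
proposal
{
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method xauth_psk_server;
dh_group 14;
}
proposal
{
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method pre_shared_key;
dh_group 14;
}
# Legacy: 3DES / MD5 / MODP-1536, PSK only (no XAUTH second factor).
proposal
{
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 5;
}
# Legacy: 3DES / MD5 / MODP-1536 with XAUTH.
proposal
{
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method xauth_psk_server;
dh_group 5;
}
}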
#
# Mode Config Section
#
# ISAKMP mode-config: what XAUTH clients are given and how they are
# authenticated.
mode_cfg
{
# Client address pool: pool_size addresses starting at network4, i.e.
# presumably 192.168.254.1-192.168.254.253 (the capture at the end of the
# page shows 192.168.254.1 as a client source address).
network4 192.168.254.1;
pool_size 253;
netmask4 255.255.255.0;
# XAUTH user/password are checked against the system password database and
# restricted to members of the "vpn-user" group. Keep that group limited to
# VPN accounts: a PSK alone is recoverable (see the remote section), so the
# XAUTH password is the real gate.
auth_source system;
auth_groups "vpn-user";
group_source system;
# Client configuration (pool etc.) comes from this file, not RADIUS/LDAP.
conf_source local;
}
#
# SA Info Section
#
# Phase 2 (IPsec SA) parameters for any peer/selector; pairs with
# generate_policy unique in the remote section.
sainfo anonymous
{
# 1 h IPsec SA lifetime (phase 1 is 24 h).
lifetime time 3600 seconds;
# Listed in preference order. 3DES and HMAC-MD5 are legacy fallbacks --
# drop them once no client needs them.
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1, hmac_md5;
# NOTE(review): no pfs_group is set, so phase 2 rekeys get no perfect
# forward secrecy; add e.g. `pfs_group 14;` once all clients support it.
# IPComp (deflate) is offered; peers that do not support it just skip it.
compression_algorithm deflate;
}
###### BSD Router Project Base Configuration ########
# /etc/rc.conf: This file, put your configuration here
# /etc/rc.conf.misc: Special BSDRP configuration parameters (polling, somes sysctl tunning)
# /etc/default/rc.conf: Default FreeBSD value and some examples (Do not edit this file!)
# Hostname
# NOTE(review): no hostname= line follows this header, so the host name must
# come from somewhere else (or the image default).
# Enable SSHd
sshd_enable="YES"
# Enable routing: IPv4 and IPv6 forwarding between interfaces
gateway_enable="YES"
ipv6_gateway_enable="YES"
# Enable IPv6 on every interface. NOTE(review): together with
# ipv6_gateway_enable this box forwards IPv6 too, so the firewall (Shorewall
# is mentioned below) needs IPv6 rules as well.
ipv6_activate_all_interfaces="YES"
# Enable Router Advertisment: currently off. The interface listed (em0) is
# not the one configured below (de0) -- harmless while disabled, but fix it
# before ever turning rtadvd on.
rtadvd_enable="NO"
rtadvd_interfaces="em0"
# Enable RFC1323 extensions (TCP window scaling / timestamps)
tcp_extensions="YES"
# Waiting for a default route (seconds) before the boot continues
defaultroute_delay="5"
# Start Quagga and all its routing daemon. "-A 127.0.0.1" keeps the vty
# listeners on loopback only. NOTE(review): consider starting only the
# daemons actually in use rather than all seven.
quagga_enable="YES"
quagga_flags="-d -A 127.0.0.1"
quagga_daemons="zebra ripd ripngd ospfd ospf6d bgpd isisd"
# IKE daemon (racoon.conf above), logging to its own file.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# Load the static SPD from setkey.conf at boot; racoon's generate_policy adds
# the per-client entries on top of it.
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# LAN address; also the address racoon listens on (listen section above).
ifconfig_de0="inet 192.168.1.21 netmask 255.255.255.0"
# NOTE(review): the default gateway is another host on the same LAN. In the
# capture at the end of the page the router ARPs for 192.168.1.6 and the
# echo requests from the VPN client (192.168.254.1) appear on de0 with
# destination 192.168.1.6, i.e. forwarding out to the LAN appears to work;
# what is probably missing is the return path: presumably 192.168.1.6 sends
# its replies to its own default gateway (192.168.1.1), which has no route
# to 192.168.254.0/24. Add a route for 192.168.254.0/24 via 192.168.1.21 on
# that gateway (or on the LAN hosts), or NAT the VPN pool behind
# 192.168.1.21 -- confirm with a capture on 192.168.1.6 (its host firewall
# is the other candidate).
defaultrouter="192.168.1.1"
If you want to experiment with it I can also provide the Shorewall settings, but I am curious why it does not work, especially since tcpdump shows me that the ping requests reach the router but are not forwarded on to the host on the internal network:
[root@router]~# tcpdump -pni de0 dst 192.168.1.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on de0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:34.798993 ARP, Request who-has 192.168.1.6 tell 192.168.1.21, length 28
15:59:34.800897 IP 192.168.254.1 >
192.168.1.6: ICMP echo request, id 568, seq 6773, length 40
15:59:34.802920 ARP, Reply 192.168.1.21 is-at 00:15:5d:01:f0:14, length 28
15:59:39.743145 IP 192.168.254.1 >
192.168.1.6: ICMP echo request, id 568, seq 6775, length 40
15:59:44.755323 IP 192.168.254.1 >
192.168.1.6: ICMP echo request, id 568, seq 6777, length 40
15:59:49.743558 IP 192.168.254.1 >
192.168.1.6: ICMP echo request, id 568, seq 6779, length 40
Any ideas?