Help with IPSEC
I have an active IPsec tunnel between the company I work for and a client.
I added rules for the esp and ipencap protocols on the enc0 interface and also for isakmp. I found it strange, but the client uses the network 200.185.190.0/24 and needs to access the hosts on this network through the tunnel. How do I make my network access hosts on the network 200.185.190.0/24 if I cannot add a route using the enc0 interface? Thanks!!
It is unclear what the networks look like. It is unclear if the client subnet you are asking about is completely separate from your gateway connections, such as:
Code:
[Your company gateway at IP address a.a.a.a] - { the Internet}
[Your client gateway at IP address b.b.b.b] - {the Internet}
[The 200.185.190/24 subnet somewhere in Brazil] - {the Internet}
But, perhaps the client subnet includes the gateway?
Code:
[Your company gateway at IP address a.a.a.a] - { the Internet}
[Your client gateway at 200.186.190.x] - {the Internet}
jggimi,
I am using the configuration from this site http://www.openbsdsupport.org/vpn-ipsec.html and my tunnel is up. What's the difference between using it or a configuration in the ipsec.conf file? I'm confused...
jggimi,
As I had found this howto using isakmpd.conf I went for it. But there's no problem. I'm already configuring ipsec.conf. The client gave me the following pre-shared key:
Quote:
Is there a limitation on characters when using the password?
Last edited by ocicat; 8th December 2016 at 09:05 AM. Reason: Removed published private key.
It appears you have published your client's private key on the Internet. Inform your customer you have inadvertently done so and instruct your client to change this key immediately.
Strings containing special characters should be escaped. The most common way to do this is inside two double-quote characters (") such as:
Code:
psk "my string"
Please note: best practice is to use pre-shared keys for testing, but not in production. For production, best practice is to use either public key authentication or certificates.
Last edited by jggimi; 8th December 2016 at 12:25 AM. Reason: clarity, typos
christianoliberato, I have deleted reference to your client's private key, but as jggimi has already stated, you should consider it to be compromised. It should be regenerated.
Last edited by ocicat; 8th December 2016 at 09:04 AM. Reason: Clarity |
jggimi / ocicat
The key I posted was not valid. We use it only for testing. The scenario is as follows:
Tunnel Parameters
Company: 200.200.10.10
Client: 200.200.20.20
Authentication algorithm: MD5
Encryption: 3DES
Pre-shared key: 1q2w3e (not true)
Host / network settings
Client: 200.200.30.0/24
Company: 10.20.30.252/30
The configuration I'm doing in ipsec.conf is:
Code:
ike esp from 200.200.10.10 to 200.200.20.20 \
    main auth hmac-md5 enc 3des \
    quick auth hmac-md5 enc 3des \
    psk 1q2w3e
This IP 10.20.30.252/30 is not mine, and I understood that after connecting, an interface with it will be created on my firewall, and to reach 200.200.30.0/24 I will need to create a static route using the IP 10.20.30.252/30 as gateway. I asked the client if this network, 200.200.30.0/24, was correct and they said that it is right. I have never set up IPsec and would like to know if this is the case.
For clarity, I will recreate your ipsec.conf configuration file wrapped in [code] and [/code] tags.
Code:
ike esp from 200.200.10.10 to 200.200.20.20 \
    main auth hmac-md5 enc 3des \
    quick auth hmac-md5 enc 3des \
    psk 1q2w3e
Code:
{10.1.1.0/24} - [IPSec gateway] - 1.2.3.4 {internet}
{internet} - 5.6.7.8 [IPSec gateway] - {10.2.2.0/24}
Code:
ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
ike esp from 1.2.3.4 to 10.2.2.0/24 peer 5.6.7.8
ike esp from 1.2.3.4 to 5.6.7.8
Last edited by jggimi; 11th December 2016 at 05:05 PM. Reason: typos, clarity |
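A small checker, added here as an example and not code from the thread or from OpenBSD, that pulls together the points raised in jggimi's two replies: it reads `ike` rules in the ipsec.conf style shown above (backslash continuations, `from`/`to`/`peer`, `main`/`quick` proposals, `psk`) and reports MD5/3DES proposals, pre-shared keys (fine for testing, not for production), PSK strings with special characters that are not double-quoted, and flows to a remote network that name no `peer` gateway, following the pattern of the three-flow example. It understands only the subset of the ipsec.conf syntax used in this thread; the character set it accepts for an unquoted PSK and the sample rules are assumptions, constructed for the example.

```python
"""Lint ipsec.conf-style 'ike' rules for the issues discussed in the thread.

Added example, not from the thread or OpenBSD. Handles only the rule
subset used above; everything else is reported as unrecognised.
"""
import re

WEAK_AUTH = {"hmac-md5"}            # the thread's MD5 proposal
WEAK_ENC = {"3des", "des"}          # the thread's 3DES proposal
# Assumption: characters that are safe in a psk without double quotes.
UNQUOTED_OK = re.compile(r"^[A-Za-z0-9_-]+$")

RULE_RE = re.compile(
    r"^ike\s+(?:(?:active|passive|dynamic)\s+)?esp\s+"
    r"(?:(?:tunnel|transport)\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?(?P<rest>.*)$"
)
PROPOSAL_RE = re.compile(r"\b(main|quick)\s+((?:(?:auth|enc|group)\s+\S+\s*)+)")
PSK_RE = re.compile(r'\bpsk\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_rules(text):
    """Join backslash-continued lines, skip comment lines, return ike rules."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("ike "):
            rules.append(line)
    return rules


def lint_rule(rule):
    """Return a list of (severity, message) findings for one ike rule."""
    m = RULE_RE.match(rule)
    if not m:
        return [("error", "unrecognised rule syntax")]
    dst, peer, rest = m.group("dst"), m.group("peer"), m.group("rest")
    findings = []

    # A flow to a remote network needs an explicit gateway as the peer
    # (see the net-to-net flows in the example above).
    if peer is None and "/" in dst:
        findings.append(("warn", f"destination {dst} is a network but no 'peer' gateway is given"))

    for phase, body in PROPOSAL_RE.findall(rest):
        opts = dict(re.findall(r"(auth|enc|group)\s+(\S+)", body))
        if opts.get("auth") in WEAK_AUTH:
            findings.append(("warn", f"{phase}: weak auth {opts['auth']}"))
        if opts.get("enc") in WEAK_ENC:
            findings.append(("warn", f"{phase}: weak enc {opts['enc']}"))

    pm = PSK_RE.search(rest)
    if pm:
        findings.append(("info", "pre-shared key in use: acceptable for testing, "
                                 "use public keys or certificates in production"))
        bare = pm.group("bare")
        if bare is not None and not UNQUOTED_OK.match(bare):
            findings.append(("error", "psk contains special characters and must be "
                                      "enclosed in double quotes"))
    return findings


def lint(text):
    """Lint every ike rule in text; returns (rule index, severity, message) tuples."""
    return [(i, sev, msg)
            for i, rule in enumerate(parse_rules(text))
            for sev, msg in lint_rule(rule)]


# Constructed sample modelled on the thread; addresses are the thread's placeholders.
SAMPLE = """\
# rule 0: the configuration from the thread
ike esp from 200.200.10.10 to 200.200.20.20 \\
    main auth hmac-md5 enc 3des \\
    quick auth hmac-md5 enc 3des \\
    psk 1q2w3e
# rule 1: net-to-net flow with an explicit peer
ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
# rule 2: gateway-to-net flow missing its peer
ike esp from 1.2.3.4 to 10.2.2.0/24
# rule 3: psk with special characters left unquoted
ike esp from 1.2.3.4 to 5.6.7.8 psk p@ss word!
"""

if __name__ == "__main__":
    for idx, sev, msg in lint(SAMPLE):
        print(f"rule {idx}: {sev}: {msg}")
```

Run it against a real /etc/ipsec.conf by reading the file into `lint()`; rule 0 above produces four `warn` findings and one `info`, rule 1 is clean, rule 2 warns about the missing peer, and rule 3 is an `error` that the real parser would also reject.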
Hi jggimi,
I did not continue this post because this access would no longer be necessary. But now I need to set up the tunnel with another client. The data sent by them (I changed the IP and password) are:
Quote:
How would this configuration be? Thanks!!
Last edited by roggy; 24th April 2017 at 06:41 PM.
jggimi,
I made the settings like this:
Quote: