IPSec/routing bug in 10.2?


  • Subject: IPSec/routing bug in 10.2?
  • From: Mike Laster <email@hidden>
  • Date: Mon, 16 Sep 2002 17:09:05 -0400

I have a VPN tunnel endpoint on a 10.2 box and am seeing what appears to be a bug in either
IPSec or OS X routing.

I can ping the host on the other end of the tunnel just fine from another box on my network. However,
any attempt at opening a TCP connection (telnet) times out while trying to establish a socket.

Here's where it gets weird. If I run tcpdump on my gateway box (not the one I'm running the telnet from),
then it works! It seems that en0 on the gateway has to be in promiscuous mode or else TCP responses
from the other end of the VPN are not seen. I don't know why ICMP works but TCP doesn't, though.
It's a mystery to me.

Is this a bug, or did I just misconfigure something?

The machine I am telnet/pinging from is 192.168.1.30. Our network is configured as 192.168.1.0/24,
but the admins of the other end won't allow us to have a /24 on our end for security reasons, so we
pretend it is 192.168.1.24/29, which still contains the 192.168.1.30 address. Could this be why things
are acting funny?

setkey.conf:
spdadd 192.168.30.0/24 192.168.1.24/29 any -P in ipsec esp/tunnel/12.26.55.6-216.27.17.50/require;
spdadd 192.168.1.24/29 192.168.30.0/24 any -P out ipsec esp/tunnel/216.27.17.50-12.26.55.6/require;

vpntracker.conf:
##
# Generated by equinux VPN Tracker 1.0PR2
# http://www.equinux.com/vpntracker
##

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

log notify;
#log debug2;

padding
{
    randomize off;
    maximum_length 20;
    exclusive_tail off;
    strict_check off;
}

listen
{
    isakmp 216.27.17.50;
}

timer
{
    counter 5;
    interval 20 seconds;
    persend 1;
    phase1 30 seconds;
    phase2 15 seconds;
}


# Connection Type: Default
remote 12.26.55.6
{
    exchange_mode main, aggressive;
    initial_contact off;
    passive off;
    proposal_check strict;
    support_mip6 off;
    generate_policy off;
    nonce_size 16;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
        lifetime time 1 hours;
    }
}

sainfo address 192.168.1.24/29 any address 192.168.30.0/24 any
{
    lifetime time 1 hours;
    encryption_algorithm 3des, cast128, des;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate;
}

psk.txt:
12.26.55.6 my_shared_secret_goes_here
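One thing worth checking when a site advertises a narrower selector than its real LAN (the /29 carved out of the /24 above) is which local hosts actually fall inside the SPD selectors in both directions; anything outside them is not covered by the "require" policy and will be routed in the clear rather than through the tunnel. The following is an added example, not code from the post or from VPN Tracker; it parses the two spdadd lines quoted above (copied here as constructed input) and reports coverage for a given host.

```python
import ipaddress

# Constructed input: the two spdadd lines from the setkey.conf quoted in the post.
SETKEY_CONF = """
spdadd 192.168.30.0/24 192.168.1.24/29 any -P in ipsec esp/tunnel/12.26.55.6-216.27.17.50/require;
spdadd 192.168.1.24/29 192.168.30.0/24 any -P out ipsec esp/tunnel/216.27.17.50-12.26.55.6/require;
"""


def parse_spdadd(line):
    """Parse one 'spdadd SRC DST PROTO -P DIR ipsec ...;' line into its selector tuple."""
    fields = line.strip().rstrip(";").split()
    if not fields or fields[0] != "spdadd":
        raise ValueError("not an spdadd line: %r" % line)
    src, dst, proto = fields[1], fields[2], fields[3]
    direction = fields[fields.index("-P") + 1]  # 'in', 'out' or 'fwd'
    return ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, direction


def load_spd(text):
    """Build the policy list from a setkey.conf fragment, skipping blank lines."""
    return [parse_spdadd(l) for l in text.splitlines() if l.strip()]


def match_policy(policies, src_ip, dst_ip, direction):
    """Return the first policy whose selectors cover src->dst in that direction, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, proto, pdir in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (src_net, dst_net, proto, pdir)
    return None


def check_host(policies, local_ip, remote_ip):
    """True only if traffic local->remote has an 'out' policy AND the reply has an 'in' policy.

    A host that matches only one direction will see its packets silently dropped or sent
    unprotected, which looks like a routing fault rather than a policy fault.
    """
    out = match_policy(policies, local_ip, remote_ip, "out")
    back = match_policy(policies, remote_ip, local_ip, "in")
    return out is not None and back is not None


def uncovered_hosts(policies, lan):
    """List hosts of the real LAN that no 'out' policy covers (their traffic bypasses the tunnel)."""
    out_nets = [p[0] for p in policies if p[3] == "out"]
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if not any(h in n for n in out_nets)]
```

Running `check_host(load_spd(SETKEY_CONF), "192.168.1.30", "192.168.30.10")` confirms that .30 lies inside the /29 in both directions, so the selector pretence is not by itself what breaks TCP for that host; `uncovered_hosts` shows which of the other /24 addresses would be.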
