[vpn-help] Policy configuration

Matthew Grooms mgrooms at shrew.net
Mon Mar 13 03:54:02 CST 2006


Michael Ragusa wrote:
> I was reading the howto and have used a few of the alpha copies, and 
> everything works fine, but when I connect up to my racoon gateway I get 
> SPD errors. How do I configure incoming and outgoing policy in the 
> Shrew Soft client?
> 
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help

Michael,

      Thanks very much for trying out the software. There are two 
methods for configuring client side security policies. Both of these 
methods involve the client using its client address and a remote network 
list to generate the policies.

For the automatic config method ( ipsec-tools CVS only ), you specify 
the list of private networks a client should build policies for using 
the split network include statement of the mode_cfg section in 
racoon.conf. The client will request this list from the gateway after 
authentication completes.

For the manual config method ( ipsec-tools 6.x ), you specify the list 
of private networks a client should build policies for by defining them 
in the policy tab of a site configuration using the VPN Access Manager.

Here is an example setup to get you started. Let's say you have a VPN 
gateway running ipsec-tools and a few remote clients running the VPN 
client with the following network configuration ...

private dns server 10.1.1.2
private network #1 10.1.1.0/24
private network #2 10.2.2.0/24
vpn client address pool 10.99.99.0/24

mode_cfg
{
	# racoon CVS only
	#
	default_domain "mydomain.net";
	split_network include 10.1.1.0/24,10.2.2.0/24;

	# racoon 6.x
	#
	pool_size 253;
	network4 10.99.99.1;
	netmask4 255.255.255.0;
	auth_source system;
	dns4 10.1.1.2;
}

Let's assume that the first client connects from address x.x.x.x to our 
gateway at address y.y.y.y and gets assigned the client address 
10.99.99.1 from the mode_cfg pool. The client would then generate the 
equivalent of these SPD policies for its side of the connection ...

# outbound: client 10.99.99.1 -> private network #1, tunnelled x.x.x.x -> y.y.y.y
spdadd 10.99.99.1 10.1.1.0/24 any -P out ipsec \
	esp/tunnel/x.x.x.x-y.y.y.y/require ;

# inbound: private network #1 -> client 10.99.99.1, tunnelled y.y.y.y -> x.x.x.x
spdadd 10.1.1.0/24 10.99.99.1 any -P in ipsec \
	esp/tunnel/y.y.y.y-x.x.x.x/require ;

# outbound: client 10.99.99.1 -> private network #2
spdadd 10.99.99.1 10.2.2.0/24 any -P out ipsec \
	esp/tunnel/x.x.x.x-y.y.y.y/require ;

# inbound: private network #2 -> client 10.99.99.1
spdadd 10.2.2.0/24 10.99.99.1 any -P in ipsec \
	esp/tunnel/y.y.y.y-x.x.x.x/require ;

... Policies will also be generated in SPD by the gateway for its side 
of the connection ( with inverted parameters of course ). But for this 
to work properly, you _must_ use the generate_policy option in your 
anonymous remote section of the racoon.conf config file.

Also, please use the latest beta. Every release fixes countless bugs and 
offers corrected or increased functionality. I already fixed a serious 
bug in beta 7 so please use this package for any further testing ...

http://www.shrew.net/download/vpn-client-1.0-beta-8.exe

I would be more than happy to help troubleshoot the issue you are 
seeing but will need more information about your configuration. It would 
also help to include the debug output from racoon and the client 
software ( mailed directly to me ) so I can see where we are getting 
tripped up.

Thanks,

-Matthew
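
Added example (not part of Matthew's message or of the Shrew Soft client code): a small Python script that builds the setkey SPD entries described above from a client address and a split network list, for both the client side and the gateway's mirror image, and checks the address plan for the overlaps that make such policies ambiguous. The public addresses 198.51.100.10 and 203.0.113.1 are constructed documentation-range placeholders standing in for x.x.x.x and y.y.y.y; the function names are mine.

```python
"""Build setkey SPD entries from a client address and a split network list.

Mirrors the scheme in the message: for every remote private network the
client gets one 'out' policy (client -> network) and one 'in' policy
(network -> client); the gateway installs the same selectors with the
direction inverted. Standard library only, so it runs offline.
"""
import ipaddress

# Constructed sample layout (documentation-range public addresses stand
# in for x.x.x.x and y.y.y.y in the original message).
CLIENT_PUBLIC = "198.51.100.10"   # assumed: the client's Internet address
GATEWAY_PUBLIC = "203.0.113.1"    # assumed: the racoon gateway's address
CLIENT_POOL = "10.99.99.0/24"     # mode_cfg pool from the message
SPLIT_NETWORKS = ["10.1.1.0/24", "10.2.2.0/24"]


def _fmt(net):
    """Render a selector as setkey expects: bare address for a host, CIDR otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def _spdadd(src, dst, direction, tunnel_src, tunnel_dst):
    """One spdadd line requiring ESP in tunnel mode between two endpoints."""
    return (f"spdadd {src} {dst} any -P {direction} ipsec "
            f"esp/tunnel/{tunnel_src}-{tunnel_dst}/require;")


def spd_policies(side, client_addr, client_pub, gateway_pub, networks):
    """Return the spdadd lines one side installs.

    side == "client": client -> network is 'out' through the
    client_pub -> gateway_pub tunnel; network -> client is 'in'.
    side == "gateway": same selectors and tunnel endpoints, direction
    inverted, which is what generate_policy yields on the gateway.
    """
    if side not in ("client", "gateway"):
        raise ValueError("side must be 'client' or 'gateway'")
    client = _fmt(ipaddress.ip_network(client_addr))
    lines = []
    for text in networks:
        net = _fmt(ipaddress.ip_network(text))
        lines.append(_spdadd(client, net,
                             "out" if side == "client" else "in",
                             client_pub, gateway_pub))
        lines.append(_spdadd(net, client,
                             "in" if side == "client" else "out",
                             gateway_pub, client_pub))
    return lines


def layout_problems(pool, client_addr, networks):
    """Return human-readable reasons the address plan would misbehave.

    A client address outside the pool, a split network overlapping the
    pool, or two split networks overlapping each other all produce
    policies whose selectors match the wrong traffic.
    """
    problems = []
    pool_net = ipaddress.ip_network(pool)
    client = ipaddress.ip_address(client_addr)
    if client not in pool_net:
        problems.append(f"client {client} is outside the pool {pool_net}")
    nets = [ipaddress.ip_network(n) for n in networks]
    for net in nets:
        if net.overlaps(pool_net):
            problems.append(f"split network {net} overlaps the client pool {pool_net}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"split networks {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    client_addr = "10.99.99.1"  # first address handed out from the pool
    for problem in layout_problems(CLIENT_POOL, client_addr, SPLIT_NETWORKS):
        print("warning:", problem)
    for side in ("client", "gateway"):
        print(f"# {side} side")
        for line in spd_policies(side, client_addr, CLIENT_PUBLIC,
                                 GATEWAY_PUBLIC, SPLIT_NETWORKS):
            print(line)
```

Run it as-is to print the four client-side lines from the message (with the placeholder endpoints) followed by the gateway's inverted set; pipe the output into `setkey -c` only on a host whose existing SPD you have reviewed, since spdadd entries accumulate rather than replace.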
