[vpn-help] Policy configuration
Matthew Grooms
mgrooms at shrew.net
Mon Mar 13 03:54:02 CST 2006
Michael Ragusa wrote:
> I was reading the howto and have used a few of the alpha copies, and
> everything works fine, but when I connect up to my racoon gateway I get
> SPD errors. How do I configure incoming and outgoing policy in the
> Shrew Soft client?
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
Michael,
Thanks very much for trying out the software. There are two
methods for configuring client side security policies. Both of these
methods involve the client using its client address and a remote network
list to generate the policies.
For the automatic config method ( ipsec-tools CVS only ), you specify
the list of private networks a client should build policies for using
the split network include statement of the mode_cfg section in
racoon.conf. The client will request this list from the gateway after
authentication completes.
For the manual config method ( ipsec-tools 6.x ), you specify the list
of private networks a client should build policies for by defining them
in the policy tab of a site configuration using the VPN Access Manager.
Here is an example setup to get you started. Let's say you have a VPN
gateway running ipsec-tools and a few remote clients running the VPN
client with the following network configuration ...
private dns server 10.1.1.2
private network #1 10.1.1.0/24
private network #2 10.2.2.0/24
vpn client address pool 10.99.99.0/24
mode_cfg
{
    # racoon CVS only
    #
    default_domain "mydomain.net";
    split_network include 10.1.1.0/24,10.2.2.0/24;

    # racoon 6.x
    #
    pool_size 253;
    network4 10.99.99.1;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 10.1.1.2;
}
Let's assume that the first client connects from address x.x.x.x to our
gateway at address y.y.y.y and gets assigned the client address
10.99.99.1 from the mode_cfg pool. The client would then generate the
equivalent of these SPD policies for its side of the connection ...
spdadd 10.99.99.1 10.1.1.0/24 any -P out ipsec \
esp/tunnel/x.x.x.x-y.y.y.y/require ;
spdadd 10.1.1.0/24 10.99.99.1 any -P in ipsec \
esp/tunnel/y.y.y.y-x.x.x.x/require ;
spdadd 10.99.99.1 10.2.2.0/24 any -P out ipsec \
esp/tunnel/x.x.x.x-y.y.y.y/require ;
spdadd 10.2.2.0/24 10.99.99.1 any -P in ipsec \
esp/tunnel/y.y.y.y-x.x.x.x/require ;
... Policies will also be generated in SPD by the gateway for its side
of the connection ( with inverted parameters of course ). But for this
to work properly, you _must_ use the generate_policy option in your
anonymous remote section of the racoon.conf config file.
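As an added illustration (my own example, not code from the Shrew Soft client or from racoon), the following script builds the setkey policy lines above from the same three inputs the client uses (its assigned address, the two tunnel endpoints and the remote network list), builds the gateway's inverted set, and then checks that every client policy has its mirror on the gateway. The public addresses 203.0.113.5 and 198.51.100.1 stand in for x.x.x.x and y.y.y.y and are constructed sample values; the check is a useful first step when one side reports SPD errors, because a missing or mismatched mirror policy is what such an error usually points at.

```python
"""Generate and cross-check setkey SPD policies for a client and its gateway.

Added example, not the Shrew Soft client's or racoon's own code. It
reproduces the policy shapes from the mail: the client side uses its
assigned address plus the remote network list; the gateway side uses the
same data with source/destination and tunnel endpoints inverted.
"""
import re
from ipaddress import ip_address, ip_network

# Matches the single-line form of the policies quoted in the mail.
_SPD = re.compile(
    r"spdadd (\S+) (\S+) any -P (in|out) ipsec esp/tunnel/(\S+)-(\S+)/require;"
)


def client_policies(client_addr, client_pub, gateway_pub, networks):
    """Policies the client installs: out towards each network, in from it."""
    client_addr = ip_address(client_addr)
    lines = []
    for net in networks:
        net = ip_network(net)
        lines.append(f"spdadd {client_addr} {net} any -P out ipsec "
                     f"esp/tunnel/{client_pub}-{gateway_pub}/require;")
        lines.append(f"spdadd {net} {client_addr} any -P in ipsec "
                     f"esp/tunnel/{gateway_pub}-{client_pub}/require;")
    return lines


def gateway_policies(client_addr, client_pub, gateway_pub, networks):
    """Gateway side: same selectors, direction and tunnel endpoints inverted."""
    client_addr = ip_address(client_addr)
    lines = []
    for net in networks:
        net = ip_network(net)
        lines.append(f"spdadd {net} {client_addr} any -P out ipsec "
                     f"esp/tunnel/{gateway_pub}-{client_pub}/require;")
        lines.append(f"spdadd {client_addr} {net} any -P in ipsec "
                     f"esp/tunnel/{client_pub}-{gateway_pub}/require;")
    return lines


def parse_policy(line):
    """Split one spdadd line into (src, dst, direction, tunnel_src, tunnel_dst)."""
    m = _SPD.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised policy: {line!r}")
    return m.groups()


def mismatched_policies(client_lines, gateway_lines):
    """Return the client policies that have no mirror on the gateway.

    A client 'out' policy (src -> dst via tunnel a-b) must be matched by a
    gateway 'in' policy with identical selectors and tunnel endpoints, and
    a client 'in' policy by a gateway 'out' policy. Anything left over is
    traffic one side will protect and the other will reject.
    """
    gateway = {parse_policy(line) for line in gateway_lines}
    missing = []
    for line in client_lines:
        src, dst, direction, tsrc, tdst = parse_policy(line)
        mirror = (src, dst, "in" if direction == "out" else "out", tsrc, tdst)
        if mirror not in gateway:
            missing.append(line)
    return missing


if __name__ == "__main__":
    # Constructed sample values: assigned client address from the mode_cfg
    # pool, public endpoints standing in for x.x.x.x / y.y.y.y, and the two
    # private networks from the mail.
    nets = ["10.1.1.0/24", "10.2.2.0/24"]
    client = client_policies("10.99.99.1", "203.0.113.5", "198.51.100.1", nets)
    gateway = gateway_policies("10.99.99.1", "203.0.113.5", "198.51.100.1", nets)
    print("# client side")
    print("\n".join(client))
    print("# gateway side")
    print("\n".join(gateway))
    print("# unmatched on gateway:", mismatched_policies(client, gateway))
```

Feeding a gateway that only knows about 10.1.1.0/24 (the situation when split_network and the client's policy tab disagree) makes the check return the two 10.2.2.0/24 policies, which is exactly the traffic that would fail.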
Also, please use the latest beta. Every release fixes countless bugs and
offers corrected or increased functionality. I already fixed a serious
bug in beta 7 so please use this package for any further testing ...
http://www.shrew.net/download/vpn-client-1.0-beta-8.exe
I would be more than happy to help troubleshoot the issue you are
seeing but will need more information about your configuration. It would
also help to include the debug output from racoon and the client
software ( mailed directly to me ) so I can see where we are getting
tripped up.
Thanks,
-Matthew