From owner-freebsd-net@FreeBSD.ORG Wed Jul 9 18:04:57 2008
From: zaphod@fsklaw.com
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org, zaphod@fsklaw.com, Mike Tancsa
Date: Wed, 9 Jul 2008 11:03:28 -0700 (PDT)
Subject: Re: Tunneling issues
Message-ID: <3d2c56c963f5fc5f6732548548068f69.squirrel@cor>
In-Reply-To: <4874FA1F.40209@elischer.org>
References: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor> <200807040155.m641tl8s000607@lava.sentex.ca> <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor> <200807091545.m69FjcP4031350@lava.sentex.ca> <4874FA1F.40209@elischer.org>
User-Agent: SquirrelMail/1.4.15
List-Id: Networking and TCP/IP with FreeBSD

> zaphod@fsklaw.com wrote:
>>> At 11:21 AM 7/9/2008, zaphod@fsklaw.com wrote:
>>>
>>>> I agree it should work. But it's not. With respect to the next two
>>>> questions, yes and yes.
>>> Can you post some of the configs you are using for 3 of the sites so
>>> we can perhaps spot the problem(s) you are having? I have a similar
>>> setup with 5 sites, all talking to each other via IPSEC tunnels. It's
>>> a lot of policies, but they work just fine.
>>>
>>>> I'm not a huge fan of OpenVPN, but the bigger issue is that the gif
>>>> tunnels come up at boot up. As well as routes. Given the client server
>>>> nature of OpenVPN it is suitable, because if a server reboots, I'm not
>>>> certain a client would auto re-connect.
>>> We have ~ 400 sites running OpenVPN across Canada that all reconnect
>>> just fine after reboots / power cycles etc. We don't let the clients
>>> talk to each other, but that would just be a config change to allow
>>> that to work.
>>>
>>> ---Mike
>>>
>> Last first. Well, that's good info on OpenVPN.
>>
>> As to the first, I'm not even at the ipsec stage yet. I'm just trying to
>> get tunnels up. I wrote a couple of shell scripts to bring them up for
>> testing.
>>
>> Server1
>>
>> orange# more mkgif
>> #!/bin/sh
>> ifconfig gif1 create
>> ifconfig gif1 1.1.1.1 2.2.2.2
>
> ^^^^ what's that for?

Well, I added that as I was googling the problem; someone had said to do it,
so I tried it. It wasn't there initially. Doesn't work with or without.

> since you over-ride it in the next line vvvvv
>
>
>> ifconfig gif1 inet 192.168.72.1 192.168.70.1 netmask 255.255.255.0
>
> (PTP links don't have netmasks)
>

snip: Got it from the manual:

# ifconfig gif0 create
# ifconfig gif0 tunnel A.B.C.D W.X.Y.Z
# ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff

I'll try it without.

Cheers,
Zaphod
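As an added illustration (not code from this thread, nor from FreeBSD's own rc scripts), the helper below emits the ifconfig(8) commands for one gif(4) tunnel in the order the handbook snippet quoted above uses: create the interface, set the outer endpoints with the "tunnel" keyword, then set the inner point-to-point addresses without a netmask. It prints the commands rather than running them, so the generated configuration for both ends of a link can be reviewed (and diffed against what actually got typed, which is how the missing "tunnel" keyword in a hand-written script tends to get noticed) before it is piped to sh on the FreeBSD host. The interface name check, the dotted-quad validator and the 203.0.113.0/24 and 198.51.100.0/24 sample addresses are constructed for the example; only the command shape comes from the manual snippet.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeBSD itself.
# Generates, but does not execute, the ifconfig(8) commands for a gif(4)
# point-to-point tunnel in the handbook's order: create, tunnel, inet.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# gif_up IFACE OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# Prints the three commands that bring the tunnel up on THIS end.
# The outer (public) endpoints go on the "tunnel" line; the inner addresses
# go on the "inet" line with no netmask, since a PTP link has none.
gif_up() {
    if [ $# -ne 5 ]; then
        echo "usage: gif_up IFACE OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE" >&2
        return 2
    fi
    _iface=$1
    case $_iface in
        gif[0-9]*) ;;
        *) echo "gif_up: '$_iface' is not a gif interface name" >&2; return 1 ;;
    esac
    shift
    for _a in "$@"; do
        is_ipv4 "$_a" || { echo "gif_up: bad IPv4 address: $_a" >&2; return 1; }
    done
    printf 'ifconfig %s create\n' "$_iface"
    printf 'ifconfig %s tunnel %s %s\n' "$_iface" "$1" "$2"
    printf 'ifconfig %s inet %s %s\n' "$_iface" "$3" "$4"
}

# gif_peer: same arguments as gif_up, but prints the configuration for the
# OTHER end of the same tunnel (local and remote swapped), so the two sites'
# scripts are generated from one set of values and cannot drift apart.
gif_peer() {
    [ $# -eq 5 ] || return 2
    gif_up "$1" "$3" "$2" "$5" "$4"
}

# gif_down IFACE: the matching teardown command.
gif_down() {
    printf 'ifconfig %s destroy\n' "$1"
}

# Stand-alone demo with constructed sample addresses: site A's outer address
# is 203.0.113.1, site B's is 198.51.100.1, inner PTP addresses as in the thread.
if [ "${1:-}" = demo ]; then
    echo "# site A:"; gif_up   gif0 203.0.113.1 198.51.100.1 192.168.72.1 192.168.70.1
    echo "# site B:"; gif_peer gif0 203.0.113.1 198.51.100.1 192.168.72.1 192.168.70.1
fi
```

Run it as `sh mkgif.sh demo` to see both ends' command lists side by side; on the FreeBSD box, `gif_up ... | sh` applies one end once the output has been checked. Keeping the generator separate from execution is deliberate: a tunnel script that runs at boot is easier to audit when the exact commands it will issue can be printed and compared first.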