Date: Wed, 10 Jun 2009 10:03:31 -0300
From: Chris Bowlby <excalibur@accesswave.ca>
To: freebsd-net@freebsd.org
Subject: IPSec VPN issues
Message-ID: <4A2FAF23.6090906@accesswave.ca>
Hi Everyone,

I let this question sit in freebsd-questions overnight before posting this here, as I did not get any responses. Any help would be appreciated.

--------------------------------

I'm in the process of configuring a VPN tunnel via IPSec to another network to provide an easy means to manage both networks. I can get the VPN established from my FreeBSD box to the server on the other side, but I can't seem to route any traffic through the interface so that it goes to the other side of the VPN. I know I am missing a step, but I can't seem to find any information in the documentation about what that step might be.

Here is what I have so far:

I have compiled my kernel with the following options:

    # IP Sec Options
    options IPSEC              # IP Security
    options IPSEC_DEBUG        # debug for IP security
    options IPSEC_FILTERTUNNEL # To properly filter on the inner packets

(this was done in case I needed to expand some firewalling to this box)

And added the crypto device:

    # IPSec device
    device crypto

The kernel is installed and running with no issues as far as I can tell.

I have also installed security/ipsec-tools, though I did notice that a kernel patch was required for something related to NAT. As I am running FreeBSD 7.2, I was not sure if that patch was still required, and I am honestly not sure if NATing is what I need/require to get this running.
My interfaces are as follows:

    amaethon# ifconfig
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
            inet 1xx.1xx.2xx.2xx netmask 0xffffff00 broadcast 1xx.1xx.2xx.255
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
            tunnel inet 1xx.1xx.2xx.2 --> xxx.2xx.1xx.1xx
            inet 1xx.1xx.2xx.2 --> 1xx.1xx.xxx.1 netmask 0xfffffc00

The routing tables are as follows:

    Destination        Gateway             Flags  Refs     Use  Netif Expire
    default            1xx.1xx.2xx.1       UGS       0    1807    em0
    127.0.0.1          127.0.0.1           UH        0       4    lo0
    1xx.1xx.xxx.0/22   1xx.1xx.xxx.1       UGS       0       0   gif0
    1xx.1xx.xxx.1      1xx.1xx.2xx.2       UH        1     327   gif0
    1xx.1xx.2xx.0/24   link#1              UC        0       0    em0
    1xx.1xx.2xx.1      00:13:10:09:5b:1f   UHLW      2       0    em0   1114
    1xx.1xx.2xx.2      00:1c:c0:94:2c:0c   UHLW      1     924    lo0

Right now I am simply looking to have any local (to the host) pinging a system on the other side. As I don't have immediate access to the routing details of the other end, and it's configured exactly the same as it has been for other VPNs, I am inclined to believe the issue is on my side of the VPN.

The system I have only has one NIC in it at this time, but can easily be configured to have a second. The system is also behind another system that is handling the local routing and firewalling, and is NATing all appropriate traffic to the various boxes.

I have used the examples in the FreeBSD Handbook to guide me as far as I have gotten thus far (btw there is a step missing in there, forgetting to tell you to run setkey -f /path/to/racoon/setkey.conf). I have googled everything I can find, looked over freebsd.org and freebsddiary.org (those articles are a bit outdated I think), and have found no information to indicate what I am missing. I suspect it might be that this system is not doing traffic NATing, or a packet filter configuration is required, but I have tried every example with no luck.

At this point I am stuck, and looking for some guidance.
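As an added example (not the original poster's code), the sh script below prints the setkey(8) policy pair that the Handbook's gif+IPsec recipe loads with `setkey -f`, and runs the checks that tell apart a missing SPD policy, a missing SA, a missing route and inner packets being dropped on gif0. The two public addresses are placeholders for the masked ones above, and the policy shape assumes the Handbook recipe (ESP tunnel mode protecting the ipencap traffic between the two endpoints) is what was followed.

```shell
#!/bin/sh
# Added example, not from the post: the setkey(8) policy pair that the FreeBSD
# Handbook's gif+IPsec recipe loads with `setkey -f`, plus the checks that
# separate "no route to gif0", "no SA negotiated" and "filtered on gif0".
# The two addresses are placeholders for the masked public addresses in the post.
LOCAL_PUB="192.0.2.2"       # this host's public address (the em0 address)
REMOTE_PUB="198.51.100.1"   # the peer's public address (the gif tunnel target)

# Emit tunnel-mode policies for the ipencap (gif) traffic between the endpoints.
# Without an SPD entry the kernel sends the gif packets out as plain ipencap,
# which a peer whose policy requires ESP will not accept.
gen_spd() {
    lp=$1; rp=$2
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lp" "$rp" "$lp" "$rp"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rp" "$lp" "$rp" "$lp"
}

# Number of spdadd lines produced; a correct policy file has exactly two.
count_spd() { gen_spd "$1" "$2" | grep -c '^spdadd '; }

# Run on the FreeBSD host: each block answers one question in turn.
diagnose() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey(8) not found"; return 1; }
    echo "== SPD: both ipencap policies should be listed =="; setkey -DP
    echo "== SAD: empty means racoon never negotiated keys =="; setkey -D
    echo "== Route: the remote LAN must point at gif0 =="; netstat -rn | grep gif0
    # IPSEC_FILTERTUNNEL makes the firewall see the inner (gif0) packets too,
    # so a rule set that only passes ESP on em0 silently drops the ping.
    echo "== Inner packets seen on gif0? (run a ping from another shell) =="
    tcpdump -ni gif0 -c 5 icmp
    echo "== ESP leaving em0 toward the peer? =="
    tcpdump -ni em0 -c 5 "esp and host $REMOTE_PUB"
}

case "${1:-}" in
    spd)   gen_spd "$LOCAL_PUB" "$REMOTE_PUB" ;;   # ./ipsec-check.sh spd > setkey.conf
    check) diagnose ;;
esac
```

Load the generated file with `setkey -f` before starting racoon, then use `check` while pinging the far side: an empty SAD points at racoon, a route without gif0 at the routing table, and ICMP on gif0 but no ESP on em0 at the SPD or the packet filter.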