From: Chris Bowlby <excalibur@accesswave.ca>
To: freebsd-net@freebsd.org
Date: Wed, 10 Jun 2009 10:03:31 -0300
Subject: IPSec VPN issues
Message-id: <4A2FAF23.6090906@accesswave.ca>
List: freebsd-net (Networking and TCP/IP with FreeBSD)

Hi Everyone,

I let this question sit in freebsd-questions overnight before posting this here, as I did not get any responses. Any help would be appreciated.

--------------------------------

I'm in the process of configuring a VPN tunnel via IPSec to another network to provide an easy means to manage both networks. I can get the VPN established from my FreeBSD box to the server on the other side, but I can't seem to route any traffic through the interface so that it goes to the other side of the VPN. I know I am missing a step, but I can't seem to find any information in the documentation about what that step might be.

Here is what I have so far:

I have compiled my kernel with the following options:

    # IP Sec Options
    options IPSEC               # IP Security
    options IPSEC_DEBUG         # debug for IP security
    options IPSEC_FILTERTUNNEL  # To properly filter on the inner packets

(this was done in case I needed to expand some firewalling to this box)

And added the crypto device:

    # IPSec device
    device crypto

The kernel is installed and running with no issues as far as I can tell. I have also installed security/ipsec-tools, though I did notice that a kernel patch was required for something related to NAT. As I am running FreeBSD 7.2, I was not sure if that patch was still required, and I am honestly not sure if NATing is what I need/require to get this running.
My interfaces are as follows:

    amaethon# ifconfig
    em0: flags=8843 metric 0 mtu 1500
            options=19b
            inet 1xx.1xx.2xx.2xx netmask 0xffffff00 broadcast 1xx.1xx.2xx.255
            media: Ethernet autoselect (100baseTX )
            status: active
    gif0: flags=8051 metric 0 mtu 1280
            tunnel inet 1xx.1xx.2xx.2 --> xxx.2xx.1xx.1xx
            inet 1xx.1xx.2xx.2 --> 1xx.1xx.xxx.1 netmask 0xfffffc00

The routing tables are as follows:

    default            1xx.1xx.2xx.1      UGS   0   1807   em0
    127.0.0.1          127.0.0.1          UH    0      4   lo0
    1xx.1xx.xxx.0/22   1xx.1xx.xxx.1      UGS   0      0   gif0
    1xx.1xx.xxx.1      1xx.1xx.2xx.2      UH    1    327   gif0
    1xx.1xx.2xx.0/24   link#1             UC    0      0   em0
    1xx.1xx.2xx.1      00:13:10:09:5b:1f  UHLW  2      0   em0   1114
    1xx.1xx.2xx.2      00:1c:c0:94:2c:0c  UHLW  1    924   lo0

Right now I am simply looking to have anything local (to the host) ping a system on the other side. As I don't have immediate access to the routing details of the other end, and it's configured exactly the same as it has been for other VPNs, I am inclined to believe the issue is on my side of the VPN.

The system I have only has one NIC in it at this time, but can easily be configured to have a second. The system is also behind another system that is handling the local routing and firewalling, and is NATing all appropriate traffic to the various boxes.

I have used the examples in the FreeBSD Handbook to guide me as far as I have gotten thus far (btw there is a step missing in there, forgetting to tell you to run setkey -f /path/to/racoon/setkey.conf). I have googled everything I can find, looked over freebsd.org and freebsddiary.org (those articles are a bit outdated I think), and have found no information to indicate what I am missing. I suspect it might be that this system is not doing traffic NATing, or a packet filter configuration is required, but I have tried every example with no luck.

At this point I am stuck, and looking for some guidance.
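A routing sanity check over the kind of output quoted in the post, added here as an example and not part of the original message or of any FreeBSD tool: it parses `ifconfig gif0` and `netstat -rn` text (constructed samples in documentation address ranges stand in for the poster's masked addresses) and reports whether hosts behind the peer are routed via gif0 and whether the outer tunnel peer is itself wrongly routed into the tunnel, a general gif(4) pitfall that makes encapsulated packets loop instead of leaving via the real NIC.

```python
import ipaddress
import re
# Constructed sample output modelled on the post; the addresses are
# documentation ranges standing in for the poster's masked ones.
IFCONFIG_GIF0 = """gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 192.0.2.2 --> 198.51.100.10
        inet 192.0.2.2 --> 10.20.0.1 netmask 0xfffffc00
"""
NETSTAT_RN = """default            192.0.2.1          UGS    0   1807  em0
127.0.0.1          127.0.0.1          UH     0      4  lo0
10.20.0.0/22       10.20.0.1          UGS    0      0  gif0
10.20.0.1          192.0.2.2          UH     1    327  gif0
192.0.2.0/24       link#1             UC     0      0  em0
"""
# Same table with the classic mistake: the outer peer itself routed into gif0.
NETSTAT_LOOPED = NETSTAT_RN + "198.51.100.10      10.20.0.1          UGH    0      0  gif0\n"

def parse_gif(text):
    """Pull the outer (tunnel) and inner endpoints out of 'ifconfig gif0' output."""
    outer = re.search(r"tunnel inet (\S+) --> (\S+)", text)
    inner = re.search(r"inet (\S+) --> (\S+) netmask (0x[0-9a-f]+)", text)
    prefix = bin(int(inner.group(3), 16)).count("1")   # 0xfffffc00 -> /22
    return {"outer_peer": outer.group(2), "inner_peer": inner.group(2),
            "inner_net": ipaddress.ip_network(f"{inner.group(2)}/{prefix}", strict=False)}

def parse_routes(text):
    """Turn 'netstat -rn' lines into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6:          # skip headers / blank lines
            continue
        dest = "0.0.0.0/0" if cols[0] == "default" else cols[0]
        routes.append((ipaddress.ip_network(dest, strict=False), cols[1], cols[5]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, the way the kernel picks the outgoing interface."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else None

def check_tunnel(ifconfig_text, netstat_text):
    gif = parse_gif(ifconfig_text)
    routes = parse_routes(netstat_text)
    far_host = str(gif["inner_net"].network_address + 5)   # any host behind the peer
    outer_if = lookup(routes, gif["outer_peer"])            # must be the real NIC
    return {"outer_peer_via": outer_if, "outer_loops_into_tunnel": outer_if == "gif0",
            "remote_net_via": lookup(routes, far_host)}    # must be gif0
```

If `remote_net_via` is gif0 and the outer peer leaves via em0 but pings still fail, the next thing to inspect is the SPD (`setkey -DP`), which the post notes the Handbook omits loading.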