Date:      Sat, 3 Apr 2004 12:01:56 -0700
From:      Stephen Rozzo <stephen@sonn.com>
To:        freebsd-security@freebsd.org
Subject:   IPSec Racoon and Port Forwarding
Message-ID:  <20040403190156.GA45280@sonn.com>

Hello,

	I have given myself quite the headache trying to make this VPN work correctly. I am attempting to use racoon to establish keys and construct an encrypted tunnel between one host (A.A.A.A) with a routable IP address and another that has a private address (10.0.0.2) behind a cable modem (B.B.B.B) forwarding all ports to the private address (10.0.0.2). Here is a quick topographic depiction of the infrastructure:


                     192.168.121.0/24
                    ------------------
                            |
                            |
                       _____|_____
                      |           |priv_int 192.168.121.253
       VPN Gateway(1) |           |
                      |___________|pub_int A.A.A.A
                            |
                      ~~~~~~~~~~~~~
                         Internet
                      ~~~~~~~~~~~~~
                       _____|_____
                      |           |
         Cable Modem  |           |pub_int B.B.B.B (forwarded to 10.0.0.2)
                      |___________|
                       _____|_____
                      |           |pub/priv_int 10.0.0.2
       VPN Gateway(2) |           |
                      |___________|priv_int 192.168.122.254
                            |
                            |
                            |
                    ------------------
                     192.168.122.0/24


Here is what I have in ipsec.conf on VPN Gateway (1):
flush;
spdflush;
spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

ifconfig output:

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.121.253 netmask 0xffffff00 broadcast 192.168.121.255
        ether 00:a0:cc:d1:a2:df
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet A.A.A.A netmask 0xfffffff8 broadcast 216.160.154.159
        ether 00:a0:cc:62:f0:6a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet A.A.A.A --> B.B.B.B
        inet 192.168.121.253 --> 192.168.122.254 netmask 0xffffffff


VPN Gateway 2(10.0.0.1) ipsec.conf:
spdadd 0.0.0.0/0 A.A.A.A/32 ipencap -P out ipsec esp/tunnel/10.0.0.2-A.A.A.A/require;
spdadd A.A.A.A/32 0.0.0.0/0 ipencap -P in ipsec esp/tunnel/A.A.A.A-10.0.0.2/require;

ifconfig output:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:0e:7f:ff:0e:0c
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 192.168.122.254 netmask 0xffffff00 broadcast 192.168.122.255
        ether 00:04:75:8b:80:ce
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.0.0.2 --> A.A.A.A
        inet 192.168.122.254 --> 192.168.121.253 netmask 0xffffffff

Until I instate an SP for these two hosts I can pass traffic back and forth to both private subnets (192.168.X.X) just fine. Once I read in these ipsec policies I cannot get any traffic back and forth. Any suggestions? I looked numerous places and found no one else documenting problems or success.


Thanks


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040403190156.GA45280>
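An added consistency check, not part of the original post and not FreeBSD or racoon code: it parses the spdadd entries from both gateways' ipsec.conf as quoted above and reports tunnel-mode policies whose SA endpoints do not agree between the two peers, or that name an address the other gateway does not actually have. The A.A.A.A and B.B.B.B placeholders are kept as opaque tokens, the per-gateway address lists are taken from the two ifconfig listings, and the mirrored pair at the bottom uses constructed documentation addresses (203.0.113.1 and 198.51.100.2) as a passing control. Run on the post's own policies it reports that gateway 1 names B.B.B.B as gateway 2's end of the SA while gateway 2 names 10.0.0.2, so the two SPDs do not describe the same SA, and that B.B.B.B is not configured on gateway 2 at all.

```python
"""Consistency check for setkey(8) SPD entries on two IPsec gateways.

Added example, not code from the original post, FreeBSD or racoon: parses
`spdadd` lines as written in ipsec.conf on each gateway and reports tunnel-mode
policies whose SA endpoints disagree between the two ends or name an address
the peer does not own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# spdadd <src_range> <dst_range> <upperspec> -P <in|out> ipsec <proto>/<mode>/<src>-<dst>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+)/(?P<level>default|use|require|unique)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    tunnel_src: str
    tunnel_dst: str
    level: str

    @property
    def sa(self) -> str:
        """An SA is named by its outer addresses; both peers must spell it identically."""
        return f"{self.proto}/{self.mode}/{self.tunnel_src}-{self.tunnel_dst}"


def parse_spd(text: str) -> list[Policy]:
    """Extract spdadd entries; flush/spdflush and anything else is ignored."""
    return [
        Policy(m["src"], m["dst"], m["upper"], m["dir"], m["proto"], m["mode"],
               m["tsrc"], m["tdst"], m["level"])
        for m in SPDADD_RE.finditer(text)
    ]


def check_gateways(name_a, conf_a, addrs_a, name_b, conf_b, addrs_b) -> list[str]:
    """Return findings (empty when the two SPDs agree); addrs_* come from ifconfig."""
    findings: list[str] = []
    a = (name_a, parse_spd(conf_a), set(addrs_a))
    b = (name_b, parse_spd(conf_b), set(addrs_b))
    for (me, mine, my_addrs), (peer, theirs, peer_addrs) in ((a, b), (b, a)):
        peer_inbound = {p.sa for p in theirs if p.direction == "in"}
        for p in mine:
            if p.mode != "tunnel":
                continue
            # Which end of the SA is this gateway and which is the peer, as this SPD sees it.
            if p.direction == "out":
                local_end, remote_end = p.tunnel_src, p.tunnel_dst
            else:
                local_end, remote_end = p.tunnel_dst, p.tunnel_src
            if local_end not in my_addrs:
                findings.append(f"{me}: {p.sa} uses {local_end} as its own end, which is not configured on {me}")
            if remote_end not in peer_addrs:
                findings.append(f"{me}: {p.sa} expects {peer} at {remote_end}, which is not configured on {peer}")
            if p.direction == "out" and p.sa not in peer_inbound:
                findings.append(f"{me}: sends on {p.sa} but {peer} has no 'in' policy for that SA")
    return findings


# The post's own policies and interface addresses (placeholders kept verbatim).
GW1_CONF = """
flush;
spdflush;
spdadd A.A.A.A/32 B.B.B.B/32 ipencap -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd B.B.B.B/32 A.A.A.A/32 ipencap -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;
"""
GW1_ADDRS = ["192.168.121.253", "A.A.A.A"]
GW2_CONF = """
spdadd 0.0.0.0/0 A.A.A.A/32 ipencap -P out ipsec esp/tunnel/10.0.0.2-A.A.A.A/require;
spdadd A.A.A.A/32 0.0.0.0/0 ipencap -P in ipsec esp/tunnel/A.A.A.A-10.0.0.2/require;
"""
GW2_ADDRS = ["10.0.0.2", "192.168.122.254"]

# Constructed passing control: two gateways with public addresses and mirrored policies.
GOOD_LEFT_CONF = """
spdadd 203.0.113.1/32 198.51.100.2/32 ipencap -P out ipsec esp/tunnel/203.0.113.1-198.51.100.2/require;
spdadd 198.51.100.2/32 203.0.113.1/32 ipencap -P in ipsec esp/tunnel/198.51.100.2-203.0.113.1/require;
"""
GOOD_LEFT_ADDRS = ["203.0.113.1", "192.168.121.253"]
GOOD_RIGHT_CONF = """
spdadd 198.51.100.2/32 203.0.113.1/32 ipencap -P out ipsec esp/tunnel/198.51.100.2-203.0.113.1/require;
spdadd 203.0.113.1/32 198.51.100.2/32 ipencap -P in ipsec esp/tunnel/203.0.113.1-198.51.100.2/require;
"""
GOOD_RIGHT_ADDRS = ["198.51.100.2", "192.168.122.254"]

if __name__ == "__main__":
    for f in check_gateways("gw1", GW1_CONF, GW1_ADDRS, "gw2", GW2_CONF, GW2_ADDRS):
        print(f)
    print("control:", check_gateways("left", GOOD_LEFT_CONF, GOOD_LEFT_ADDRS,
                                     "right", GOOD_RIGHT_CONF, GOOD_RIGHT_ADDRS))
```

The check is deliberately strict about the outer addresses: a tunnel-mode SA has exactly one source and one destination, and both peers' SPDs (and whatever racoon negotiates from them) have to name the same pair. With the addresses in the post no value on gateway 2 satisfies both findings, because the address gateway 1 sees on the wire (B.B.B.B) is not an address gateway 2 owns, which is what makes the forwarded-port setup different from a pair of directly addressable gateways.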