Date:      Wed, 20 Mar 2002 12:21:07 -0800
From:      Lars Eggert <larse@ISI.EDU>
To:        Rickard Borgmäster <doktorn@realworld.nu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSec tunnel FreeBSD<->OpenBSD using isakmp
Message-ID:  <3C98EF33.6090207@isi.edu>
References:  <20020320205735.0851b080.doktorn@realworld.nu>


Rickard Borgmäster wrote:
 > I've established a tunnel between my home FreeBSD host and a corporate
 > OpenBSD firewall.

IPsec tunnel I assume?

 > I can see this at OpenBSD box:
 > # netstat -rn
 > [...]
 > Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 > 192.168.2/24       0     10.0.0/24          0     0     130.236.218.63/50/use/in
 > 10.0.0/24          0     192.168.2/24       0     0     130.236.218.63/50/require/out
 >
 > However, on the FreeBSD side, netstat -rn won't show anything about
 > 10.0.0.0/24. Maybe Encap routes won't show in the ordinary routing table
 > on FreeBSD?

It looks like the OpenBSD IPsec implementation integrates IPsec tunnel 
mode SAs with the routing table (good!); FreeBSD's KAME doesn't (yet; 
more recent KAME SNAPs have "device sec" which looks promising).

 > From either the OpenBSD or FreeBSD box, I am unable to reach the private
 > net behind the other IPSec node. I.e., from the FreeBSD box, I cannot reach
 > 10.0.0.0/24. And from the OpenBSD box, I cannot reach 192.168.2.0/24.

I bet your boxes pick the wrong source address when you generate packets 
on them to go to the other net, because you don't have any interfaces 
configured on these nets (IPsec SAs aren't interfaces, at least on 
FreeBSD). Try tcpdumping and tell me what you get.

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
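As an added illustration of the diagnosis in this thread (my own example, not code from the thread or from either BSD project): a small Python script that parses the Encap section of OpenBSD's `netstat -rn` exactly as quoted above and then checks, for each outbound tunnel flow, whether the host actually has an interface address inside the flow's source network. If it does not, packets the host generates itself toward the remote net are sourced from some other address and never match the outbound SA, which is the source-address problem Lars suspects. The interface table, the interface names `fxp0`/`fxp1`, the LAN address `10.0.0.1` and all function names are constructed assumptions for the example.

```python
import ipaddress

# The Encap section quoted in the thread (OpenBSD `netstat -rn`), with the
# first column header restored and the wrapped lines rejoined.
ENCAP_OUTPUT = """\
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24       0     10.0.0/24          0     0     130.236.218.63/50/use/in
10.0.0/24          0     192.168.2/24       0     0     130.236.218.63/50/require/out
"""

# Constructed interface table (hypothetical names and addresses): a gateway
# with its public address on fxp0 and a LAN address inside 10.0.0.0/24 on fxp1.
INTERFACES = {"fxp0": ["130.236.218.63/24"], "fxp1": ["10.0.0.1/24"]}

# IP protocol numbers that appear in the SA column.
IP_PROTO_NAMES = {50: "esp", 51: "ah"}


def parse_prefix(text):
    """Expand OpenBSD's abbreviated network notation ('10.0.0/24') into a
    full ipaddress.ip_network ('10.0.0.0/24')."""
    net, _, plen = text.partition("/")
    octets = net.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))


def parse_encap(output):
    """Return one dict per flow line of the Encap section."""
    flows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "Source":
            continue  # header, blank or unrelated line
        src, sport, dst, dport, proto, sa = fields
        peer, sa_proto, level, direction = sa.split("/")
        flows.append({
            "src": parse_prefix(src), "sport": int(sport),
            "dst": parse_prefix(dst), "dport": int(dport),
            "proto": int(proto),
            "peer": ipaddress.ip_address(peer),
            "sa_proto": IP_PROTO_NAMES.get(int(sa_proto), sa_proto),
            "level": level,    # use / require
            "dir": direction,  # in / out
        })
    return flows


def check_source_coverage(flows, interfaces):
    """For every outbound flow, say whether some configured interface address
    falls inside the flow's source network.  A False entry means packets the
    host generates itself toward the remote net will carry a source address
    outside the flow and so never match the outbound SA."""
    addrs = [ipaddress.ip_interface(a).ip
             for addr_list in interfaces.values() for a in addr_list]
    return {str(f["src"]): any(ip in f["src"] for ip in addrs)
            for f in flows if f["dir"] == "out"}


def diagnose(output=ENCAP_OUTPUT, interfaces=INTERFACES):
    """Print a human-readable summary and return the lines printed."""
    flows = parse_encap(output)
    lines = []
    for f in flows:
        lines.append(f"{f['dir']:3} {f['src']} -> {f['dst']} via {f['peer']} "
                     f"({f['sa_proto']}, {f['level']})")
    for net, ok in check_source_coverage(flows, interfaces).items():
        lines.append(f"source net {net}: "
                     + ("covered by a local interface address" if ok else
                        "NO local address in this net; locally generated "
                        "packets will pick another source"))
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    diagnose()
```

Run it with the real Encap output pasted into `ENCAP_OUTPUT` and the host's own addresses in `INTERFACES`; a `False` for the source net is what to expect when the gateway can forward for hosts behind it but cannot reach the far net from its own shell, and tcpdump on the outside interface will then show the mismatched source address in the clear.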

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C98EF33.6090207>