Date:      Wed, 30 Jun 2004 16:23:55 -0500
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        "James P. Howard, II" <howardjp@vocito.com>, <freebsd-questions@freebsd.org>
Subject:   Re: Routing problem in IPv4/IPSec VPN environment
Message-ID:  <066c01c45ee8$8dc26f10$4df24243@tsgincorporated.com>
References:  <20040629195708.GA11542@foxxy.triohost.com>




----- Original Message ----- 
From: "James P. Howard, II" <howardjp@vocito.com>
To: <freebsd-questions@freebsd.org>
Sent: Tuesday, June 29, 2004 2:57 PM
Subject: Routing problem in IPv4/IPSec VPN environment


> As a personal favor, I am building a VPN for a small business.  I
> have chosen FreeBSD for this due to my greater familiarity.  The
> project will consist of linking four sites, each with a FreeBSD
> system providing DHCP, NAT, and VPN services.  I have built DHCP and
> NAT servers before, but the IPSec and VPN is new to me.
>
> Right now, the first two systems are nearly complete.  The two
> machines are named goldengate and waltwhitman.  Here's the IP
> config, currently:
>
>   goldengate:  external 192.168.1.101 internal 10.1.1.1
>   waltwhitman: external 192.168.1.102 internal 10.1.2.1
>
> The external interfaces are in the reserved space because testing is
> taking place behind a cable/DSL router providing NAT services.  The
> output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be
> provided at the end of this message.
>
> IPSec, with Racoon, is properly exchanging keys.  From goldengate, I
> can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.
>
> If a Windows computer is connected behind either system, they
> receive an IP (10.1.x.254, where x is the network number).
>
> The problem is, if behind the 10.1.2.1 firewall, I cannot ping
> 10.1.1.1 and vice-versa.  I assume, at this point, this is some type
> of routing issue and not a problem with IPSec.  This seems to be
> confirmed by the fact tracerouting to the local internal interface
> goes through the *other* internal interface first:

<snip>

Not to be disrespectful, but did you do what I've done in the past and
forget to enable forwarding so the systems can route traffic?

micheal@support/>sysctl -a |grep forward
net.inet.ip.forwarding: 1

If not, make sure that gateway_enable="YES" in rc.conf and reboot, or sysctl
net.inet.ip.forwarding=1 from command line to enable it without a reboot.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
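The two settings Micheal points at live in different places and can disagree: the running kernel value (what `sysctl` reports) and the boot-time setting (`gateway_enable` in rc.conf). The following POSIX sh script is an added example, not code from the thread; it takes both as text and reports whether the box forwards now, only until the next reboot, only after the next reboot, or not at all. The sysctl and rc.conf samples are constructed, and the fastforwarding/ip6 lines are there only to show that the parser keys on the exact `net.inet.ip.forwarding` name.

```shell
#!/bin/sh
# Added example, not from the thread: classify a FreeBSD router's forwarding
# state from the two places the reply names, the running sysctl
# (net.inet.ip.forwarding) and gateway_enable in /etc/rc.conf. Inputs are
# passed as text so the checks can be exercised anywhere; on the router you
# would feed in `sysctl -a | grep forward` and the contents of /etc/rc.conf.

# runtime_forwarding SYSCTL_TEXT: print the running value (0 or 1) of
# net.inet.ip.forwarding, or "unknown" when that exact key is absent.
runtime_forwarding() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^net\.inet\.ip\.forwarding: *\([01]\).*/\1/p' | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# rcconf_gateway RCCONF_TEXT: print "yes" if an uncommented line sets
# gateway_enable to YES (quoted or not, any case), otherwise "no".
rcconf_gateway() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -iq '^[[:space:]]*gateway_enable="\{0,1\}yes"\{0,1\}[[:space:]]*$'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# forwarding_state SYSCTL_TEXT RCCONF_TEXT: one word describing the situation.
#   ok            forwarding is on now and will be on after a reboot
#   runtime-only  on now (sysctl set by hand) but lost at the next reboot
#   boot-only     rc.conf enables it, but the running kernel still says 0
#   disabled      neither in effect; this matches the symptom in the thread
forwarding_state() {
    now=$(runtime_forwarding "$1")
    boot=$(rcconf_gateway "$2")
    case "$now/$boot" in
        1/yes)             echo ok ;;
        1/no)              echo runtime-only ;;
        0/yes|unknown/yes) echo boot-only ;;
        *)                 echo disabled ;;
    esac
}

# Constructed sample inputs. The first sysctl line mirrors the one in the
# reply; the other keys are real FreeBSD sysctls added to show the parser
# ignores them.
SAMPLE_SYSCTL_ON='net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0'
SAMPLE_SYSCTL_OFF='net.inet.ip.forwarding: 0
net.inet6.ip6.forwarding: 0'
SAMPLE_RCCONF='# /etc/rc.conf (constructed)
hostname="goldengate"
gateway_enable="YES"
ipsec_enable="YES"'
SAMPLE_RCCONF_NOGW='# /etc/rc.conf (constructed, gateway line left commented)
hostname="waltwhitman"
# gateway_enable="YES"'

printf 'goldengate  (sysctl 1, rc.conf YES): %s\n' \
    "$(forwarding_state "$SAMPLE_SYSCTL_ON" "$SAMPLE_RCCONF")"
printf 'waltwhitman (sysctl 0, no rc.conf):  %s\n' \
    "$(forwarding_state "$SAMPLE_SYSCTL_OFF" "$SAMPLE_RCCONF_NOGW")"
```

The `runtime-only` case is the one that bites after a maintenance reboot: the tunnel comes up, Racoon exchanges keys, but hosts behind one gateway cannot reach the other side until `net.inet.ip.forwarding` is set again. Running the check from both routers, against the real `sysctl` output and `/etc/rc.conf`, confirms the fix is in both places.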


