Date:      Wed, 27 Jun 2001 12:29:46 -0400
From:      Jim Mock <jim@compete.com>
To:        questions@FreeBSD.org
Subject:   VPN setup
Message-ID:  <20010627122946.A2121@cartman.boston.geekhouse.net>

Howdy,

I've been trying to get a VPN set up between our Boston and SF offices,
and have made about as much progress as I would trying to ram my head
through a brick wall.

In the following, aa.aaa.aaa.aa and bb.bbb.bbb.bbb are the IP addresses
of the two machines.  aa.aaa.aaa.aa is the machine here in Boston,
bb.bbb.bbb.bbb is the machine in San Francisco.  Also, in the firewall
rules, ${vpn} is gif0, ${sfip} is bb.bbb.bbb.bbb, and ${oip} is
aa.aaa.aaa.aa.  IPSEC is compiled into the kernel on each machine.

Boston firewall
---------------
In /etc/rc.conf:

   ipsec_enable="YES"
   ipsec_file="/etc/ipsec.conf"
   gif_interfaces="gif0"
   gifconfig_gif0="aa.aaa.aaa.aa bb.bbb.bbb.bbb"

I've also brought up gif0:

   ifconfig gif0 172.16.1.1 172.16.2.1 netmask 255.255.255.252

In /etc/ipsec.conf:

   spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P out ipsec
     esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
   spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P in ipsec
     esp/tunnel/bb.bbb.bbb.bb-aa.aaa.aaa.aa/require;

ifconfig output for gif0:

   gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
           inet 172.16.1.1 --> 172.16.2.1 netmask 0xfffffffc

I've also added the following firewall rules:

   ${fwcmd} add allow esp from ${oip} to ${sfip}
   ${fwcmd} add allow esp from ${sfip} to ${oip}
   ${fwcmd} add allow udp from ${oip} isakmp to ${sfip} isakmp
   ${fwcmd} add allow udp from ${sfip} isakmp to ${oip} isakmp
   ${fwcmd} add allow ipencap from ${oip} to ${sfip}
   ${fwcmd} add allow ipencap from ${sfip} to ${oip}
   ${fwcmd} add allow ip from any to any via ${vpn}

SF Firewall
-----------
In /etc/rc.conf:

   ipsec_enable="YES"
   ipsec_file="/etc/ipsec.conf"
   gif_interfaces="gif0"
   gifconfig_gif0="bb.bbb.bbb.bbb aa.aaa.aaa.aa"

I've also brought up gif0 on this end:

   ifconfig gif0 172.16.2.1 172.16.1.1 netmask 255.255.255.252

In /etc/ipsec.conf:

   spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P out ipsec
     esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
   spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P in ipsec
     esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;

ifconfig output for gif0:

   gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
           inet 172.16.2.1 --> 172.16.1.1 netmask 0xfffffffc

Here are the firewall rules on that machine:

   ${fwcmd} add allow esp from ${oip} to ${bosip}
   ${fwcmd} add allow esp from ${bosip} to ${oip}
   ${fwcmd} add allow udp from ${oip} isakmp to ${bosip} isakmp
   ${fwcmd} add allow udp from ${bosip} isakmp to ${oip} isakmp
   ${fwcmd} add allow ipencap from ${oip} to ${bosip}
   ${fwcmd} add allow ipencap from ${bosip} to ${oip}
   ${fwcmd} add allow ip from any to any via ${vpn}

If I try to ping 172.16.2.1 (the SF side) from the Boston machine, this
happens:
   % ping 172.16.2.1
   PING 172.16.2.1 (172.16.2.1): 56 data bytes
   ping: sendto: Network is down
   ping: sendto: Network is down
   ping: sendto: Network is down
   ping: sendto: Network is down
   ping: sendto: Network is down
   ^C
   --- 172.16.2.1 ping statistics ---
   5 packets transmitted, 0 packets received, 100% packet loss
   % 

If I try to ping 172.16.1.1 (the Boston side) from the SF machine, this
happens:

   % ping 172.16.1.1
   ^C
   --- 172.16.1.1 ping statistics ---
   5 packets transmitted, 0 packets received, 100% packet loss
   % 

I get no "Network is down" messages, but the end result is the same.
There is nothing in the firewall logs on either machine saying the
packets were denied.  The only info "ipfw show" on the Boston machine
provides is this:

   03900   7   588 allow ip from any to any via gif0

None of the other rules have any counts, and none of the deny rules are
matching.  However, on the SF machine, I see this:

   02900    54     5616 allow ipencap from 66.122.112.198 to 64.211.217.66
   03100    54     4536 allow ip from any to any via gif0

Those are the only two rules WRT the VPN that are being matched on
that machine.

What am I missing?  Is there an easier way to do this?

- jim

-- 
- jim mock <jim@compete.com>      www.compete.com - jim@FreeBSD.org -
- senior systems administrator - Compete, Inc. - ph: 1.617.867.7035 -

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message