Date: Wed, 27 Jun 2001 12:29:46 -0400
From: Jim Mock
To: questions@FreeBSD.org
Subject: VPN setup
Message-ID: <20010627122946.A2121@cartman.boston.geekhouse.net>
Reply-To: jim@compete.com

Howdy,

I've been trying to get a VPN set up between our Boston and SF offices, and
have made about as much progress as I would trying to ram my head through a
brick wall.

In the following, aa.aaa.aaa.aa and bb.bbb.bbb.bbb are the IP addresses of
the two machines.  aa.aaa.aaa.aa is the machine here in Boston,
bb.bbb.bbb.bbb is the machine in San Francisco.  Also, in the firewall rules,
${vpn} is gif0, ${sfip} is bb.bbb.bbb.bbb, and ${oip} is aa.aaa.aaa.aa.
IPSEC is compiled into the kernel on each machine.
Boston firewall
---------------

In /etc/rc.conf:

    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"
    gif_interfaces="gif0"
    gifconfig_gif0="aa.aaa.aaa.aa bb.bbb.bbb.bbb"

I've also brought up gif0:

    ifconfig gif0 172.16.1.1 172.16.2.1 netmask 255.255.255.252

In /etc/ipsec.conf:

    spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P out ipsec
        esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
    spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P in ipsec
        esp/tunnel/bb.bbb.bbb.bb-aa.aaa.aaa.aa/require;

ifconfig output for gif0:

    gif0: flags=8011 mtu 1280
        inet 172.16.1.1 --> 172.16.2.1 netmask 0xfffffffc

I've also added the following firewall rules:

    ${fwcmd} add allow esp from ${oip} to ${sfip}
    ${fwcmd} add allow esp from ${sfip} to ${oip}
    ${fwcmd} add allow udp from ${oip} isakmp to ${sfip} isakmp
    ${fwcmd} add allow udp from ${sfip} isakmp to ${oip} isakmp
    ${fwcmd} add allow ipencap from ${oip} to ${sfip}
    ${fwcmd} add allow ipencap from ${sfip} to ${oip}
    ${fwcmd} add allow ip from any to any via ${vpn}

SF Firewall
-----------

In /etc/rc.conf:

    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"
    gif_interfaces="gif0"
    gifconfig_gif0="bb.bbb.bbb.bbb aa.aaa.aaa.aa"

I've also brought up gif0 on this end:

    ifconfig gif0 172.16.2.1 172.16.1.1 netmask 255.255.255.252

In /etc/ipsec.conf:

    spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P out ipsec
        esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
    spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P in ipsec
        esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;

ifconfig output for gif0:

    gif0: flags=8051 mtu 1280
        inet 172.16.2.1 --> 172.16.1.1 netmask 0xfffffffc

Here are the firewall rules on that machine:

    ${fwcmd} add allow esp from ${oip} to ${bosip}
    ${fwcmd} add allow esp from ${bosip} to ${oip}
    ${fwcmd} add allow udp from ${oip} isakmp to ${bosip} isakmp
    ${fwcmd} add allow udp from ${bosip} isakmp to ${oip} isakmp
    ${fwcmd} add allow ipencap from ${oip} to ${bosip}
    ${fwcmd} add allow ipencap from ${bosip} to ${oip}
    ${fwcmd} add allow ip from any to any via ${vpn}
If I try to ping 172.16.2.1 (the SF side) from the Boston machine, this
happens:

    % ping 172.16.2.1
    PING 172.16.2.1 (172.16.2.1): 56 data bytes
    ping: sendto: Network is down
    ping: sendto: Network is down
    ping: sendto: Network is down
    ping: sendto: Network is down
    ping: sendto: Network is down
    ^C
    --- 172.16.2.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    %

If I try to ping 172.16.1.1 (the Boston side) from the SF machine, this
happens:

    % ping 172.16.1.1
    ^C
    --- 172.16.1.1 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    %

I get no "Network is down" messages, but the end result is the same.  There
is nothing in the firewall logs on either machine saying the packets were
denied.  The only info "ipfw show" on the Boston machine provides is this:

    03900 7 588 allow ip from any to any via gif0

None of the other rules have any counts, and none of the deny rules are
matching.  However, on the SF machine, I see this:

    02900 54 5616 allow ipencap from 66.122.112.198 to 64.211.217.66
    03100 54 4536 allow ip from any to any via gif0

Those are the only two rules WRT the VPN that are being matched on that
machine.

What am I missing?  Is there an easier way to do this?

- jim

--
- jim mock  www.compete.com  -  jim@FreeBSD.org  -
- senior systems administrator  -  Compete, Inc.  -  ph: 1.617.867.7035  -
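As an added example (not part of the post, and not FreeBSD's own tooling), a small Python checker for the two things a reader would verify first from what is quoted above: it decodes the hex flags word on the ifconfig lines using the 4.4BSD if.h bit values, so one can see whether RUNNING is set on each gif0, and it parses the setkey spdadd policies from both sides to confirm that every outbound tunnel policy has an identical inbound policy on the peer and that every policy uses level require rather than use. The input is the post's own configuration, embedded here as constructed strings.

```python
import re

# 4.4BSD/FreeBSD if.h interface flag bits; ifconfig prints the hex word, then the names.
IFF = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT", 0x40: "RUNNING",
       0x80: "NOARP", 0x100: "PROMISC", 0x800: "SIMPLEX", 0x8000: "MULTICAST"}

def decode_flags(ifconfig_line):
    """Names of the flags set in a line like 'gif0: flags=8011 mtu 1280'."""
    word = int(re.search(r"flags=([0-9a-fA-F]+)", ifconfig_line).group(1), 16)
    return [name for bit, name in sorted(IFF.items()) if word & bit]

# setkey(8) policy line: spdadd src dst upperspec -P dir ipsec proto/tunnel/tsrc-tdst/level;
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(\w+)/tunnel/(\S+)-(\S+)/(\w+)\s*;")

def parse_spd(text):
    return [dict(src=m[1], dst=m[2], dir=m[3], proto=m[4], tsrc=m[5], tdst=m[6], level=m[7])
            for m in SPD_RE.finditer(text)]

def check_peers(conf_a, conf_b):
    """Every 'out' policy on one side needs an 'in' policy on the peer with the same selector
    and identical tunnel endpoints; a level other than 'require' is reported as well."""
    problems = []
    for mine, theirs in ((parse_spd(conf_a), parse_spd(conf_b)),
                         (parse_spd(conf_b), parse_spd(conf_a))):
        for p in mine:
            if p["level"] != "require":
                problems.append(f"{p['dir']} {p['src']}->{p['dst']}: level is {p['level']}")
            if p["dir"] == "out" and not any(
                    q["dir"] == "in" and (q["src"], q["dst"]) == (p["src"], p["dst"])
                    and (q["tsrc"], q["tdst"]) == (p["tsrc"], p["tdst"]) for q in theirs):
                problems.append(f"out {p['src']}->{p['dst']} via {p['tsrc']}-{p['tdst']}: "
                                "no identical 'in' policy on the peer")
    return problems

# Constructed input: the two ipsec.conf files and ifconfig lines exactly as quoted in the post.
BOSTON_SPD = """
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P out ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P in ipsec esp/tunnel/bb.bbb.bbb.bb-aa.aaa.aaa.aa/require;
"""
SF_SPD = """
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P out ipsec esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P in ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
"""
BOSTON_GIF = "gif0: flags=8011 mtu 1280"
SF_GIF = "gif0: flags=8051 mtu 1280"

if __name__ == "__main__":
    print(decode_flags(BOSTON_GIF), decode_flags(SF_GIF), check_peers(BOSTON_SPD, SF_SPD))
```

Run over the quoted configuration it reports that the Boston gif0 flags word lacks RUNNING and that the Boston inbound policy's tunnel source (bb.bbb.bbb.bb) is not identical to the SF outbound policy's tunnel source; whether that is a real typo or only one in the address masking is something the reader has to check on the live /etc/ipsec.conf.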