Date: Wed, 4 Sep 2002 16:21:47 -0600
From: Tillman Hodgson
To: freebsd-questions@FreeBSD.ORG
Subject: IPSEC & routing w/o gif
Message-ID: <20020904162147.D6553@seekingfire.com>

Howdy,

I'm trying to set up an IPSEC ESP tunnel between a gateway running FreeBSD 4.6-STABLE and a gateway running Mandrake 8.2 with FreeSWAN 1.98. I'm using pre-shared keys and the tunnel appears to be established ...
here's some sample output from racoon:

    # /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
    2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
    2002-09-04 16:06:53: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
    2002-09-04 16:06:53: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
    2002-09-04 16:06:53: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
    2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
    2002-09-04 16:06:53: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=1469637767(0x5798e487)
    2002-09-04 16:06:53: DEBUG: pfkey.c:1324:pk_recvadd(): ===

Unfortunately, routing doesn't seem to work:

    # ping 192.168.31.206
    PING 192.168.31.206 (192.168.31.206): 56 data bytes
    ping: sendto: No route to host

I understand how routing would work with 2 FreeBSD boxes running an IP-over-IP tunnel and then using transport mode IPSEC between the outside IPs ... that's reasonably traditional. How does one set up routing between the internal networks with regular ESP tunnels?

I've tried:

    gifconfig gif0 24.72.10.212 24.72.31.206
    ifconfig gif0 inet 192.168.23.2 192.168.31.206 netmask 255.255.255.0

But I had the same problem with that in place.
I've tried:

    route -n add -net 192.168.31.0 192.168.31.206
    route -n add 192.168.31.206 192.168.23.2

and the routes appear in my routing table:

    # netstat -r -n -f inet
    Destination        Gateway            Flags    Refs      Use  Netif
    default            24.72.10.1         UGSc      309   623239  rl1
    24.72.10/24        link#2             UC          3      119  rl1
    24.72.10.212       00:50:bf:e1:f2:b7  UHLW        0       60  lo0
    127.0.0.1          127.0.0.1          UH          0    53651  lo0
    192.168.8          192.168.168.6      UGSc        0        0  lo0
    192.168.23         link#1             UC          4        0  rl0
    192.168.23.2       00:50:bf:e1:f4:33  UHLW        1        0  lo0
    192.168.31         192.168.31.206     UGSc        0        0  rl1
    192.168.31.206     192.168.23.2       UGHS        0        6  rl0
    192.168.168.1      192.168.168.1      UH          0        2  lo0
    192.168.168.5      192.168.168.5      UH          0       28  lo0

But I had the same problem with that in place. I don't want to use IP-over-IP tunnels as I want to be able to service cross-platform tunnels easily.

How should I be configuring my routing?

TIA,

- Tillman Hodgson

-- 
One uses power by grasping it lightly. To grasp with too much force is to be taken over by power, thus becoming its victim.
  - Bene Gesserit Axiom
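The KAME setkey(8) tunnel-mode policy that selects traffic between the two private networks in the post, plus a check that racoon reported both SA directions, as an added example that is not part of Tillman's message. The helper names are this example's own, the log lines are copied from the racoon output above, and the remark on route lookup order in the comments is an assumption about KAME behaviour, not something the post states.

```shell
# Added example (not from the original post): emits the KAME setkey(8) SPD entries
# for a tunnel-mode ESP policy between two private networks, and checks racoon's
# log for both SA directions. Helper names are this example's own.
#
# Assumption about the "No route to host": the kernel does its ordinary route
# lookup on the inner destination before the SPD is consulted, so the remote
# private net needs a plain forwarding path out the external interface (the
# default route is enough); the routes added in the post send 192.168.31/24
# toward the gateway's own LAN address 192.168.23.2, which is not a usable next hop.

# spd_policy LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the two spdadd lines (outbound and inbound) for `setkey -c`.
spd_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$4" "$3"
}

# sa_directions < racoon.log
# Counts distinct "A->B" tunnel SAs racoon reports as established; a working
# tunnel needs 2 (one per direction) before routing is worth debugging.
sa_directions() {
    grep -o 'IPsec-SA established: ESP/Tunnel [0-9.]*->[0-9.]*' | sort -u | wc -l | tr -d ' '
}

# Sample input: the two INFO lines from the racoon output in the post.
RACOON_LOG='2002-09-04 16:06:53: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
2002-09-04 16:06:53: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=1469637767(0x5798e487)'

# Usage on the FreeBSD gateway from the post (not executed here):
#   spd_policy 192.168.23.0/24 192.168.31.0/24 24.72.10.212 24.72.31.206 | setkey -c
#   racoon -F -f /usr/local/etc/racoon/racoon.conf 2>&1 | sa_directions
```

Run `setkey -DP` afterwards to confirm the two policies are loaded; `setkey -D` should then list the same SA pair that racoon logged.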