Date: Thu, 17 Jun 2004 17:10:03 +0200 (CEST)
From: Andre Rein <ar@ra23.net>
To: freebsd-questions@freebsd.org
Subject: IPSec Routing and Interfaces, ping problem (long)
Message-ID: <20040617165120.R64239@juergen.edv-winter.de>
Hi ML,

got a little understanding problem with my VPN connection. I set up isakmpd.
Connected from a static client IP. Everything works fine.

10.0.1.0-------195.226.x.98--------[INTERNET]--------195.226.x.124-------10.0.0.0

gif0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel inet 195.226.x.124 --> 195.226.x.98
	inet 10.0.0.124 --> 10.0.1.1 netmask 0xffffff00
	inet6 fe80::250:baff:fede:bb73%gif0 prefixlen 64 scopeid 0x9

The gif0 interface I created myself with:

gifconfig gif0 195.226.65.124 195.226.65.98
ifconfig gif0 inet 10.0.0.124 10.0.1.1 netmask 255.255.255.0

setkey -FP
setkey -F
setkey -c << EOF
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/195.226.x.124-195.226.x.98/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/195.226.x.98-195.226.x.124/require;
EOF

First I tried racoon, so do I need the gif0 interface when using isakmpd?

Anyway, here's my setkey -D output:

195.226.x.124 195.226.x.98
	esp mode=any spi=115684691(0x06e53553) reqid=0(0x00000000)
	E: 3des-cbc  f69579f2 ccee42f3 e046f2d3 ea44eaf0 0111da98 cf79ee9d
	A: hmac-md5  f7f015ab 8200c964 13332790 8fdc3591
	seq=0x0000002e replay=0 flags=0x00000000 state=mature
	created: Jun 17 16:54:38 2004	current: Jun 17 16:55:38 2004
	diff: 60(s)	hard: 90(s)	soft: 81(s)
	last: Jun 17 16:55:38 2004	hard: 0(s)	soft: 0(s)
	current: 6256(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 46	hard: 0	soft: 0
	sadb_seq=1 pid=79990 refcnt=2
195.226.x.98 195.226.x.124
	esp mode=any spi=542689727(0x2058c9bf) reqid=0(0x00000000)
	E: 3des-cbc  935381d8 a9ccfc65 b82ab59d 4c2201fa c41adfc5 077cab63
	A: hmac-md5  be01afa0 884cb945 0d561298 d17b5fbf
	seq=0x0000002e replay=0 flags=0x00000000 state=mature
	created: Jun 17 16:54:38 2004	current: Jun 17 16:55:38 2004
	diff: 60(s)	hard: 90(s)	soft: 81(s)
	last: Jun 17 16:55:38 2004	hard: 0(s)	soft: 0(s)
	current: 3864(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 46	hard: 0	soft: 0
	sadb_seq=0 pid=79990 refcnt=1

I added a route to the 10.0.1/24 net:

10.0.1/24          10.0.1.1           UGSc        0     2736   gif0

Now I set up a connection from a dynamic client.

192.168.10/30------Dynamic-IP--------[INTERNET]--------195.226.x.124-------10.0.0.0

setkey -D:

195.226.x.124 217.236.140.95
	esp mode=any spi=1631512562(0x613ee7f2) reqid=0(0x00000000)
	E: rijndael-cbc  ae65af22 6256a79a d37eb700 c7cd9917
	A: hmac-md5  3e378bc3 f7abd982 67d838d9 b678d18d
	seq=0x000001c6 replay=0 flags=0x00000000 state=mature
	created: Jun 17 16:57:06 2004	current: Jun 17 17:04:52 2004
	diff: 466(s)	hard: 2000(s)	soft: 1800(s)
	last: Jun 17 17:04:51 2004	hard: 0(s)	soft: 0(s)
	current: 69008(bytes)	hard: 204800000(bytes)	soft: 184320000(bytes)
	allocated: 454	hard: 0	soft: 0
	sadb_seq=3 pid=80022 refcnt=2
217.236.140.95 195.226.x.124
	esp mode=any spi=1382069086(0x5260b35e) reqid=0(0x00000000)
	E: rijndael-cbc  3e52567a 51306d35 e2333684 55b64a40
	A: hmac-md5  695a1b0a fb962e83 b38ff954 a2b4b4aa
	seq=0x000001c5 replay=0 flags=0x00000000 state=mature
	created: Jun 17 16:57:06 2004	current: Jun 17 17:04:52 2004
	diff: 466(s)	hard: 2000(s)	soft: 1800(s)
	last: Jun 17 17:04:51 2004	hard: 0(s)	soft: 0(s)
	current: 38052(bytes)	hard: 204800000(bytes)	soft: 184320000(bytes)
	allocated: 453	hard: 0	soft: 0
	sadb_seq=2 pid=80022 refcnt=1

From the client I can ping 10.0.0.124. So I tried another host in this net (10.0.0.1).
I gave 10.0.0.1 a route to the 192.168.10/30 net:

192.168.10/30      10.0.0.124         UGSc        0      341   rl0

I'm able to ping 10.0.0.1 now from my VPN client and ping the VPN client from
10.0.0.1 without any trouble.

The only problem I get is to ping the VPN client from the VPN server. It won't
work. So how should I set up the server to ping the client? Am I just blind
and don't see my mistake?

gruss/regards
Andre

--
"And some greetings from the Toaster"
"Plata Verata Nectu"
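The check a practitioner would run on the server in the situation described above is: for a given destination, which source address will the kernel pick (from the route that wins longest-prefix match), and does an outbound SPD entry cover that src/dst pair? A locally generated ping is outbound on the server, so it is matched against the "-P out" policies, and if the chosen source address is outside every selector the packet never enters the tunnel. The script below is an added example, not code from the post; it models source selection only roughly (source = address of the route's interface), and the SPD for the dynamic client is an assumption, since the post shows only the static-client policies. Public addresses are documentation-range stand-ins for the redacted 195.226.x.* and the client's dynamic address.

```python
"""Check which source address a host would use for a destination and whether
an IPsec SPD entry covers that src/dst pair.  Added example; the dynamic
client's SPD entries and all public addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    tunnel: str      # "local-remote" tunnel endpoints
    level: str       # "require", "use", ...


# Matches the spdadd form used for setkey -c input and printed by setkey -DP.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([^/]+)/(\w+)")


def parse_spd(text: str) -> list:
    """Parse spdadd lines into Policy records; non-matching lines are ignored."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.search(line)
        if m:
            policies.append(Policy(ipaddress.ip_network(m.group(1)),
                                   ipaddress.ip_network(m.group(2)),
                                   m.group(3), m.group(4), m.group(5)))
    return policies


def select_route(routes, dst):
    """Longest-prefix match over (network, interface) tuples; None if no route."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def covering_policy(policies, src, dst, direction="out") -> Optional[Policy]:
    """First policy of the given direction whose selectors contain src and dst."""
    for p in policies:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None


def check_path(routes, if_addrs, policies, dst_str: str) -> dict:
    """Resolve the route, derive the source address, and look up the out policy."""
    dst = ipaddress.ip_address(dst_str)
    route = select_route(routes, dst)
    if route is None:
        return {"iface": None, "src": None, "policy": None}
    src = ipaddress.ip_address(if_addrs[route[1]])   # simplification: iface address
    return {"iface": route[1], "src": str(src),
            "policy": covering_policy(policies, src, dst, "out")}


# Constructed SPD: the post's static-client pair, plus an assumed pair for the
# dynamic client (198.51.100.124 stands in for 195.226.x.124, 198.51.100.98 for
# the static peer, 203.0.113.95 for the dynamic client's public address).
SAMPLE_SPD = """
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/198.51.100.124-198.51.100.98/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/198.51.100.98-198.51.100.124/require;
spdadd 10.0.0.0/24 192.168.10.0/30 any -P out ipsec esp/tunnel/198.51.100.124-203.0.113.95/require;
spdadd 192.168.10.0/30 10.0.0.0/24 any -P in ipsec esp/tunnel/203.0.113.95-198.51.100.124/require;
"""
POLICIES = parse_spd(SAMPLE_SPD)

# Constructed server view: LAN on rl0, gif0 to the static peer, default via fxp0.
IF_ADDRS = {"fxp0": "198.51.100.124", "rl0": "10.0.0.124", "gif0": "10.0.0.124"}
SERVER_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "fxp0"),
    (ipaddress.ip_network("10.0.0.0/24"), "rl0"),
    (ipaddress.ip_network("10.0.1.0/24"), "gif0"),
]
# Hypothetical extra route: send the client net via an interface whose address
# sits inside the 10.0.0.0/24 selector (gif0 here, inside address 10.0.0.124).
ROUTE_TO_CLIENT = (ipaddress.ip_network("192.168.10.0/30"), "gif0")


def report(routes, dst_str: str) -> str:
    r = check_path(routes, IF_ADDRS, POLICIES, dst_str)
    if r["policy"] is None:
        return f"{dst_str}: src {r['src']} via {r['iface']} -> NO out policy, would leave unprotected"
    return f"{dst_str}: src {r['src']} via {r['iface']} -> tunnel {r['policy'].tunnel}"


if __name__ == "__main__":
    print(report(SERVER_ROUTES, "10.0.1.1"))                     # static peer: covered
    print(report(SERVER_ROUTES, "192.168.10.2"))                 # no route: default, src public
    print(report(SERVER_ROUTES + [ROUTE_TO_CLIENT], "192.168.10.2"))  # with route: covered
```

With the routes as in the post, the destination in the dynamic client's net falls to the default route, the source becomes the public address, and no selector matches; the same lookup succeeds once a route makes the server source the packet from an address inside the 10.0.0.0/24 selector. The real kernel's source selection has more cases than this model, so treat a mismatch as a prompt to inspect `setkey -DP` and `route get`, not as a verdict.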