From: Rickard Borgmäster <doktorn@realworld.nu>
To: freebsd-security@freebsd.org
Date: Wed, 20 Mar 2002 20:57:47 +0100
Subject: IPSec tunnel FreeBSD<->OpenBSD using isakmp
Message-Id: <20020320205747.4197222b.doktorn@realworld.nu>

Dunno if this belongs to net or security but...

I've established a tunnel between my home FreeBSD host and a corporate OpenBSD firewall. This works just fine. Well, works, but not good enough.

Specs:

home: FreeBSD 4.5 IPF
  pub-ip: 130.236.218.63
  priv-net: 192.168.2.0/24

office: OpenBSD 3.0-stable PF
  pub-ip: 213.88.128.16
  priv-net: 10.0.0.0/24

I think I have this somewhat going. If I launch isakmpd at both ends, I can see this at the OpenBSD box:

# netstat -rn
[...]
Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.2/24 0 10.0.0/24 0 0 130.236.218.63/50/use/in
10.0.0/24 0 192.168.2/24 0 0 130.236.218.63/50/require/out

However, on the FreeBSD side, netstat -rn won't show anything about 10.0.0.0/24. Maybe encap routes won't show in the ordinary routing table on FreeBSD?

Well, anyway, this works just fine. From 192.168.2.0/24 I can ping 10.0.0.0/24 and vice versa. Both private networks can communicate just fine.
However, there is one thing that won't work. Probably this is a by-design thing, but I still want it to work =)

From either the OpenBSD or FreeBSD box, I am unable to reach the private net behind the other IPSec node. I.e., from the FreeBSD box, I cannot reach 10.0.0.0/24. And from the OpenBSD box, I cannot reach 192.168.2.0/24.

How come?

--
Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/
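An added illustration (my own code, not part of the post) of how an SPD lookup selects traffic, using the two net-to-net selectors from the netstat -rn output above. The gateway's inside address 192.168.2.1 and the extra host-to-net policy are assumptions. The usual reason for the symptom described is that a packet originated on the gateway itself carries the gateway's public address as source, which neither net-to-net selector covers; the model shows that case next to the flows that do match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One SPD entry, shaped like the rows netstat -rn prints on OpenBSD."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in" or "out"
    level: str       # "use" or "require"


def net(cidr):
    return ipaddress.ip_network(cidr)


def lookup(policies, src_ip, dst_ip, direction):
    """Return the first policy whose src/dst selectors cover the flow, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None


def is_tunnelled(policies, src_ip, dst_ip):
    """True if an outbound packet src_ip -> dst_ip would be handed to IPsec."""
    return lookup(policies, src_ip, dst_ip, "out") is not None


# FreeBSD side, mirrored from the OpenBSD rows in the post (net-to-net only).
FREEBSD_SPD = [
    Policy(net("192.168.2.0/24"), net("10.0.0.0/24"), "out", "require"),
    Policy(net("10.0.0.0/24"), net("192.168.2.0/24"), "in", "use"),
]

# Hypothetical extra entry covering the gateway's own public address (assumption).
GATEWAY_POLICY = Policy(net("130.236.218.63/32"), net("10.0.0.0/24"), "out", "require")


def report(policies, src_ip, dst_ip):
    p = lookup(policies, src_ip, dst_ip, "out")
    state = f"tunnelled via {p.src} -> {p.dst}" if p else "sent in the clear (no SPD match)"
    return f"{src_ip} -> {dst_ip}: {state}"


if __name__ == "__main__":
    print(report(FREEBSD_SPD, "192.168.2.10", "10.0.0.5"))                   # LAN host: matches
    print(report(FREEBSD_SPD, "130.236.218.63", "10.0.0.5"))                 # gateway, public src: no match
    print(report(FREEBSD_SPD, "192.168.2.1", "10.0.0.5"))                    # gateway, inside src (assumed)
    print(report(FREEBSD_SPD + [GATEWAY_POLICY], "130.236.218.63", "10.0.0.5"))  # with host policy
```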