From owner-freebsd-net@FreeBSD.ORG Wed Oct 4 23:11:21 2006
Date: Thu, 5 Oct 2006 9:11:18 +1000
To: freebsd-net@freebsd.org
Subject: IPSEC (can't ping ip at loopback device)
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Thank you for your concern. This configuration can ping all internal networks (by static route), but it still can't ping the address at the loopback device (lo).
From HQ office:

#!/bin/sh
# Dynamic VPN setup script
LOCAL_OUTSIDE=60.225.5.1
REMOTE_OUTSIDE=203.33.16.1
LOCAL_INSIDE=10.1.1.1      # local ip at loopback device
REMOTE_INSIDE=10.1.2.1     # assigned to remote loopback device

/sbin/ifconfig lo0 inet $LOCAL_INSIDE/24 alias

# flush the security policy database (SPD) and the security association database (SAD)
setkey -FP
setkey -F

# Tunnel to Ric office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel $LOCAL_OUTSIDE $REMOTE_OUTSIDE
/sbin/ifconfig gif102 $LOCAL_INSIDE $REMOTE_INSIDE netmask 255.255.255.255

/sbin/route delete $REMOTE_INSIDE/24
/sbin/route delete 10.1.100.1/24
/sbin/route delete 172.17.4.1/24
/sbin/route add $REMOTE_INSIDE/24 $REMOTE_INSIDE
/sbin/route add 10.1.100.1/24 $REMOTE_INSIDE
/sbin/route add 172.17.4.1/24 $REMOTE_INSIDE

# unquoted heredoc so the shell variables expand before setkey reads the policies
setkey -c << EOF
# Tunnel to Ric office
spdadd $LOCAL_INSIDE $REMOTE_INSIDE any -P out ipsec
    esp/tunnel/$LOCAL_OUTSIDE-$REMOTE_OUTSIDE/require ;
spdadd $REMOTE_INSIDE $LOCAL_INSIDE any -P in ipsec
    esp/tunnel/$REMOTE_OUTSIDE-$LOCAL_OUTSIDE/require ;
add $LOCAL_OUTSIDE $REMOTE_OUTSIDE esp 2744 -m tunnel
    -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B
    -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add $REMOTE_OUTSIDE $LOCAL_OUTSIDE esp 3944 -m tunnel
    -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B
    -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
EOF

From Ric's office:

#!/bin/sh
LOCAL_OUTSIDE=203.33.16.1
REMOTE_OUTSIDE=60.225.5.1
LOCAL_INSIDE=10.1.2.1      # local ip at loopback device
REMOTE_INSIDE=10.1.1.1     # assigned to remote loopback device

/sbin/ifconfig lo0 inet $LOCAL_INSIDE/24 alias

# flush the security policy database (SPD) and the security association database (SAD)
setkey -FP
setkey -F

# Tunnel to HQ office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel $LOCAL_OUTSIDE $REMOTE_OUTSIDE
/sbin/ifconfig gif102 $LOCAL_INSIDE $REMOTE_INSIDE netmask 255.255.255.255

#/sbin/route delete $REMOTE_INSIDE/24
/sbin/route delete 10.1.1.0/24
/sbin/route delete 10.1.10.0/24
/sbin/route delete 172.17.3.0/24
#/sbin/route add $REMOTE_INSIDE/24 $REMOTE_INSIDE
/sbin/route add 10.1.1.0/24 $REMOTE_INSIDE
/sbin/route add 10.1.10.0/24 $REMOTE_INSIDE
/sbin/route add 172.17.3.0/24 $REMOTE_INSIDE

# unquoted heredoc so the shell variables expand before setkey reads the policies
setkey -c << EOF
# Tunnel to HQ office
spdadd $LOCAL_INSIDE $REMOTE_INSIDE any -P out ipsec
    esp/tunnel/$LOCAL_OUTSIDE-$REMOTE_OUTSIDE/require ;
spdadd $REMOTE_INSIDE $LOCAL_INSIDE any -P in ipsec
    esp/tunnel/$REMOTE_OUTSIDE-$LOCAL_OUTSIDE/require ;
add $LOCAL_OUTSIDE $REMOTE_OUTSIDE esp 2744 -m tunnel
    -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B
    -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add $REMOTE_OUTSIDE $LOCAL_OUTSIDE esp 3944 -m tunnel
    -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B
    -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
EOF

HQ's routing table:

hqrouter:~ # netstat -rn | less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            60.225.51.9        UGS         1    21433   sis0
10.1.1.1           10.1.1.1           UH          0        0    lo0
10.1.2/24          10.1.2.1           UGS         0        0 gif102
10.1.2.1           10.1.1.1           UH         22       31 gif102
10.1.10/24         link#2             UC          0        0   sis1
10.1.100/24        10.1.2.1           UGS         0        2 gif102
127.0.0.1          127.0.0.1          UH          0      546    lo0
172.17.3/24        link#3             UC          0        0   ath0
172.17.4/24        10.1.2.1           UGS         0        2 gif102

Ric's routing table:

ric:~ # netstat -rn | less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.17.10.8        UGS         1   858822   tun0
10.1.1/24          10.1.1.1           UGS         0        0 gif102
10.1.1.1           10.1.2.1           UH          5        4 gif102
10.1.2.1           10.1.2.1           UH          0        0    lo0
10.1.10/24         10.1.1.1           UGS         0        0 gif102
10.1.100/24        link#2             UC          0        0   sis1
172.17.3/24        10.1.1.1           UGS         0        2 gif102
172.17.4/24        link#3             UC          0        0   ath0

Thanks
S
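An added example, not part of the post above and not FreeBSD or setkey code: a small audit script that takes the HQ routing table exactly as posted (copied here as constructed input) together with the two spdadd selectors the HQ script installs, does the kernel's longest-prefix route lookup for a handful of constructed LAN-to-LAN and endpoint-to-endpoint flows, and reports which of them are selected by an outbound IPsec policy at all. The spdadd selectors as posted name only the single host pair 10.1.1.1 <-> 10.1.2.1 with protocol "any", so every flow between the 10.1.10/24, 172.17.3/24, 10.1.100/24 and 172.17.4/24 networks is routed into gif102 without matching any policy; that is worth confirming on the outside interface with tcpdump (ESP, protocol 50, versus plain IP-in-IP, protocol 4), and it is why the FreeBSD Handbook's gif-over-IPsec example keys its spdadd lines on the outer tunnel addresses with the ipencap protocol rather than on the inner gif addresses. The sample flows and their addresses are constructed for the example.

```python
import ipaddress

# Constructed copy of the HQ routing table posted in the message (FreeBSD "netstat -rn" output).
# FreeBSD prints networks abbreviated ("10.1.2/24") and host routes without a prefix length.
HQ_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            60.225.51.9        UGS         1    21433   sis0
10.1.1.1           10.1.1.1           UH          0        0    lo0
10.1.2/24          10.1.2.1           UGS         0        0 gif102
10.1.2.1           10.1.1.1           UH         22       31 gif102
10.1.10/24         link#2             UC          0        0   sis1
10.1.100/24        10.1.2.1           UGS         0        2 gif102
127.0.0.1          127.0.0.1          UH          0      546    lo0
172.17.3/24        link#3             UC          0        0   ath0
172.17.4/24        10.1.2.1           UGS         0        2 gif102
"""

# The two selectors the HQ setkey script installs: (src, dst, upper-layer protocol, direction).
HQ_SPD = [
    ("10.1.1.1", "10.1.2.1", "any", "out"),
    ("10.1.2.1", "10.1.1.1", "any", "in"),
]


def expand_destination(dest):
    """Turn a netstat destination into an IPv4Network: 'default' -> 0.0.0.0/0,
    '10.1.2/24' -> 10.1.2.0/24 (missing octets are zero), '10.1.1.1' -> 10.1.1.1/32."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
        return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.IPv4Network(dest + "/32")


def parse_netstat(text):
    """Return (network, gateway, flags, netif) tuples; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        routes.append((expand_destination(fields[0]), fields[1], fields[2], fields[5]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: (network, gateway, netif) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, _flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def spd_selector(spd, src, dst, proto="any", direction="out"):
    """First SPD entry whose src/dst/protocol selector covers the flow, or None.
    A policy protocol of 'any' matches everything; otherwise protocols must be equal."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for sel_src, sel_dst, sel_proto, sel_dir in spd:
        if sel_dir != direction:
            continue
        if (s in ipaddress.IPv4Network(sel_src, strict=False)
                and d in ipaddress.IPv4Network(sel_dst, strict=False)
                and sel_proto in ("any", proto)):
            return (sel_src, sel_dst, sel_proto)
    return None


def classify_flow(routes, spd, src, dst):
    """(egress interface, True if an outbound IPsec policy selects this src/dst pair)."""
    route = lookup(routes, dst)
    if route is None:
        return (None, False)
    return (route[2], spd_selector(spd, src, dst) is not None)


def audit(routes, spd, flows):
    """Map each (src, dst) flow to (netif, covered) and print a one-line verdict per flow."""
    result = {}
    for src, dst in flows:
        netif, covered = classify_flow(routes, spd, src, dst)
        result[(src, dst)] = (netif, covered)
        verdict = "selected by an IPsec policy" if covered else "matches NO IPsec policy"
        print(f"{src:>12} -> {dst:<14} via {netif}: {verdict}")
    return result


if __name__ == "__main__":
    # Constructed sample flows: the gif endpoints themselves, a host on each HQ LAN
    # talking to Ric's LANs, a LAN host reaching Ric's loopback, and Internet-bound traffic.
    audit(parse_netstat(HQ_NETSTAT), HQ_SPD, [
        ("10.1.1.1", "10.1.2.1"),
        ("10.1.10.5", "10.1.100.5"),
        ("172.17.3.5", "172.17.4.5"),
        ("10.1.10.5", "10.1.2.1"),
        ("10.1.1.1", "198.51.100.7"),
    ])
```

Run it as-is to see the verdict per flow; to audit a live router, replace HQ_NETSTAT with real "netstat -rn" output and HQ_SPD with the selectors from "setkey -DP". Only the first flow (the gif endpoint pair) is covered by the posted policies; everything else that the routing table sends into gif102 is outside the SPD.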