Date: Fri, 25 May 2001 00:03:03 +0000
From: Gunther Schadow <gunther@aurora.regenstrief.org>
To: Brandt Everett <everett@bentonrea.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FreeBSD and IPSEC
Message-ID: <3B0DA136.24B4451C@aurora.regenstrief.org>
References: <004401c0e47d$86adb5b0$632807d8@prosser.bentonrea.org>
Brandt Everett wrote:

> I have two remote offices. I am running FreeBSD ver 4.0R on all three
> firewalls. I would like to create two VPN between the remote offices and
> our HQ here. I can create a VPN connection using the gif and
> esp/tunnel//require, without the racoon, but from time to time the remote
> offices lose communication with the HQ. If I allow routing between the
> remote sites, without the VPN or encryption they work just fine. There are
> some ipfw rules in place, but this happens even if I open the firewall up
> all the way.
>
> Does anyone have any suggestions for troubleshooting this? Any ideas on
> where to continue looking for problems? I'm not looking for answers (unless
> you got them), I'm looking for the next place to look.

Yes, very much so!

First of all: upgrade! There is a serious bug in the KAME IPsec tunnel code
that will cause all kinds of havoc. This bug was finally killed by Itojun in
the first May 2001 KAME snap kit. I suggest you upgrade to FreeBSD 4.3-RELEASE
and then use an early May KAME snap kit (if not the most recent) for your
kernel. I don't know how fast KAME fixes make it back into FreeBSD releases,
but this fix was very recent, so it likely is not fixed in 4.3-RELEASE.

Once you've got that done, I'm sure everything will be fine. But to be sure,
let's have a quick look at your tunnel configuration. You don't use the
gif+IPsec transport mode kludge, or do you? It would work with this kludge,
but it isn't nice. It would seem odd to me if you used gif and IPsec TUNNEL.
Seems as if you do. Forget about gif. Upgrade your kernels and use
"esp/tunnel/$here-$there/require" properly. Be sure your routes aren't messed
up. And test from the right endpoints. You don't need this self route that is
sometimes suggested, but you need to test *through* the two endpoints, not
from one to the other.

It can work so beautifully!

regards
-Gunther

--
Gunther Schadow, M.D., Ph.D.
gschadow@regenstrief.org
Medical Information Scientist
Regenstrief Institute for Health Care
Adjunct Assistant Professor
Indiana University School of Medicine
tel:1(317)630-7960
http://aurora.regenstrief.org
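Gunther's advice above, drawn out into a concrete setkey(8) policy file for the HQ gateway of a site-to-site ESP tunnel without gif. This is an added example for this archive page, not Gunther's or Brandt's own configuration: the addresses, SPIs and keys are constructed placeholders, and rijndael-cbc is assumed to be available on the KAME snap kit (substitute 3des-cbc with a 192-bit key on a kernel that lacks it).

```conf
# Example setkey(8) configuration for the HQ gateway (added example, not from
# the thread). Assumed topology, all addresses constructed:
#   HQ gateway      203.0.113.1   fronting LAN 192.168.1.0/24
#   Remote gateway  198.51.100.1  fronting LAN 192.168.2.0/24

# Start from an empty SA database and policy database.
flush;
spdflush;

# Manually keyed SAs, one per direction, for a setup "without the racoon".
# SPI, algorithms and keys must be identical on both gateways.
# Keys are placeholders; generate real ones with a proper random source
# (e.g. openssl rand -hex 16 for the 128-bit cipher key, -hex 20 for HMAC-SHA1).
add 203.0.113.1 198.51.100.1 esp 0x1001 -m tunnel
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1    0x0123456789abcdef0123456789abcdef01234567;
add 198.51.100.1 203.0.113.1 esp 0x1002 -m tunnel
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1    0x76543210fedcba9876543210fedcba9876543210;

# Policies: traffic between the two LANs must travel inside the ESP tunnel
# between the gateways ("require"); anything else is left alone.
# The selectors are the LANs, not the gateway addresses, which is why a test
# has to go through the endpoints rather than from one gateway to the other.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Load it with setkey -f on the HQ gateway; the remote gateway gets the same two add lines and the two spdadd lines with the selectors and the in/out directions swapped. setkey -D and setkey -DP show the installed SAs and policies. No route beyond the one that already sends packets for 192.168.2.0/24 out the external interface is needed: the policy is matched on output and the packet is wrapped in ESP addressed to the peer. To test, ping from a host on 192.168.1.0/24 to a host on 192.168.2.0/24 and watch the external interface with tcpdump for ESP; a ping from 203.0.113.1 to 198.51.100.1 matches no policy, goes out in the clear, and proves nothing about the tunnel.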