Date: Mon, 17 Nov 2003 15:47:02 -0000
From: "Jamie Heckford" <jamie@tridentmicrosystems.co.uk>
To: <freebsd-net@freebsd.org>
Subject: Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks
Message-ID: <002101c3ad22$0b51cf30$115dcfc2@nico>
Hi,

Seem to be having a strange problem routing to some of our nets over here using setkey and racoon.

Setkey adds all of the below lines fine, and racoon doesn't complain. However, I can only route to the network that I initiate the connection to/from first...

For example:

If I ping 192.168.100.254 from 192.168.102.254 then the tunnel is established after a couple of seconds and it works fine. I can then ping any other 192.168.0.0/16 address as this is what the setkey entry is for.

If I then try and ping 194.207.93.254 then I get no response in either direction. However, if I restart racoon and ping 194.207.93.254 first, it works fine... But then 192.168.100.254 does not!

Could anyone shed any light on why this is happening.. Do I need to do it slightly differently if I am specifying multiple policies with setkey?

Any help would be greatly appreciated...

Config file and version info below (router at 192.168.102.254 is a Cisco 827 ADSL)

FreeBSD 4.9-RELEASE #0: Tue Nov 4 14:10:37 GMT 2003

Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)

#!/bin/sh
####################################################################
# Hub (local) site
LOCAL_NETWORK=194.207.93.0/24
ALLNET_1=192.168.0.0/16        # all 192.168.x.x nets; note it also contains both remote /24s below
LOCAL_INSIDE=194.207.93.251
LOCAL_OUTSIDE=81.3.89.53

# St Just site
STJUST_NETWORK=192.168.106.0/24
STJUST_INSIDE=192.168.106.254
STJUST_OUTSIDE=81.17.79.72

# Benelux site (Cisco 827 at BENELUX_INSIDE)
BENELUX_NETWORK=192.168.102.0/24
BENELUX_INSIDE=192.168.102.254
BENELUX_OUTSIDE=80.126.6.130
####################################################################

# Start the IKE daemon; it negotiates SAs for the policies installed by setkey below.
/usr/local/sbin/racoon

# ST JUST: gif tunnel between the outside addresses, inside addresses on the
# tunnel, static route for the remote network via the tunnel
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${STJUST_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${STJUST_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${STJUST_NETWORK} ${STJUST_INSIDE}

# BENELUX: same again on gif1
/sbin/ifconfig gif1 destroy
/sbin/ifconfig gif1 create
/sbin/ifconfig gif1 tunnel ${LOCAL_OUTSIDE} ${BENELUX_OUTSIDE}
/sbin/ifconfig gif1 inet ${LOCAL_INSIDE} ${BENELUX_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${BENELUX_NETWORK} ${BENELUX_INSIDE}

# Security policies: clear the SAD and SPD, then require ESP in tunnel mode
# between the outside addresses for each local<->remote network pair, in both
# directions. Each spdadd line is one selector pair.
/usr/sbin/setkey -c << EOF
flush;
spdflush;

# St Just: hub net and ALLNET_1 <-> St Just net
spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;

# Benelux: hub net and ALLNET_1 <-> Benelux net
spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
EOF

--
Jamie Heckford
Network Manager
Trident Microsystems Ltd.
t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/
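The mail asks whether multiple spdadd policies need to be handled differently. Before touching the configuration, a practitioner would want to know exactly which SPD entry each of the flows in the mail hits, which tunnel endpoints that entry names, and whether every outbound entry has a mirrored inbound entry. The script below is an added example (not part of the mail, and not racoon or setkey code) that parses the eight spdadd lines from the script above with the shell variables substituted and answers those three questions offline. It reasons only about the selectors as written; it does not reproduce the kernel's SPD lookup or racoon's phase 2 negotiation. The four flows in the demo (the two pings from the mail as the FreeBSD gateway sees them, with the Cisco at 192.168.102.254 as the pinger, plus their replies) are assumptions, not a capture.

```python
"""Classify KAME/FreeBSD setkey SPD entries against a set of flows.

Added example, not code from the original mail or from the racoon/setkey
projects. It reasons only about the selectors written in the spdadd lines;
it does not model the kernel's SPD lookup order or racoon's negotiation.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# The eight spdadd lines from the mail, with the script's shell variables expanded.
SPD_TEXT = """
spdadd 194.207.93.0/24 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 194.207.93.0/24 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
"""

# Only the "src dst upper -P dir ipsec proto/tunnel/a-b/level;" form used in the mail.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipsec>\w+)/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;$"
)


class Policy(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str                 # upper-layer protocol selector ("any" in the mail)
    direction: str             # "in" or "out"
    tunnel: Tuple[str, str]    # (outer src, outer dst) of the ESP tunnel
    level: str                 # "require" in the mail


def parse_spd(text: str) -> List[Policy]:
    """Parse spdadd lines, keeping the order in which setkey would install them."""
    policies: List[Policy] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised spdadd line: {line}")
        policies.append(Policy(
            src=ipaddress.ip_network(m["src"]),
            dst=ipaddress.ip_network(m["dst"]),
            upper=m["upper"],
            direction=m["dir"],
            tunnel=(m["tsrc"], m["tdst"]),
            level=m["level"],
        ))
    return policies


def matching_policies(policies: List[Policy], src_ip: str, dst_ip: str,
                      direction: str) -> List[Policy]:
    """All entries whose selectors cover the flow, in SPD order."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst]


def selectors_per_tunnel(policies: List[Policy]) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Group (src, dst) selector pairs by tunnel endpoints: each pair is its own SPD entry."""
    groups: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for p in policies:
        groups[p.tunnel].append((str(p.src), str(p.dst)))
    return dict(groups)


def missing_mirrors(policies: List[Policy]) -> List[Policy]:
    """'out' entries with no 'in' entry that reverses both the selectors and the tunnel."""
    ins = {(p.src, p.dst, p.tunnel) for p in policies if p.direction == "in"}
    return [p for p in policies
            if p.direction == "out"
            and (p.dst, p.src, (p.tunnel[1], p.tunnel[0])) not in ins]


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    # The two pings from the mail as the FreeBSD gateway sees them (the Cisco at
    # 192.168.102.254 is the pinger), plus each reply. Assumed flows, not a capture.
    flows = [
        ("192.168.102.254", "192.168.100.254", "in"),
        ("192.168.100.254", "192.168.102.254", "out"),
        ("192.168.102.254", "194.207.93.254", "in"),
        ("194.207.93.254", "192.168.102.254", "out"),
    ]
    for src, dst, direction in flows:
        hits = matching_policies(spd, src, dst, direction)
        print(f"{src} -> {dst} ({direction}):",
              [(str(p.src), str(p.dst), p.tunnel) for p in hits] or "NO POLICY")
    for tun, sels in selectors_per_tunnel(spd).items():
        print(f"tunnel {tun[0]} -> {tun[1]}: {len(sels)} selector pair(s): {sels}")
    print("out entries without a mirrored in entry:", missing_mirrors(spd))
```

Run on the policy set from the mail, the two pings land on different SPD entries (192.168.102.0/24 -> 192.168.0.0/16 for the first, 192.168.102.0/24 -> 194.207.93.0/24 for the second) that name the same tunnel endpoints, every outbound entry has its inbound mirror, and no flow is left without a policy. Since each entry is a separate selector pair for racoon to negotiate with the Cisco, the per-selector phase 2 state on both ends is the thing to compare next; the gif interfaces and static routes are shared by both flows and do not distinguish them.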