From: "Jamie Heckford" <jamie@tridentmicrosystems.co.uk>
To: freebsd-net@freebsd.org
Date: Mon, 17 Nov 2003 15:47:02 -0000
Organization: Trident Microsystems Ltd
Subject: Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks

Hi,

Seem to be having a strange problem routing to some of our nets over here using setkey and racoon. Setkey adds all of the below lines fine, and racoon doesn't complain. However, I can only route to the network that I initiate the connection to/from first...

For example: if I ping 192.168.100.254 from 192.168.102.254 then the tunnel is established after a couple of seconds and it works fine. I can then ping any other 192.168.0.0/16 address, as this is what the setkey entry is for. If I then try and ping 194.207.93.254 then I get no response in either direction. However, if I restart racoon and ping 194.207.93.254 first, it works fine... but then 192.168.100.254 does not!

Could anyone shed any light on why this is happening? Do I need to do it slightly differently if I am specifying multiple policies with setkey?

Any help would be greatly appreciated...

Config file and version info below (router at 192.168.102.254 is a Cisco 827 ADSL).

FreeBSD 4.9-RELEASE #0: Tue Nov 4 14:10:37 GMT 2003
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)

#!/bin/sh
####################################################################
# Local (Perry) site
LOCAL_NETWORK=194.207.93.0/24
ALLNET_1=192.168.0.0/16
LOCAL_INSIDE=194.207.93.251
LOCAL_OUTSIDE=81.3.89.53

# St Just site
STJUST_NETWORK=192.168.106.0/24
STJUST_INSIDE=192.168.106.254
STJUST_OUTSIDE=81.17.79.72

# Benelux site
BENELUX_NETWORK=192.168.102.0/24
BENELUX_INSIDE=192.168.102.254
BENELUX_OUTSIDE=80.126.6.130
####################################################################

# Start the IKE daemon
/usr/local/sbin/racoon

# ST JUST: gif tunnel between the outside addresses, static route to the remote net
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${STJUST_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${STJUST_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${STJUST_NETWORK} ${STJUST_INSIDE}

# BENELUX: same again on gif1
/sbin/ifconfig gif1 destroy
/sbin/ifconfig gif1 create
/sbin/ifconfig gif1 tunnel ${LOCAL_OUTSIDE} ${BENELUX_OUTSIDE}
/sbin/ifconfig gif1 inet ${LOCAL_INSIDE} ${BENELUX_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${BENELUX_NETWORK} ${BENELUX_INSIDE}

# SPD: tunnel-mode ESP, one out/in pair per (source net, remote net)
/usr/sbin/setkey -c << EOF
flush;
spdflush;

spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;

spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;

spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;

spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
EOF

-- 
Jamie Heckford
Network Manager
Trident Microsystems Ltd.
t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/
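An added audit helper (my own code, not from the post or from the KAME/racoon tools) that parses the posted spdadd lines and answers, for a given flow, which policy would be selected, and flags policies that lack a mirror in the reverse direction or whose selectors overlap another policy of the same direction. It assumes the SPD is searched in installation order with the first match winning, which is how I understand the KAME stack of that era; confirm the installed order on the gateway with setkey -DP.

```python
import ipaddress
import re

# The eight spdadd lines from the post, variables expanded (constructed, not a live dump).
SPD_TEXT = """
spdadd 194.207.93.0/24 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 194.207.93.0/24 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
"""

POLICY_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                       r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """Policies in the order setkey installs them; that order matters for lookup."""
    return [{"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
             "proto": m[3], "dir": m[4], "tunnel": (m[5], m[6]), "level": m[7]}
            for m in POLICY_RE.finditer(text)]

def lookup(policies, src, dst, direction):
    """Index of the first policy covering the flow (assumes first-match, in-order SPD search)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, p in enumerate(policies):
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return i
    return None  # no policy: IPsec is neither applied to nor required for this flow

def unmirrored(policies):
    """Policies whose reverse (selectors and tunnel endpoints swapped) is not installed."""
    keys = {(p["src"], p["dst"], p["dir"], p["tunnel"]) for p in policies}
    flip = {"in": "out", "out": "in"}
    return [i for i, p in enumerate(policies)
            if (p["dst"], p["src"], flip[p["dir"]], p["tunnel"][::-1]) not in keys]

def shadowed(policies):
    """Same-direction pairs whose selectors both cover some flow, so order alone decides."""
    return [(i, j) for i, a in enumerate(policies) for j, b in enumerate(policies)
            if i < j and a["dir"] == b["dir"]
            and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])]

if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    for src in ("192.168.100.254", "194.207.93.254"):  # the two replies toward Benelux
        print(src, "-> 192.168.102.254 out: policy", lookup(spd, src, "192.168.102.254", "out"))
    print("unmirrored:", unmirrored(spd), "shadowed:", shadowed(spd))
```

On the posted policies it reports no missing mirrors and no overlaps, but it shows that the reply 192.168.100.254 -> 192.168.102.254 is governed by the 192.168.0.0/16 policy (index 6) while 194.207.93.254 -> 192.168.102.254 hits the 194.207.93.0/24 policy (index 4): two distinct selector sets toward the same Benelux endpoint, which is the first thing to compare against what the peer is configured to accept.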