From owner-freebsd-security Thu Jan 24 12:01:48 2002
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Thu, 24 Jan 2002 13:01:31 -0700
To: anderson@centtech.com
Cc: dr3node, freebsd-security@FreeBSD.ORG
Subject: Re: Can't set up an IPsec tunnel.
Message-ID: <15440.26651.603917.777527@caddis.yogotech.com>
In-Reply-To: <3C50588C.7200324B@centtech.com>
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com>

> IPSEC won't work through masquerading boxes or NAT firewalls.

Not easily, anyway. You have to do special things to make it work through
NAT, like double-encapsulating it.

Nate

> > i've read everything i could find.
> > that is the latest try:
> >
> > Remote host:
> >
> > ifconfig gif0 create tunnel 222.222.22.2 111.111.11.1
> > ifconfig gif0 inet 222.222.22.2 192.168.0.1 netmask 0xffffff00
> > setkey -FP
> > setkey -F
> >
> > ipsec.conf:
> > //
> > spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
> > esp/tunnel/222.222.22.2-111.111.11.1/require;
> > spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
> > esp/tunnel/111.111.11.1-222.222.22.2/require;
> > //
> > + racoon with the keys in /usr/local/etc/racoon/psk.txt
> > setkey -f /etc/ipsec.conf
> >
> > Local gateway:
> >
> > ifconfig fxp0 111.111.11.1 netmask 0xffffffff alias
> > ifconfig gif0 create tunnel 111.111.11.1 222.222.22.2
> > ifconfig gif0 inet 192.168.0.1 222.222.22.2 netmask 0xffffff00
> > setkey -FP
> > setkey -F
> >
> > ipsec.conf:
> > //
> > spdadd 192.168.0.0/24 0.0.0.0/0 any -P out ipsec
> > esp/tunnel/111.111.11.1-222.222.22.2/require;
> > spdadd 0.0.0.0/0 192.168.0.0/24 any -P in ipsec
> > esp/tunnel/222.222.22.2-111.111.11.1/require;
> > //
> >
> > + racoon with the keys in /usr/local/etc/racoon/psk.txt
> > setkey -f /etc/ipsec.conf
> > and the connection on the gate drops down.
> > the error is: /kernel: gif_output: recursively called too many times(2)
> >
> > i'm wondering what, if any, troubles are because of that RedHat gate with the
> > masquerade, or because of my stupidity.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> ------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------
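Added example, not code from anyone in the thread: a small Python checker that parses the two ifconfig/setkey(8) fragments quoted above (embedded as constructed input copied from the post) and reports two things worth verifying before blaming the NAT box: whether each side's `out` policy has a matching `in` policy on the peer with the same selectors and tunnel endpoints, and whether a gif inner destination equals the outer tunnel endpoint, which makes gif's own encapsulated packets route back into gif0. What counts as "mirrored" here is my assumption, not a setkey rule.

```python
import re
from dataclasses import dataclass

# Constructed input: the two configurations quoted in the post, addresses as posted.
REMOTE = """
ifconfig gif0 create tunnel 222.222.22.2 111.111.11.1
ifconfig gif0 inet 222.222.22.2 192.168.0.1 netmask 0xffffff00
spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec
esp/tunnel/222.222.22.2-111.111.11.1/require;
spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/111.111.11.1-222.222.22.2/require;
"""
LOCAL = """
ifconfig gif0 create tunnel 111.111.11.1 222.222.22.2
ifconfig gif0 inet 192.168.0.1 222.222.22.2 netmask 0xffffff00
spdadd 192.168.0.0/24 0.0.0.0/0 any -P out ipsec
esp/tunnel/111.111.11.1-222.222.22.2/require;
spdadd 0.0.0.0/0 192.168.0.0/24 any -P in ipsec
esp/tunnel/222.222.22.2-111.111.11.1/require;
"""

# spdadd <src> <dst> <proto> -P <dir> ipsec esp/tunnel/<tsrc>-<tdst>/<level>;
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+\s*;")
GIF_RE = re.compile(r"ifconfig gif0 inet ([\d.]+) ([\d.]+)")
TUN_RE = re.compile(r"ifconfig gif0 create tunnel ([\d.]+) ([\d.]+)")


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str
    tun_src: str
    tun_dst: str


def parse_policies(config):
    return {Policy(*m.groups()) for m in SPD_RE.finditer(config)}


def unmirrored(side_a, side_b):
    """Out-policies of A that have no in-policy on B with identical selectors and endpoints."""
    outs = {p for p in parse_policies(side_a) if p.direction == "out"}
    ins = {p for p in parse_policies(side_b) if p.direction == "in"}
    return outs - {Policy(p.src, p.dst, "out", p.tun_src, p.tun_dst) for p in ins}


def gif_route_loop(config):
    """True when the gif inner destination is the outer tunnel endpoint: ifconfig installs a
    host route to the inner destination via gif0, so the encapsulated packet re-enters gif0."""
    return GIF_RE.search(config).group(2) == TUN_RE.search(config).group(2)
```

For the posted configs the SPD entries mirror cleanly in both directions, while the local gateway's gif line trips the route-loop check.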