From owner-freebsd-net Wed Nov 15 13:50:32 2000
Date: Wed, 15 Nov 2000 14:49:50 -0700 (MST)
From: Nick Rogness
To: "James E. Quick"
Cc: freebsd-net@freebsd.org
Subject: Re: I need help with IPSEC
In-Reply-To: <200011151654.eAFGsCC24802@papoose.quick.com>

On Wed, 15 Nov 2000, James E. Quick wrote:

> I am in desperate need of help with IPSEC.
> I have a pair of firewalls configured with:
> IPSEC
> IPSEC_ESP
> IPSEC_DEBUG
>
> I started with an attempt using racoon, then backed off
> to using manually added entries via skey.
> I do not see anything in racoon output that looks like an
> error.
>
> The remote end of the gateway is a box running 4.1.1-STABLE.
> It has a single public IP address via a cable modem with
> 172.16.1.x addresses behind it.
> My endpoint is running 4.2-BETA and has an ISP provided /30
> subnet externally, with my publicly routable Class C behind.
>
> I note that when I try to reach any 172.16.1 address
> with either form of IPSEC configured I get 'No route to host'
> errors. This suggests that IPSEC is not encapsulating anything.
>

You know I have had the same problems. I haven't quite figured out the tunnelling part of IPSEC yet. So what I did, as a workaround, was to add a tunnel interface (gif) and then add IPSEC on top of that in transparent mode (tunnel mode still works). See below.

> I would appreciate hearing from anyone who has set up esp
> style tunnels between either 2 FreeBSDs or between FreeBSD and
> anything else.
I used gif interfaces to build a packet tunnel (IPv4 -> IPv4). I then added the appropriate routes for each network, so I could effectively ping across the tunnels. Tested the connection between the 2 using ssh. Everything fine at this point.

I then proceeded to add the IPSEC options in the kernel, like you have above. Added the SAD entries with setkey. Added the SPD policies with setkey also. Verified connectivity. Ran a packet sniffer between the 2 networks, saw packet type ESP. Everything worked OK. It did add about 2->4 ms of latency to a 10BaseT connection but that seems logical.

> We are both running ipfilt on our ends.
> The remote site is also running simple ipnat configuration.

I have not added NAT into the equation yet.

Nick Rogness - Drive defensively. Buy a tank.
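The gif-plus-IPsec workaround described in the reply above, as an added example that is not from the posting: a small sh helper that emits the setkey(8) configuration (manually keyed SAD entries plus SPD policies) needed to wrap a gif IPv4-in-IPv4 tunnel in ESP transport mode. The check_key and gen_setkey_conf names are hypothetical, and the addresses, SPIs and keys are constructed sample values.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the list posting).
# Emits a setkey(8) configuration that wraps a gif IPv4-in-IPv4 tunnel in
# ESP transport mode: the SAD gets one manually keyed SA per direction and
# the SPD requires ESP for the IP-in-IP (protocol 4, "ip4") packets gif emits.
# Assumes the gif tunnel itself is already configured between the outer
# addresses (ifconfig gif0 tunnel LOCAL_OUTER REMOTE_OUTER). Manual keys
# never rotate; racoon (IKE) rekeys automatically, this script does not.

# check_key HEXKEY BITS: reject non-hex keys and keys of the wrong length.
# rijndael-cbc (AES) takes 128/192/256 bits, hmac-sha1 takes 160 bits.
check_key() {
    k=${1#0x}
    case "$k" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#k} * 4 )) -eq "$2" ]
}

# gen_setkey_conf LOCAL REMOTE SPI_OUT SPI_IN ENC_OUT AUTH_OUT ENC_IN AUTH_IN
# Separate keys per direction; SPIs below 256 are reserved by setkey.
gen_setkey_conf() {
    loc=$1 rem=$2 spi_out=$3 spi_in=$4
    for pair in "$5:128" "$6:160" "$7:128" "$8:160"; do
        check_key "${pair%:*}" "${pair#*:}" || return 1
    done
    cat <<EOF
flush;
spdflush;
# SAD: ESP transport-mode SAs between the two tunnel endpoints
add $loc $rem esp $spi_out -m transport -E rijndael-cbc 0x${5#0x} -A hmac-sha1 0x${6#0x};
add $rem $loc esp $spi_in -m transport -E rijndael-cbc 0x${7#0x} -A hmac-sha1 0x${8#0x};
# SPD: require ESP for the gif (ip4) traffic only, in both directions
spdadd $loc $rem ip4 -P out ipsec esp/transport//require;
spdadd $rem $loc ip4 -P in ipsec esp/transport//require;
EOF
}
```

Feed the output to `setkey -c` on each endpoint with the local/remote arguments swapped; a sniffer on the outer link should then show ESP rather than IP-in-IP.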