From: "Matthew Emmerton"
Subject: Help with IPSec VPN
Date: Fri, 31 Aug 2001 09:18:37 -0400
Message-ID: <003201c1321f$71de65e0$1200a8c0@gsicomp.on.ca>
List: freebsd-net

Hi all,

I've been trying to get an IPSec tunneling VPN between two boxes working without much success. I've read the FAQs and HOWTOs on www.freebsd.org, www.freebsddiary.org, www.daemonnews.org and www.kame.net, and they all have helped me get closer to where I want to be, but I'm still missing something.

The exact problem that I'm running into is that once I've got everything configured (all details below), when I try to ping the other end of the tunnel, nothing happens. I get this from 'netstat -p ipsec', with every other ipsec counter showing a value of 0:
	8 outbound packets with no SA available

Both boxes are running RELENG_4_3 (security release), and have 'options IPSEC' and 'options IPSEC_ESP' in the kernel. Box A is 192.168.0.2/24, Box B is 192.168.0.3/24.

Here's what I'm doing on box A:

gabby# gifconfig gif0 192.168.0.2 192.168.0.3
gabby# ifconfig gif0 inet 10.0.2.1 10.0.3.1 netmask 255.255.255.0
gabby# setkey -F
gabby# setkey -FP
gabby# setkey -c << EOF
add 10.0.2.1 10.0.3.1 esp 1000 -E 3des-cbc "goofgoofgoofgoofgoofgoof";
add 10.0.3.1 10.0.2.1 esp 1001 -E 3des-cbc "foolfoolfoolfoolfoolfool";
spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/192.168.0.2-192.168.0.3/require;
spdadd 10.0.3.0/24 10.0.2.0/24 any -P in ipsec esp/tunnel/192.168.0.3-192.168.0.2/require;
EOF
gabby# route add -net 10.0.3.0/24 10.0.3.1
gabby#

I'm doing the exact same thing on Box B, except that all the IP pairs are reversed, with the exception of the 'add' lines for setkey (as outlined in the KAME IPsec FAQ, VPN tunnel section) and the route statement.
Here's output from gifconfig, ifconfig, netstat, and setkey (slightly trimmed):

gabby# gifconfig -a gif0
gif0: flags=8011 mtu 1280
	inet6 fe80::200:c0ff:fef2:7c40%gif0 --> :: prefixlen 64
	inet 10.0.2.1 --> 10.0.3.1 netmask 0xffffff00
	physical address inet 192.168.0.2 --> 192.168.0.3
gabby# ifconfig gif0
gif0: flags=8011 mtu 1280
	inet6 fe80::200:c0ff:fef2:7c40%gif0 --> :: prefixlen 64 scopeid 0x4
	inet 10.0.2.1 --> 10.0.3.1 netmask 0xffffff00
gabby# netstat -rn -f inet
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            192.168.0.1        UGSc        1        0      ed0
10.0.3/24          10.0.3.1           UGSc        0        0     gif0
10.0.3.1           10.0.2.1           UH          1        8     gif0
127.0.0.1          127.0.0.1          UH          1       92      lo0
192.168            link#1             UC          0        0      ed0 =>
gabby# setkey -D
10.0.3.1 10.0.2.1
	esp mode=any spi=1001(0x000003e9) reqid=0(0x00000000)
	E: 3des-cbc 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c
	replay=0 flags=0x00000040 state=mature seq=1 pid=403
	created: Aug 31 08:39:59 2001	current: Aug 31 09:11:49 2001
	diff: 1910(s)	hard: 0(s)	soft: 0(s)
	last:		hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1
10.0.2.1 10.0.3.1
	esp mode=any spi=1000(0x000003e8) reqid=0(0x00000000)
	E: 3des-cbc 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66
	replay=0 flags=0x00000040 state=mature seq=0 pid=403
	created: Aug 31 08:39:59 2001	current: Aug 31 09:11:49 2001
	diff: 1910(s)	hard: 0(s)	soft: 0(s)
	last:		hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	refcnt=1
gabby# setkey -DP
10.0.3.0/24[any] 10.0.2.0/24[any] any
	in ipsec
	esp/tunnel/192.168.0.3-192.168.0.2/require
	spid=4 seq=1 pid=404
	refcnt=1
10.0.2.0/24[any] 10.0.3.0/24[any] any
	out ipsec
	esp/tunnel/192.168.0.2-192.168.0.3/require
	spid=3 seq=0 pid=404
	refcnt=1

-- 
Matt Emmerton
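A check worth running whenever 'netstat -p ipsec' reports "outbound packets with no SA available": compare the policies in 'setkey -DP' with the SAs in 'setkey -D' and see whether each 'require' rule actually has an SA the kernel could select for it. For a tunnel-mode rule the KAME kernel looks the SA up by the outer src/dst addresses named in the rule (and the protocol), so an SA keyed by any other address pair is never considered. The script below is an added example, not code from the original post or from KAME/FreeBSD; it assumes the setkey output layout shown in the mail (entry header at column 0, details indented), and the three sample blocks are constructed, the first two mirroring the post's SAD and SPD and the third showing SAs keyed the way those policies expect.

```python
"""Cross-check KAME setkey output: does every 'require' policy in `setkey -DP`
have an SA in `setkey -D` that the kernel could select for it?

Added example, not from the original post or from KAME/FreeBSD.  Assumes the
setkey layout shown in the mail: entry header at column 0, details indented."""
import re

# Constructed SAD mirroring the post: ESP SAs keyed by the gif *inner* addresses.
SAD_OUTPUT = """\
10.0.3.1 10.0.2.1
    esp mode=any spi=1001(0x000003e9) reqid=0(0x00000000)
    E: 3des-cbc 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c
    replay=0 flags=0x00000040 state=mature seq=1 pid=403
10.0.2.1 10.0.3.1
    esp mode=any spi=1000(0x000003e8) reqid=0(0x00000000)
    E: 3des-cbc 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66
    replay=0 flags=0x00000040 state=mature seq=0 pid=403
"""

# Constructed SPD mirroring the post: tunnel-mode ESP between the *outer* addresses.
SPD_OUTPUT = """\
10.0.3.0/24[any] 10.0.2.0/24[any] any
    in ipsec
    esp/tunnel/192.168.0.3-192.168.0.2/require
    spid=4 seq=1 pid=404
    refcnt=1
10.0.2.0/24[any] 10.0.3.0/24[any] any
    out ipsec
    esp/tunnel/192.168.0.2-192.168.0.3/require
    spid=3 seq=0 pid=404
    refcnt=1
"""

# Constructed SAD whose SAs are keyed the way the tunnel policies above expect.
SAD_FIXED = """\
192.168.0.2 192.168.0.3
    esp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
192.168.0.3 192.168.0.2
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
"""

SA_LINE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)")
SP_DIR = re.compile(r"^\s+(in|out)\s+(ipsec|discard|none)")
SP_RULE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)")
SP_ID = re.compile(r"^\s+spid=(\d+)")


def _addr(token):
    """Strip the '[any]' / '[port]' suffix setkey prints after a selector."""
    return re.sub(r"\[[^\]]*\]$", "", token)


def parse_sad(text):
    """One dict per SA: src, dst, proto, mode, spi."""
    sas, hdr = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            hdr = line.split()                       # "src dst" header line
            continue
        m = SA_LINE.match(line)
        if m and hdr:
            sas.append({"src": hdr[0], "dst": hdr[1], "proto": m.group(1),
                        "mode": m.group(2), "spi": int(m.group(3))})
            hdr = None
    return sas


def parse_spd(text):
    """One dict per policy: src, dst, dir, action, spid, rules[]."""
    pols, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            src, dst, _upper = line.split()          # "src[any] dst[any] proto"
            cur = {"src": _addr(src), "dst": _addr(dst), "rules": []}
            pols.append(cur)
            continue
        if cur is None:
            continue
        if m := SP_DIR.match(line):
            cur["dir"], cur["action"] = m.group(1), m.group(2)
        elif m := SP_RULE.match(line):
            ends = m.group(3).split("-") if m.group(3) else []
            cur["rules"].append({"proto": m.group(1), "mode": m.group(2),
                                 "ends": ends, "level": m.group(4)})
        elif m := SP_ID.match(line):
            cur["spid"] = int(m.group(1))
    return pols


def sa_endpoints(rule, pol):
    """(src, dst) the kernel keys the SA lookup on for this rule, or None."""
    if rule["mode"] == "tunnel":
        return tuple(rule["ends"]) if len(rule["ends"]) == 2 else None
    # transport mode: the SA is between the policy's own hosts, so this is
    # only decidable for host selectors (a prefix selector may need many SAs)
    if "/" in pol["src"] or "/" in pol["dst"]:
        return None
    return (pol["src"], pol["dst"])


def find_unmatched(sad_text, spd_text):
    """(spid, dir, rule, wanted_src, wanted_dst) for every 'require' rule
    that no SA in the SAD can satisfy (matching proto, addresses and mode)."""
    sas = parse_sad(sad_text)
    problems = []
    for pol in parse_spd(spd_text):
        if pol.get("action") != "ipsec":
            continue
        for rule in pol["rules"]:
            want = sa_endpoints(rule, pol)
            if rule["level"] != "require" or want is None:
                continue
            ok = any(sa["proto"] == rule["proto"] and (sa["src"], sa["dst"]) == want
                     and sa["mode"] in (rule["mode"], "any") for sa in sas)
            if not ok:
                rtxt = "%s/%s/%s/%s" % (rule["proto"], rule["mode"],
                                        "-".join(rule["ends"]), rule["level"])
                problems.append((pol.get("spid"), pol.get("dir"), rtxt) + want)
    return problems


if __name__ == "__main__":
    for spid, direction, rule, src, dst in find_unmatched(SAD_OUTPUT, SPD_OUTPUT):
        print("spid=%s %s %s: no SA with src=%s dst=%s" % (spid, direction, rule, src, dst))
    print("re-keyed SAD:", find_unmatched(SAD_FIXED, SPD_OUTPUT))
```

On a real box the two constructed strings would be replaced with the captured output of 'setkey -D' and 'setkey -DP'. Run against the post's own tables the script flags both policies (spid 3 and 4), because the SAs are keyed 10.0.2.1/10.0.3.1 while the rules demand an SA between 192.168.0.2 and 192.168.0.3; against SAD_FIXED it reports nothing.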