Date: Fri, 29 Jun 2001 13:44:24 -0400
From: Jim Mock <jim@compete.com>
To: questions@FreeBSD.org
Subject: more on VPN
Message-ID: <20010629134423.A2536@cartman.boston.geekhouse.net>
I've made some progress on the VPN since the mail I sent to the list a few
days ago. The two machines are now exchanging keys with racoon quite happily
and I see traffic on gif0, but I still can't ping either side from the other.
Here's the setup as it currently stands:

aa.aaa.aaa.aa is the Boston firewall's external IP address.
bb.bbb.bbb.bbb is the San Francisco firewall's external IP address.

Boston
------

On the firewall, I have the following script in /usr/local/etc/rc.d:

% more vpn.sh
#!/bin/sh

# set up the tunnel device
gifconfig gif0 aa.aaa.aaa.aa bb.bbb.bbb.bbb

# set up the internal side of the tunnel
ifconfig gif0 192.168.0.10 192.168.1.1 netmask 255.255.255.0

# add a route
route add -net 192.168.1.0/24 192.168.1.1

# set up the keys
setkey -f /etc/ipsec.conf
%

This produces the following:

% ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 192.168.0.10 --> 192.168.1.1 netmask 0xffffff00
%
% netstat -rn | grep gif0
192.168.1          192.168.1.1        UGSc        0      227     gif0
192.168.1.1        192.168.0.10       UH          2       20     gif0
%

/etc/ipsec.conf contains the following:

% more /etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
%

setkey -D produces the following output:

% setkey -D
aa.aaa.aaa.aa bb.bbb.bbb.bbb
        esp mode=tunnel spi=149552552(0x08e9fda8) reqid=0(0x00000000)
        E: 3des-cbc 1b204067 464bfc6f 7b392ce5 ced431d2 81f3e3e5 34a8191c
        A: hmac-sha1 0f7debd3 dd057e35 3cc76a30 1c986de3 76e24268
        replay=4 flags=0x00000000 state=mature seq=1 pid=1000
        created: Jun 29 13:01:25 2001   current: Jun 29 13:20:53 2001
        diff: 1168(s)   hard: 3600(s)   soft: 2880(s)
        last: Jun 29 13:09:26 2001      hard: 0(s)      soft: 0(s)
        current: 4368(bytes)    hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 33   hard: 0 soft: 0
        refcnt=2
bb.bbb.bbb.bbb aa.aaa.aaa.aa
        esp mode=tunnel spi=122421204(0x074bffd4) reqid=0(0x00000000)
        E: 3des-cbc 8540f84a 71bbf61d 397bc0a2 c7a1ea64 2a089d7d df1a34c7
        A: hmac-sha1 3b258495 2c8f1a23 fa0d8595 4621c53d 6ecaac1d
        replay=4 flags=0x00000000 state=mature seq=0 pid=1000
        created: Jun 29 13:01:25 2001   current: Jun 29 13:20:53 2001
        diff: 1168(s)   hard: 3600(s)   soft: 2880(s)
        last: Jun 29 13:20:49 2001      hard: 0(s)      soft: 0(s)
        current: 7704(bytes)    hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 138  hard: 0 soft: 0
        refcnt=1

The output of ipfw show tells me packets are going through:

03100       0       0 allow esp from aa.aaa.aaa.aa to bb.bbb.bbb.bbb
03200     186   19880 allow esp from bb.bbb.bbb.bbb to aa.aaa.aaa.aa
03300       3     764 allow udp from aa.aaa.aaa.aa 500 to bb.bbb.bbb.bbb 500
03400       5    1160 allow udp from bb.bbb.bbb.bbb 500 to aa.aaa.aaa.aa 500
03500       0       0 allow ipencap from aa.aaa.aaa.aa to bb.bbb.bbb.bbb
03600       0       0 allow ipencap from bb.bbb.bbb.bbb to aa.aaa.aaa.aa
03700      33    2652 allow ip from any to any via gif0

None of the deny rules I have set up are activated when I try to ping a
machine on either side.

San Francisco
-------------

% more vpn.sh
#!/bin/sh

# set up the tunnel device
gifconfig gif0 bb.bbb.bbb.bbb aa.aaa.aaa.aa

# set up the internal side of the tunnel
ifconfig gif0 inet 192.168.1.1 192.168.0.10 netmask 255.255.255.0

# add a route
route add -net 192.168.0.0/24 192.168.0.10

# set up the keys
setkey -f /etc/ipsec.conf
%

This gives me:

% ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 192.168.1.1 --> 192.168.0.10 netmask 0xffffff00
%
% netstat -rn | grep gif0
192.168            192.168.0.10       UGSc        0      677     gif0
192.168.0.10       192.168.1.1        UH          1      132     gif0
%

In /etc/ipsec.conf:

% more /etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
%

Output of setkey -D:

% setkey -D
bb.bbb.bbb.bbb aa.aaa.aaa.aa
        esp mode=tunnel spi=18868878(0x011fea8e) reqid=0(0x00000000)
        E: 3des-cbc a1070723 ca19fd9c a58d53bc be46fe0d 87511fd8 e20996a5
        A: hmac-sha1 ae0afab2 0fddc4f8 d9f43058 c9a9653e 849b7bc5
        replay=4 flags=0x00000000 state=mature seq=1 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last: Jun 29 10:41:52 2001      hard: 0(s)      soft: 0(s)
        current: 520(bytes)     hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 5    hard: 0 soft: 0
        refcnt=2
aa.aaa.aaa.aa bb.bbb.bbb.bbb
        esp mode=tunnel spi=160142316(0x098b93ec) reqid=0(0x00000000)
        E: 3des-cbc f4dd081d 029f81d4 f07580e0 dfaee2a4 7cd81489 647c818d
        A: hmac-sha1 bc18c39b 557321e8 c76925b9 561e64a4 5ea38d3e
        replay=4 flags=0x00000000 state=mature seq=0 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
%

And here's the ipfw show output showing traffic:

02500       0       0 allow esp from 66.122.112.198 to 64.211.217.66
02600      11    1496 allow esp from 64.211.217.66 to 66.122.112.198
02700       5    1160 allow udp from 66.122.112.198 500 to 64.211.217.66 500
02800       3     764 allow udp from 64.211.217.66 500 to 66.122.112.198 500
02900       0       0 allow ipencap from 66.122.112.198 to 64.211.217.66
03000       0       0 allow ipencap from 64.211.217.66 to 66.122.112.198
03100      23    1500 allow ip from any to any via gif0

I've been banging my head against a wall with this for 3 or 4 days now...
trying various things. This is the closest I've come to it actually working.

Any ideas?

- jim

--
- jim mock <jim@compete.com>                         www.compete.com -
- jim@FreeBSD.org  -  senior systems administrator  -  Compete, Inc. -
- ph: 1.617.867.7035                                                 -
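One sanity check worth running on a two-firewall setup like the one above, as an added example that is not part of the original post or of FreeBSD's own tools: parse both /etc/ipsec.conf files and confirm that every outbound spdadd on one side has the mirror inbound entry on the peer, and that each tunnel's endpoints run from the local external address to the peer's. The host labels "A"/"B" and the sample configs are constructed from the placeholder addresses in the post.

```python
import re
from dataclasses import dataclass

# Policy lines in the form used in the post: spdadd SRC DST PROTO -P in|out ipsec esp/tunnel/A-B/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;")

@dataclass(frozen=True)
class Policy:
    src: str; dst: str; proto: str; direction: str
    tun_src: str; tun_dst: str; level: str
    def peer_view(self):
        # What the other end needs for this flow: same selectors and endpoints, direction flipped.
        flipped = "in" if self.direction == "out" else "out"
        return Policy(self.src, self.dst, self.proto, flipped,
                      self.tun_src, self.tun_dst, self.level)

def parse_spd(text):
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]

def check_peers(cfg_a, ext_a, cfg_b, ext_b):
    """Return a list of problems; empty means the two SPDs mirror each other."""
    a, b = parse_spd(cfg_a), parse_spd(cfg_b)
    problems = []
    for name, here, there, ext_here, ext_there in (
            ("A", a, b, ext_a, ext_b), ("B", b, a, ext_b, ext_a)):
        for p in here:
            # Tunnel endpoints must run from this host to the peer (out) or back (in).
            want = (ext_here, ext_there) if p.direction == "out" else (ext_there, ext_here)
            if (p.tun_src, p.tun_dst) != want:
                problems.append(f"{name}: {p.direction} {p.src}->{p.dst} uses tunnel "
                                f"{p.tun_src}-{p.tun_dst}, expected {want[0]}-{want[1]}")
            if p.peer_view() not in there:
                problems.append(f"{name}: {p.direction} {p.src}->{p.dst} has no matching "
                                f"{p.peer_view().direction} policy on the peer")
    return problems

# Constructed sample input using the placeholder addresses from the post.
BOSTON_EXT, SF_EXT = "aa.aaa.aaa.aa", "bb.bbb.bbb.bbb"
BOSTON_CONF = """spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;"""
SF_CONF = """spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;"""
# A constructed typo: SF's inbound selector widened to /16, so it no longer mirrors Boston's outbound one.
SF_CONF_BAD = SF_CONF.replace("192.168.0.0/24 192.168.1.0/24 any -P in",
                              "192.168.0.0/16 192.168.1.0/24 any -P in")

if __name__ == "__main__":
    print(check_peers(BOSTON_CONF, BOSTON_EXT, SF_CONF, SF_EXT))      # []
    print(*check_peers(BOSTON_CONF, BOSTON_EXT, SF_CONF_BAD, SF_EXT), sep="\n")
```

The two configs quoted in the post come back clean; the check only catches selector and endpoint mismatches between the two SPDs, not routing or firewall problems.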