From owner-freebsd-questions Fri Jun 29 10:44:38 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from corleone.idealab.com (mx2.idealab.com [64.208.8.4])
        by hub.freebsd.org (Postfix) with SMTP id 959DA37B405
        for ; Fri, 29 Jun 2001 10:44:26 -0700 (PDT)
        (envelope-from jim@compete.com)
Received: (qmail 21821 invoked by alias); 29 Jun 2001 17:44:26 -0000
Received: (qmail 21766 invoked from network); 29 Jun 2001 17:44:25 -0000
Received: from unknown (HELO cartman.boston.geekhouse.net) (10.5.1.109)
        by corleone.idealab.com with SMTP; 29 Jun 2001 17:44:25 -0000
Received: by cartman.boston.geekhouse.net (Postfix, from userid 1000)
        id 46FF6324E; Fri, 29 Jun 2001 13:44:24 -0400 (EDT)
Date: Fri, 29 Jun 2001 13:44:24 -0400
From: Jim Mock
To: questions@FreeBSD.org
Subject: more on VPN
Message-ID: <20010629134423.A2536@cartman.boston.geekhouse.net>
Reply-To: jim@compete.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.19i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I've made some progress on the VPN since the mail I sent to the list a
few days ago.  The two machines are now exchanging keys with racoon
quite happily and I see traffic on gif0, but I still can't ping either
side from the other.

Here's the setup as it currently stands:

aa.aaa.aaa.aa is the Boston firewall's external IP address.
bb.bbb.bbb.bbb is the San Francisco firewall's external IP address.

Boston
------

On the firewall, I have the following script in /usr/local/etc/rc.d:

% more vpn.sh
#!/bin/sh

# set up the tunnel device
gifconfig gif0 aa.aaa.aaa.aa bb.bbb.bbb.bbb

# set up the internal side of the tunnel
ifconfig gif0 192.168.0.10 192.168.1.1 netmask 255.255.255.0

# add a route
route add -net 192.168.1.0/24 192.168.1.1

# set up the keys
setkey -f /etc/ipsec.conf
%

This produces the following:

% ifconfig gif0
gif0: flags=8051 mtu 1280
        inet 192.168.0.10 --> 192.168.1.1 netmask 0xffffff00
%

% netstat -rn | grep gif0
192.168.1          192.168.1.1        UGSc        0      227     gif0
192.168.1.1        192.168.0.10       UH          2       20     gif0
%

/etc/ipsec.conf contains the following:

% more /etc/ipsec.conf
flush;
spdflush;

spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
        esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
%

setkey -D produces the following output:

% setkey -D
aa.aaa.aaa.aa bb.bbb.bbb.bbb
        esp mode=tunnel spi=149552552(0x08e9fda8) reqid=0(0x00000000)
        E: 3des-cbc 1b204067 464bfc6f 7b392ce5 ced431d2 81f3e3e5 34a8191c
        A: hmac-sha1 0f7debd3 dd057e35 3cc76a30 1c986de3 76e24268
        replay=4 flags=0x00000000 state=mature seq=1 pid=1000
        created: Jun 29 13:01:25 2001   current: Jun 29 13:20:53 2001
        diff: 1168(s)   hard: 3600(s)   soft: 2880(s)
        last: Jun 29 13:09:26 2001      hard: 0(s)      soft: 0(s)
        current: 4368(bytes)    hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 33   hard: 0 soft: 0
        refcnt=2
bb.bbb.bbb.bbb aa.aaa.aaa.aa
        esp mode=tunnel spi=122421204(0x074bffd4) reqid=0(0x00000000)
        E: 3des-cbc 8540f84a 71bbf61d 397bc0a2 c7a1ea64 2a089d7d df1a34c7
        A: hmac-sha1 3b258495 2c8f1a23 fa0d8595 4621c53d 6ecaac1d
        replay=4 flags=0x00000000 state=mature seq=0 pid=1000
        created: Jun 29 13:01:25 2001   current: Jun 29 13:20:53 2001
        diff: 1168(s)   hard: 3600(s)   soft: 2880(s)
        last: Jun 29 13:20:49 2001      hard: 0(s)      soft: 0(s)
        current: 7704(bytes)    hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 138  hard: 0 soft: 0
        refcnt=1

The output of ipfw show tells me packets are going through:

03100      0      0 allow esp from aa.aaa.aaa.aa to bb.bbb.bbb.bbb
03200    186  19880 allow esp from bb.bbb.bbb.bbb to aa.aaa.aaa.aa
03300      3    764 allow udp from aa.aaa.aaa.aa 500 to bb.bbb.bbb.bbb 500
03400      5   1160 allow udp from bb.bbb.bbb.bbb 500 to aa.aaa.aaa.aa 500
03500      0      0 allow ipencap from aa.aaa.aaa.aa to bb.bbb.bbb.bbb
03600      0      0 allow ipencap from bb.bbb.bbb.bbb to aa.aaa.aaa.aa
03700     33   2652 allow ip from any to any via gif0

None of the deny rules I have set up are activated when I try to ping a
machine on either side.

San Francisco
-------------

% more vpn.sh
#!/bin/sh

# set up the tunnel device
gifconfig gif0 bb.bbb.bbb.bbb aa.aaa.aaa.aa

# set up the internal side of the tunnel
ifconfig gif0 inet 192.168.1.1 192.168.0.10 netmask 255.255.255.0

# add a route
route add -net 192.168.0.0/24 192.168.0.10

# set up the keys
setkey -f /etc/ipsec.conf
%

This gives me:

% ifconfig gif0
gif0: flags=8051 mtu 1280
        inet 192.168.1.1 --> 192.168.0.10 netmask 0xffffff00
%

% netstat -rn | grep gif0
192.168            192.168.0.10       UGSc        0      677     gif0
192.168.0.10       192.168.1.1        UH          1      132     gif0
%

In /etc/ipsec.conf:

% more /etc/ipsec.conf
flush;
spdflush;

spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
        esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
%

Output of setkey -D:

% setkey -D
bb.bbb.bbb.bbb aa.aaa.aaa.aa
        esp mode=tunnel spi=18868878(0x011fea8e) reqid=0(0x00000000)
        E: 3des-cbc a1070723 ca19fd9c a58d53bc be46fe0d 87511fd8 e20996a5
        A: hmac-sha1 ae0afab2 0fddc4f8 d9f43058 c9a9653e 849b7bc5
        replay=4 flags=0x00000000 state=mature seq=1 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last: Jun 29 10:41:52 2001      hard: 0(s)      soft: 0(s)
        current: 520(bytes)     hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 5    hard: 0 soft: 0
        refcnt=2
aa.aaa.aaa.aa bb.bbb.bbb.bbb
        esp mode=tunnel spi=160142316(0x098b93ec) reqid=0(0x00000000)
        E: 3des-cbc f4dd081d 029f81d4 f07580e0 dfaee2a4 7cd81489 647c818d
        A: hmac-sha1 bc18c39b 557321e8 c76925b9 561e64a4 5ea38d3e
        replay=4 flags=0x00000000 state=mature seq=0 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
%

And here's the ipfw show output showing traffic:

02500      0      0 allow esp from 66.122.112.198 to 64.211.217.66
02600     11   1496 allow esp from 64.211.217.66 to 66.122.112.198
02700      5   1160 allow udp from 66.122.112.198 500 to 64.211.217.66 500
02800      3    764 allow udp from 64.211.217.66 500 to 66.122.112.198 500
02900      0      0 allow ipencap from 66.122.112.198 to 64.211.217.66
03000      0      0 allow ipencap from 64.211.217.66 to 66.122.112.198
03100     23   1500 allow ip from any to any via gif0

I've been banging my head against a wall with this for 3 or 4 days
now... trying various things.  This is the closest I've come to it
actually working.  Any ideas?

- jim

--
- jim mock                 www.compete.com - jim@FreeBSD.org -
- senior systems administrator - Compete, Inc. - ph: 1.617.867.7035 -

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
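When IKE completes but traffic does not flow, the per-SA byte and packet counters in `setkey -D` are the first thing to compare on the two gateways: an inbound SA that never leaves zero bytes means that gateway has not decrypted a single ESP packet on it, whatever the firewall counters say. The following parser is an added example written for this thread, not code from the original post or from FreeBSD or KAME. It reads a `setkey -D` dump, extracts each SA's endpoints, SPI, state and lifetime counters, and groups the SAs by direction relative to the local outer address. The sample dump is constructed from the San Francisco `setkey -D` output above, with the same masked placeholder addresses; the indentation is spaces here where real output uses tabs, which the parser treats identically. Run over that dump it reports the inbound (aa.aaa.aaa.aa to bb.bbb.bbb.bbb) leg as idle, which is exactly what the `current: 0(bytes)` line says.

```python
"""Parse `setkey -D` output (KAME IPsec, as on FreeBSD 4.x) and summarise
the security associations by direction.

Added example, not from the original post or from FreeBSD/KAME.  The dump
below is constructed from the post's San Francisco `setkey -D` output and
uses the post's masked placeholders: aa.aaa.aaa.aa is the Boston gateway,
bb.bbb.bbb.bbb is the San Francisco gateway.
"""
import re

SAMPLE_SETKEY_D = """\
bb.bbb.bbb.bbb aa.aaa.aaa.aa
        esp mode=tunnel spi=18868878(0x011fea8e) reqid=0(0x00000000)
        E: 3des-cbc a1070723 ca19fd9c a58d53bc be46fe0d 87511fd8 e20996a5
        A: hmac-sha1 ae0afab2 0fddc4f8 d9f43058 c9a9653e 849b7bc5
        replay=4 flags=0x00000000 state=mature seq=1 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last: Jun 29 10:41:52 2001      hard: 0(s)      soft: 0(s)
        current: 520(bytes)     hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 5    hard: 0 soft: 0
        refcnt=2
aa.aaa.aaa.aa bb.bbb.bbb.bbb
        esp mode=tunnel spi=160142316(0x098b93ec) reqid=0(0x00000000)
        E: 3des-cbc f4dd081d 029f81d4 f07580e0 dfaee2a4 7cd81489 647c818d
        A: hmac-sha1 bc18c39b 557321e8 c76925b9 561e64a4 5ea38d3e
        replay=4 flags=0x00000000 state=mature seq=0 pid=300
        created: Jun 29 10:41:38 2001   current: Jun 29 10:41:55 2001
        diff: 17(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 51200000(bytes)   soft: 40960000(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
"""

# An SA starts with an unindented "src dst" line; its attributes follow indented.
SA_HDR_RE = re.compile(r"^(\S+)\s+(\S+)$")
PROTO_RE = re.compile(r"^\s*(\w+) mode=(\w+) spi=(\d+)\(0x[0-9a-fA-F]+\)")
STATE_RE = re.compile(r"\bstate=(\w+)")
BYTES_RE = re.compile(r"\bcurrent: (\d+)\(bytes\)")   # bytes carried so far
ALLOC_RE = re.compile(r"\ballocated: (\d+)")          # packets counted so far


def parse_setkey_dump(text):
    """Return one dict per SA: src, dst, proto, mode, spi, state, bytes, allocated."""
    sas = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        hdr = SA_HDR_RE.match(line)
        if hdr:
            cur = {"src": hdr.group(1), "dst": hdr.group(2), "proto": None,
                   "mode": None, "spi": None, "state": None,
                   "bytes": 0, "allocated": 0}
            sas.append(cur)
            continue
        if cur is None:
            raise ValueError("attribute line before any SA header: %r" % line)
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = BYTES_RE.search(line)
        if m:
            cur["bytes"] = int(m.group(1))
        m = ALLOC_RE.search(line)
        if m:
            cur["allocated"] = int(m.group(1))
    return sas


def direction_summary(sas, local):
    """Total bytes and list SPIs per direction relative to `local`, the outer
    address of the gateway the dump was taken on.  SAs between other peers
    are ignored."""
    summary = {"inbound": {"bytes": 0, "spis": []},
               "outbound": {"bytes": 0, "spis": []}}
    for sa in sas:
        if sa["dst"] == local:
            key = "inbound"
        elif sa["src"] == local:
            key = "outbound"
        else:
            continue
        summary[key]["bytes"] += sa["bytes"]
        summary[key]["spis"].append(sa["spi"])
    return summary


def idle_directions(sas, local):
    """Directions that have carried no bytes at all; an idle inbound leg means
    nothing from the peer has been decrypted on this gateway yet."""
    return sorted(d for d, v in direction_summary(sas, local).items() if v["bytes"] == 0)


if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_SETKEY_D)
    for sa in sas:
        print("%s -> %s spi=%d state=%s bytes=%d pkts=%d" % (
            sa["src"], sa["dst"], sa["spi"], sa["state"], sa["bytes"], sa["allocated"]))
    print("idle directions on bb.bbb.bbb.bbb:", idle_directions(sas, "bb.bbb.bbb.bbb"))
```

Feed it a dump from each gateway with that gateway's own outer address as `local`; the two reports should mirror each other (one side's outbound bytes growing roughly as the other side's inbound bytes grow). A direction that stays idle while the firewall shows ESP packets arriving points at the SA layer rather than at the rules or the gif routes.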