From owner-freebsd-net Fri Aug 17 19:12:13 2001
Delivered-To: freebsd-net@freebsd.org
From: "Travis Leuthauser"
Subject: IPSec VPN tunnel question
Date: Fri, 17 Aug 2001 21:11:52 -0500
Sender: owner-freebsd-net@FreeBSD.ORG

I am trying to set up an IPSec based VPN between my FreeBSD server, which is running IPFW w/ a custom ruleset and NATD for my home network, and a Netopia R9100 Dual Ethernet router. I am attempting to use IPSec/tunnel/esp/hmac-md5 authentication/no encryption.
Below is my configuration:

Output from 'uname -a':

FreeBSD firewall.crimsonwasteland.com 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Sat Aug 11 09:30:22 GMT 2001 root@firewall.crimsonwasteland.com:/usr/obj/usr/src/sys/FIREWALL i386

Public IP on xl0:     24.181.119.107
Private IP on xl1:    172.16.69.1
Public IP on Netopia:  x.x.x.x
Private IP on Netopia: 172.16.250.1

Snippet of IPFW Ruleset:

00010 allow ip from any to x.x.x.x out xmit gif0
00020 allow ip from x.x.x.x to any in recv gif0
00030 allow ip from any to 172.16.250.0/24 out xmit gif0
00040 allow ip from 172.16.250.0/24 to any in recv gif0
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 127.0.0.0/8 to any
... Several rules allowing specific services ...
65500 deny log ip from any to any

Output from ifconfig gif0:

gif0: flags=8051 mtu 1280
        tunnel inet 24.181.119.107 --> x.x.x.x
        inet 172.16.69.1 --> 172.16.250.1 netmask 0xffffff00
        inet6 fe80::204:76ff:fe6f:7136%gif0 prefixlen 64 scopeid 0x8

Output from setkey -D:

x.x.x.x 24.181.119.107
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
        A: hmac-md5 75b916ac 534cef32 d3db8a44 cf5b62c1
        replay=0 flags=0x00000040 state=mature seq=1 pid=23835
        created: Aug 17 20:53:11 2001   current: Aug 17 20:53:14 2001
        diff: 3(s)      hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
24.181.119.107 x.x.x.x
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
        A: hmac-md5 75b916ac 534cef32 d3db8a44 cf5b62c1
        replay=0 flags=0x00000040 state=mature seq=0 pid=23835
        created: Aug 17 20:53:11 2001   current: Aug 17 20:53:14 2001
        diff: 3(s)      hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1

Output from setkey -DP:

172.16.250.0/24[any] 172.16.69.0/24[any] any
        in ipsec
        esp/tunnel/x.x.x.x-24.181.119.107/require
        spid=10 seq=1 pid=23842 refcnt=1
172.16.69.0/24[any] 172.16.250.0/24[any] any
        out ipsec
        esp/tunnel/24.181.119.107-x.x.x.x/require
        spid=9 seq=0 pid=23842 refcnt=1

Output from netstat -nr:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            24.181.118.1       UGSc        30   234144    xl0
24.181.118/23      link#1             UC           2        0    xl0
24.181.118.1       0:50:b:7:44:1c     UHLW        28        0    xl0   1199
24.181.119.107     0:4:76:6f:71:36    UHLW         0        2    lo0
127.0.0.1          127.0.0.1          UH           0        0    lo0
172.16.69/24       link#2             UC           4        0    xl1
172.16.69.1        0:4:76:6f:71:4e    UHLW         1     8107    lo0
172.16.69.2        0:10:4b:33:79:b9   UHLW         6   752816    xl1   1198
172.16.69.254      link#2             UHLW         1     9836    xl1
172.16.69.255      ff:ff:ff:ff:ff:ff  UHLWb        2     1523    xl1
172.16.250.1       172.16.69.1        UH           0       25   gif0

Internet6:
Destination                    Gateway                Flags  Netif Expire
::1                            ::1                    UH     lo0
fe80::%xl0/64                  link#1                 UC     xl0
fe80::204:76ff:fe6f:7136%xl0   0:4:76:6f:71:36        UHL    lo0
fe80::%xl1/64                  link#2                 UC     xl1
fe80::204:76ff:fe6f:714e%xl1   0:4:76:6f:71:4e        UHL    lo0
fe80::%lo0/64                  fe80::1%lo0            Uc     lo0
fe80::1%lo0                    link#4                 UHL    lo0
fe80::%gif0/64                 link#8                 UC     gif0
fe80::204:76ff:fe6f:7136%gif0  link#8                 UHL    lo0
ff01::/32                      ::1                    U      lo0
ff02::%xl0/32                  link#1                 UC     xl0
ff02::%xl1/32                  link#2                 UC     xl1
ff02::%lo0/32                  ::1                    UC     lo0
ff02::%gif0/32                 link#8                 UC     gif0

Snippet from dmesg:

Aug  7 09:43:35 firewall /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
Aug  7 09:43:35 firewall /kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Aug  7 09:43:35 firewall /kernel:       The Regents of the University of California. All rights reserved.
Aug  7 09:43:35 firewall /kernel: DUMMYNET initialized (010124)
Aug  7 09:43:35 firewall /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, unlimited logging
Aug  7 09:43:35 firewall /kernel: IPsec: Initialized Security Association Processing.

Commands I used to get to this point:

% ifconfig gif0 create inet 172.16.69.1 172.16.250.1 netmask 255.255.255.0 up
% gifconfig gif0 inet 24.181.119.107 x.x.x.x
% setkey -c
spdadd 172.16.69.0/24 172.16.250.0/24 any -P out ipsec esp/tunnel/24.181.119.107-x.x.x.x/require ;
spdadd 172.16.250.0/24 172.16.69.0/24 any -P in ipsec esp/tunnel/x.x.x.x-24.181.119.107/require ;
add 24.181.119.107 x.x.x.x esp 2568731067 -m tunnel -E simple "" -A hmac-md5 0x75b916ac534cef32d3db8a44cf5b62c1 ;
add x.x.x.x 24.181.119.107 esp 2568731067 -m tunnel -E simple "" -A hmac-md5 0x75b916ac534cef32d3db8a44cf5b62c1 ;
^D

If I try to ping or traceroute to 172.16.250.1 from the console of my BSD server, I get no replies. Any advice would be greatly appreciated.

-Travis

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
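An added consistency check over the configuration posted above (example code written for this archive page, not part of the original post): it parses the post's own setkey -D, setkey -DP and ipfw output, confirms that each policy has a tunnel-mode SA with matching endpoints, notes that both SAs were installed with one SPI, and reports that the ruleset shown contains no rule admitting ESP (IP protocol 50) on xl0, which an ipfw default-deny would otherwise drop before the SA ever sees a reply. The sample text is constructed from the post, with the Netopia address kept as the post's x.x.x.x placeholder.

```python
import re
# Constructed sample input, copied from the post's own setkey -D, setkey -DP and
# ipfw output; x.x.x.x is the post's placeholder for the Netopia's public address.
SAD = """\
x.x.x.x 24.181.119.107
    esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
24.181.119.107 x.x.x.x
    esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
"""
SPD = """\
172.16.250.0/24[any] 172.16.69.0/24[any] any
    in ipsec
    esp/tunnel/x.x.x.x-24.181.119.107/require
172.16.69.0/24[any] 172.16.250.0/24[any] any
    out ipsec
    esp/tunnel/24.181.119.107-x.x.x.x/require
"""
IPFW = """\
00010 allow ip from any to x.x.x.x out xmit gif0
00050 divert 8668 ip from any to any via xl0
65500 deny log ip from any to any
"""

def parse_sad(text):
    """Map (src, dst) -> (mode, spi) for each SA listed by 'setkey -D'."""
    pat = r"^(\S+) (\S+)\n\s+esp mode=(\w+) spi=(\d+)"
    return {(s, d): (mode, int(spi)) for s, d, mode, spi in re.findall(pat, text, re.M)}

def parse_spd(text):
    """Map direction -> (tunnel src, tunnel dst) for each policy listed by 'setkey -DP'."""
    pat = r"^\s+(in|out) ipsec\n\s+esp/tunnel/([^/\s]+)-([^/\s]+)/"
    return {dirn: (s, d) for dirn, s, d in re.findall(pat, text, re.M)}

def check_tunnel(sad_text, spd_text, ipfw_text, public_if="xl0"):
    """Return findings to review: SP/SA mismatches, a shared SPI, missing ESP filter rule."""
    sas, sps = parse_sad(sad_text), parse_spd(spd_text)
    findings = []
    for dirn, ends in sps.items():
        sa = sas.get(ends)
        if sa is None:
            findings.append(f"{dirn}: no SA matches tunnel endpoints {ends[0]} -> {ends[1]}")
        elif sa[0] != "tunnel":
            findings.append(f"{dirn}: SA {ends[0]} -> {ends[1]} is {sa[0]} mode, policy wants tunnel")
    if len(sas) > 1 and len({spi for _, spi in sas.values()}) == 1:
        findings.append("both SAs use the same SPI; confirm the peer was given the same value each way")
    # ESP is IP protocol 50 with no ports: it needs its own allow rule on the public
    # interface ahead of the final deny, or the peer's ESP replies never reach the SA.
    if not re.search(rf"^\d+ allow (esp|50) .*\b{public_if}\b", ipfw_text, re.M):
        findings.append(f"no ipfw rule allowing esp on {public_if} in the ruleset shown")
    return findings
```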