Date: 27 May 2002 09:32:34 +0000
From: Wayne Pascoe <freebsd@penguinpowered.org.uk>
To: freebsd-questions@freebsd.org
Subject: VPN with IPSEC - LONG
Message-ID: <m24rguhr65.fsf@set.home.penguinpowered.org.uk>
Hi all,

I am trying to set up a VPN with IPSEC. I've followed the instructions at
http://asherah.dyndns.org/~josh/ipsec-howto.txt

I have two machines with the following:

Machine 1
    Internal address  192.168.10.1
    Internal network  192.168.10.0/24
    External address  10.0.0.1

Machine 2
    Internal address  192.168.2.1
    Internal network  192.168.2.0/24
    External address  10.1.1.1

Each of these machines acts as a gateway for a batch of other machines. I have
changed my external address only in these examples.

On each machine I have a file called vpn.sh. To get these to execute properly, I
had to recompile the kernel with IPSEC, IPSEC_ESP and gif 4. Before doing the
recompile I got messages about "protocol not supported" and "no such interface:
gif0". I also had to do "ifconfig gif0 create" on each machine.

My 2 vpn.sh scripts are as follows:

Machine 1

    # less vpn.sh
    #!/bin/sh
    # These commands need to be run on node A

    # Set up the tunnel device. This presumes you have gif(4) support
    # gif0 connects 10.0.0.1 to 10.1.1.1
    gifconfig gif0 10.0.0.1 10.1.1.1

    # The 'internal' side of the tunnel connects 192.168.10.1 to 192.168.2.1
    ifconfig gif0 inet 192.168.10.1 192.168.2.1 netmask 255.255.255.0

    # The next 2 lines delete all existing entries from the SPD and SAD
    setkey -FP
    setkey -F

    # Add the policy
    setkey -c << EOF
    spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
    spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
    EOF

Machine 2

    # less vpn.sh
    #!/bin/sh
    # These commands need to be run on node B

    # Set up the tunnel device. This presumes you have gif(4) support
    # gif0 connects 10.1.1.1 to 10.0.0.1
    gifconfig gif0 10.1.1.1 10.0.0.1

    # The 'internal' side of the tunnel connects 192.168.2.1 to 192.168.10.1
    ifconfig gif0 inet 192.168.2.1 192.168.10.1 netmask 255.255.255.0

    # The next 2 lines delete all existing entries from the SPD and SAD
    setkey -FP
    setkey -F

    # Add the policy
    setkey -c << EOF
    spdadd 192.168.2.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
    spdadd 192.168.10.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
    EOF

I also have racoon running on both machines. In /usr/local/etc/racoon/psk.txt
on both machines I have the following:

    10.1.1.1 testing1
    10.0.0.1 testing2

The first time I started racoon on both machines, the firewall logs showed that
requests from port 500 to port 500 on each machine were being blocked. I've now
added ipf rules to allow all traffic from port 500, udp on each machine to port
500 on the other machine. I see no further messages in my logs.

The problem is that even after doing all of this, I can't ping through the VPN.

netstat -rn on machine 1 shows

    192.168.2.1        192.168.10.1       UH          0        0  gif0

That looks to me like things should work. Can anyone give me some tips as to how
to proceed from here?

TIA,

--
- Wayne Pascoe
- http://www.penguinpowered.org.uk/wayne/
WINDOWS: Where do you want to go today?
LINUX: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
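A consistency check for the two SPD policy sets posted above, added here as an example and not part of the original message or of setkey(8): it parses the spdadd lines from both gateways (the sample input is the poster's two policy sets, re-typed with the tunnel endpoints unwrapped) and, given each node's external address, reports any policy whose tunnel does not start or end at that node and any policy that has no mirror-image counterpart on the peer, which are the two mismatches that leave racoon with nothing to negotiate.

```python
import re
from collections import namedtuple

# One setkey(8) policy of the form used in the post:
#   spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<direction>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tun_src>[\d.]+)-(?P<tun_dst>[\d.]+)/(?P<level>\w+)\s*;")
Policy = namedtuple("Policy", "src dst proto direction tun_src tun_dst level")

def parse_spd(script):
    """Return the Policy records in a setkey script; non-matching lines are skipped."""
    return [Policy(**m.groupdict()) for line in script.splitlines()
            if (m := SPDADD_RE.search(line))]

def check_peer_policies(node_a, ext_a, node_b, ext_b):
    """Cross-check two gateways' SPDs given each one's external address.
    Returns a list of problem strings; an empty list means the SPDs are consistent."""
    problems = []
    sides = (("A", parse_spd(node_a), ext_a, parse_spd(node_b)),
             ("B", parse_spd(node_b), ext_b, parse_spd(node_a)))
    for name, mine, ext, peer in sides:
        for p in mine:
            # An out policy's tunnel must start at this node's external address;
            # an in policy's tunnel must end there.
            own_end = p.tun_src if p.direction == "out" else p.tun_dst
            if own_end != ext:
                problems.append(f"node {name}: {p.direction} policy {p.src}->{p.dst} "
                                f"uses tunnel endpoint {own_end}, expected {ext}")
            # The same selector and tunnel must exist on the peer with the direction flipped.
            mirror = p._replace(direction="in" if p.direction == "out" else "out")
            if mirror not in peer:
                problems.append(f"node {name}: {p.direction} policy {p.src}->{p.dst} "
                                f"has no matching {mirror.direction} policy on the peer")
    return problems

# Sample input: the two policy sets from the post (constructed here, endpoints unwrapped).
NODE_A = """
spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
"""
NODE_B = """
spdadd 192.168.2.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
spdadd 192.168.10.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
"""

if __name__ == "__main__":
    for problem in check_peer_policies(NODE_A, "10.0.0.1", NODE_B, "10.1.1.1") or ["SPDs are consistent"]:
        print(problem)
```

Since the regex requires the endpoints to be written as TSRC-TDST with no whitespace, a policy line that was wrapped the way the archived post shows will not parse at all, which parse_spd makes visible by returning fewer policies than the script contains.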