From: Wayne Pascoe
To: freebsd-questions@freebsd.org
Subject: VPN with IPSEC - LONG
Date: 27 May 2002 09:32:34 +0000

Hi all,

I am trying to set up a VPN with IPSEC. I've followed the instructions at
http://asherah.dyndns.org/~josh/ipsec-howto.txt

I have two machines with the following:

Machine 1
  Internal address 192.168.10.1
  Internal network 192.168.10.0/24
  External address 10.0.0.1

Machine 2
  Internal address 192.168.2.1
  Internal network 192.168.2.0/24
  External address 10.1.1.1

Each of these machines acts as a gateway for a batch of other machines. I
have changed my external address only in these examples.

On each machine I have a file called vpn.sh.
To get these to execute properly, I had to recompile the kernel with IPSEC,
IPSEC_ESP and gif 4. Before doing the recompile I got messages about
"protocol not supported" and "no such interface: gif0". I also had to do
"ifconfig gif0 create" on each machine.

My 2 vpn.sh scripts are as follows:

Machine 1

# less vpn.sh
#!/bin/sh
# These commands need to be run on node A

# Set up the tunnel device. This presumes you have gif(4) support
# gif0 connects 10.0.0.1 to 10.1.1.1
gifconfig gif0 10.0.0.1 10.1.1.1

# The 'internal' side of the tunnel connects 192.168.10.1 to 192.168.2.1
ifconfig gif0 inet 192.168.10.1 192.168.2.1 netmask 255.255.255.0

# The next 2 lines delete all existing entries from the SPD and SAD
setkey -FP
setkey -F

# Add the policy
setkey -c << EOF
spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
EOF

Machine 2

# less vpn.sh
#!/bin/sh
# These commands need to be run on node B

# Set up the tunnel device. This presumes you have gif(4) support
# gif0 connects 10.1.1.1 to 10.0.0.1
gifconfig gif0 10.1.1.1 10.0.0.1

# The 'internal' side of the tunnel connects 192.168.2.1 to 192.168.10.1
ifconfig gif0 inet 192.168.2.1 192.168.10.1 netmask 255.255.255.0

# The next 2 lines delete all existing entries from the SPD and SAD
setkey -FP
setkey -F

# Add the policy
setkey -c << EOF
spdadd 192.168.2.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/10.1.1.1-10.0.0.1/require;
spdadd 192.168.10.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.1.1.1/require;
EOF

I also have racoon running on both machines. In
/usr/local/etc/racoon/psk.txt on both machines I have the following:

10.1.1.1 testing1
10.0.0.1 testing2

The first time I started racoon on both machines, the firewall logs showed
that requests from port 500 to port 500 on each machine were being blocked.
I've now added ipf rules to allow all traffic from port 500, udp on each
machine to port 500 on the other machine. I see no further messages in my
logs.

The problem is that even after doing all of this, I can't ping through the
VPN. netstat -rn on machine 1 shows

192.168.2.1        192.168.10.1       UH          0        0  gif0

That looks to me like things should work. Can anyone give me some tips as to
how to proceed from here?

TIA,

-- 
- Wayne Pascoe - http://www.penguinpowered.org.uk/wayne/
WINDOWS: Where do you want to go today?
LINUX: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
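An added example for the setup described in the post above; it is not part of Wayne's message or of the howto he links. It is a small POSIX sh script that builds the setkey(8) SPD policy lines for both gateways from a single set of addresses and then checks two things that commonly stop a tunnel like this from passing traffic: that the two nodes' policies are exact mirror images of each other (the tunnel endpoints are written local-peer for "out" and peer-local for "in", with no whitespace around the hyphen), and that racoon's psk.txt yields the same pre-shared key on both ends. racoon looks the key up by the peer's identifier, so node A's entry for 10.1.1.1 and node B's entry for 10.0.0.1 must hold one and the same secret; an identical two-line file on both nodes, as in the post, gives A "testing1" and B "testing2". The addresses are those from the post, the function names are mine, the psk.txt texts are constructed inputs, and the shared secret is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post: generate the setkey(8) SPD
# policies for both tunnel endpoints, verify they mirror each other, and
# verify the pre-shared key racoon would pick on each node is the same.
# Assumptions: addresses as in the post; the secret in SHARED_PSK_* is a
# placeholder; psk.txt content is passed in as text (constructed input).

A_NET=192.168.10.0/24   # node A internal network
A_EXT=10.0.0.1          # node A external address
B_NET=192.168.2.0/24    # node B internal network
B_EXT=10.1.1.1          # node B external address

# spd_policies LOCAL_NET PEER_NET LOCAL_EXT PEER_EXT
# Prints the two spdadd lines one node needs: "out" for local->peer traffic
# and "in" for the reverse. Tunnel endpoints are local-peer for "out" and
# peer-local for "in"; setkey rejects a form like "10.0.0.1- 10.1.1.1".
spd_policies() {
    lnet=$1; pnet=$2; lext=$3; pext=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$pnet" "$lext" "$pext"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$pnet" "$lnet" "$pext" "$lext"
}

# The policy text each node feeds to "setkey -c" after "setkey -FP; setkey -F".
node_a_policies() { spd_policies "$A_NET" "$B_NET" "$A_EXT" "$B_EXT"; }
node_b_policies() { spd_policies "$B_NET" "$A_NET" "$B_EXT" "$A_EXT"; }

# policies_mirror: succeeds when node A's "out" policy equals node B's "in"
# policy with only the direction changed, and vice versa. An asymmetric pair
# (mistyped network, swapped endpoints) lets packets leave one side and be
# silently dropped on the other.
policies_mirror() {
    a_out=$(node_a_policies | sed -n '1p' | sed 's/-P out /-P in /')
    a_in=$(node_a_policies | sed -n '2p' | sed 's/-P in /-P out /')
    b_out=$(node_b_policies | sed -n '1p')
    b_in=$(node_b_policies | sed -n '2p')
    [ "$a_out" = "$b_in" ] && [ "$a_in" = "$b_out" ]
}

# psk_for PSK_TEXT PEER_ADDR: the key racoon would take from psk.txt for
# PEER_ADDR. The file format is "identifier key", indexed by the peer's
# identity, not the local one.
psk_for() {
    printf '%s\n' "$1" | awk -v peer="$2" '$1 == peer { print $2; exit }'
}

# psk_pair_ok A_PSK_TEXT B_PSK_TEXT: succeeds when node A's entry for node B
# and node B's entry for node A both exist and are identical.
psk_pair_ok() {
    ka=$(psk_for "$1" "$B_EXT")
    kb=$(psk_for "$2" "$A_EXT")
    [ -n "$ka" ] && [ "$ka" = "$kb" ]
}

# The file from the post, installed unchanged on both nodes (constructed input).
POSTED_PSK='10.1.1.1 testing1
10.0.0.1 testing2'

# A consistent pair: each node lists only its peer, under one shared secret
# (placeholder value; use a long random string in practice).
SHARED_PSK_A='10.1.1.1 replace-with-a-long-random-secret'
SHARED_PSK_B='10.0.0.1 replace-with-a-long-random-secret'

echo "# node A"; node_a_policies
echo "# node B"; node_b_policies
policies_mirror && echo "# SPD policies mirror each other"
if psk_pair_ok "$POSTED_PSK" "$POSTED_PSK"; then
    echo "# posted psk.txt: both nodes use the same key"
else
    echo "# posted psk.txt: A would use $(psk_for "$POSTED_PSK" "$B_EXT"), B would use $(psk_for "$POSTED_PSK" "$A_EXT")"
fi
```

On the gateways themselves the same checks are made with the real tools: `setkey -DP` shows the SPD actually loaded, and `setkey -D` shows the SAD; an empty SAD after a ping attempt means IKE never completed, and `racoon -F -d` runs racoon in the foreground with debugging so the phase 1 failure is visible. Note also that opening UDP/500 only lets IKE through; the data packets after negotiation are ESP (IP protocol 50) between the two external addresses, and the ipf rules must pass those as well.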