From: Mike Tancsa <mike@sentex.net>
To: zaphod@fsklaw.com, freebsd-net@freebsd.org
Date: Wed, 09 Jul 2008 14:04:29 -0400
Subject: Re: Tunneling issues
List-Id: Networking and TCP/IP with FreeBSD
Message-Id: <200807091804.m69I4VOh031916@lava.sentex.ca>

At 01:30 PM 7/9/2008, zaphod@fsklaw.com wrote:
>Seems pretty straight forward a tunnel. But nothing heads out. Can't ping
>a thing.
I think your tunnel endpoints are overlapping your remote subnets. The GIF tunnel IP addresses are not supposed to be on the same internal LAN. If server 1's public IP is 1.1.1.1 and server 2 is 2.2.2.2, and server1's internet network is 192.168.1.0/24 and server2's inside network is 192.168.2.0/24, this should work.

#!/bin/sh
# server1 to connect to server2
MEOUTSIDE=1.1.1.1          # server1 public IP (outer tunnel endpoint)
MEINSIDE=10.10.69.1        # server1 address on the /30 tunnel link
REMOTEOUTSIDE=2.2.2.2      # server2 public IP (outer tunnel endpoint)
REMOTEINSIDE=10.10.69.2    # server2 address on the /30 tunnel link
REMOTENET=192.168.2.0/24   # server2's inside LAN, routed over the tunnel
/sbin/ifconfig gif1 create tunnel $MEOUTSIDE $REMOTEOUTSIDE
/sbin/ifconfig gif1 $MEINSIDE netmask 255.255.255.252 $REMOTEINSIDE
/sbin/route delete $REMOTENET
/sbin/route add $REMOTENET $REMOTEINSIDE

#!/bin/sh
# server2 script to connect to server1
MEOUTSIDE=2.2.2.2          # server2 public IP (outer tunnel endpoint)
MEINSIDE=10.10.69.2        # server2 address on the /30 tunnel link
REMOTEOUTSIDE=1.1.1.1      # server1 public IP (outer tunnel endpoint)
REMOTEINSIDE=10.10.69.1    # server1 address on the /30 tunnel link
REMOTENET=192.168.1.0/24   # server1's inside LAN, routed over the tunnel
/sbin/ifconfig gif1 create tunnel $MEOUTSIDE $REMOTEOUTSIDE
/sbin/ifconfig gif1 $MEINSIDE netmask 255.255.255.252 $REMOTEINSIDE
/sbin/route delete $REMOTENET
/sbin/route add $REMOTENET $REMOTEINSIDE

Also, don't confuse using GIF and IPSEC. To create some IPSEC tunnels, you don't need gif or gre interfaces. The policies will do that for you.

---Mike

>Server1
>
>orange# more mkgif
>#!/bin/sh
>ifconfig gif1 create
>ifconfig gif1 1.1.1.1 2.2.2.2
>ifconfig gif1 inet 192.168.72.1 192.168.70.1 netmask 255.255.255.0
>ifconfig gif1 tunnel 1.1.1.1 2.2.2.2
>ifconfig gif1 mtu 1500
>route change 192.168.70.0 192.168.70.1 255.255.255.0
>route change 192.168.71.0 192.168.70.1 255.255.255.0
>
>Server2
>to# more mkgif
>#!/bin/sh
>ifconfig gif1 create
>ifconfig gif1 2.2.2.2 1.1.1.1
>ifconfig gif1 inet 192.168.70.1 192.168.72.1 netmask 255.255.255.0
>ifconfig gif1 tunnel 2.2.2.2 1.1.1.1
>ifconfig gif1 mtu 1500
>route change 192.168.72.0 192.168.72.1 255.255.255.0
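The overlap Mike diagnoses (a tunnel address sitting inside a LAN that is itself routed over the tunnel) can be checked before any ifconfig or route command is run. The following is an added example and not code from the thread: it takes the same variables as Mike's scripts (with the remote nets as a list), the two sample plans are the values quoted in the thread, and the function name is my own.

```python
#!/usr/bin/env python3
# Added sanity check for a gif(4) tunnel plan; not code from the thread.
# Inputs mirror the MEOUTSIDE/MEINSIDE/REMOTEOUTSIDE/REMOTEINSIDE/REMOTENET
# variables of the scripts above; remote_nets is a list so that one side can
# route more than one LAN over the tunnel.
from ipaddress import ip_address, ip_interface, ip_network


def check_side(me_outside, me_inside, netmask, remote_outside, remote_inside, remote_nets):
    """Return a list of problems with one side's plan; an empty list means it looks sane."""
    problems = []
    if ip_address(me_outside) == ip_address(remote_outside):
        problems.append("outer endpoints are identical")
    # Network of the point-to-point tunnel link, e.g. 10.10.69.0/30.
    tun_net = ip_interface(f"{me_inside}/{netmask}").network
    far = ip_address(remote_inside)
    if far not in tun_net:
        problems.append(f"remote tunnel address {far} is not on the tunnel link {tun_net}")
    for net in map(ip_network, remote_nets):
        # The mistake diagnosed in the thread: the far tunnel address lies in
        # a LAN that the tunnel is supposed to carry traffic to.
        if far in net:
            problems.append(f"remote tunnel address {far} lies inside routed remote net {net}")
        elif tun_net.overlaps(net):
            problems.append(f"tunnel link {tun_net} overlaps routed remote net {net}")
    return problems


# Plans taken from the thread: Mike's suggested server1 side, and the quoted
# server1 mkgif (gif addresses 192.168.72.1 -> 192.168.70.1 with a /24 mask,
# routes for 192.168.70.0/24 and 192.168.71.0/24 via 192.168.70.1).
MIKE_SERVER1 = ("1.1.1.1", "10.10.69.1", "255.255.255.252",
                "2.2.2.2", "10.10.69.2", ["192.168.2.0/24"])
QUOTED_SERVER1 = ("1.1.1.1", "192.168.72.1", "255.255.255.0",
                  "2.2.2.2", "192.168.70.1", ["192.168.70.0/24", "192.168.71.0/24"])

if __name__ == "__main__":
    for name, plan in (("mike server1", MIKE_SERVER1), ("quoted server1", QUOTED_SERVER1)):
        found = check_side(*plan)
        print(name + ":", "OK" if not found else "; ".join(found))
```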