From owner-freebsd-hackers  Sat Sep 28  9:59:50 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E999037B401
	for <freebsd-hackers@freebsd.org>; Sat, 28 Sep 2002 09:59:48 -0700 (PDT)
Received: from harrier.mail.pas.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 941AA43E65
	for <freebsd-hackers@freebsd.org>; Sat, 28 Sep 2002 09:59:48 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from pool0305.cvx40-bradley.dialup.earthlink.net ([216.244.43.50] helo=mindspring.com)
	by harrier.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 17vKwP-0005nl-00; Sat, 28 Sep 2002 09:59:41 -0700
Message-ID: <3D95DD4C.EAD33CF0@mindspring.com>
Date: Sat, 28 Sep 2002 09:48:12 -0700
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Ian Cartwright <ian351c@cox.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: VPN Routing through gif (4) tunnel
References: <003b01c2670f$ab21bac0$6600a8c0@iansxp>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Ian Cartwright wrote:
> I am trying to construct a "B2B" mode VPN tunnel between my house and my
> work using FreeBSD. My work uses Checkpoint VPN-1 and I have a FreeBSD
> firewall that is running ipfilter to do firewall/NAT duties. I have so
> far been successful in creating a tunnel between the FreeBSD box and my
> work VPN server using /usr/ports/security/racoon, gif (4), and the IPSEC
> kernel module. I am able to establish a tunnel and pass packets from my
> FreeBSD firewall to my work network. I have not been able to pass
> packets from the rest of my home network to my work over the VPN tunnel.
> The packets seem to never make it into the tunnel, and also do not pass
> out to the Internet via my firewall.

Do a tcpdump on the VPN box itself.

Then attempt a connection.

If the packets are being sent to the remote end, and a response
packet is coming back, but the packet is not being forwarded,
then it's likely the same problem I've seen.

The only fix I've seen that works is to get rid of the default
route on the VPN box itself, and use point-to-point routes,
instead.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message