Date: Sat, 28 Sep 2002 10:11:42 -0700
From: Lars Eggert <larse@ISI.EDU>
To: Ian Cartwright <ian351c@cox.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: VPN Routing through gif (4) tunnel
Message-ID: <3D95E2CE.6000502@isi.edu>
References: <003b01c2670f$ab21bac0$6600a8c0@iansxp>
Hi,

Ian Cartwright wrote:
> I am trying to construct a "B2B" mode VPN tunnel between my house and my
> work using FreeBSD.
...
> Here is my current configuration (IPs changed to protect the guilty):
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       inet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
...
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
...
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>       tunnel inet 68.3.250.5 --> 199.64.13.20
>       inet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00
>
> fxp0 is my external network adapter, connected to the Internet and
> assigned "100.100.100.1" by my ISP. gif0 is the tunnel adapter and ties
> my network to my work's network. The IP 200.200.200.1 is the inside
> interface of my work's VPN server.
>
> The commands used to create the gif tunnel are as follows:
>
>     ifconfig gif0 create tunnel 100.100.100.1 200.200.201.1
>     ifconfig gif0 inet 192.168.0.1 200.200.200.1 netmask 255.255.255.0
>
> 100.100.100.1 is my external address again
> 200.200.201.1 is the external interface on my work's VPN server
> 200.200.200.1 is the internal interface on my work's VPN server

Again, your tunnel configuration is a bit strange. You want the tunnel
wrapper IP addresses to be those of the external interfaces, both locally
and for your remote site. Also, give the tunnel itself addresses that
don't overlap with addresses you already use. E.g.:

    ifconfig gif0 10.0.0.1 10.0.0.2 tunnel 100.100.100.1 <external-ip-of-remote-end>

Then just add a route for your remote network to the tunnel, e.g.

    route add 200.200.200/24 10.0.0.2

As for IPsec and racoon: Are you negotiating IPsec tunnel mode SAs? In
which case you MUST NOT set up a gif tunnel. (In short, that abuses the
fact that two parallel tunnels trick routing into forwarding over a tunnel
mode SA, with consequences; see
ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-04.txt.)

Lars
--
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
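The following is an added example, not code from the thread or from FreeBSD: a small planner that encodes the reply's advice as checks before printing the gif(4) commands. The interface addresses, the remote endpoints and the 10.0.0.0/30-style inner pair are constructed sample values; `plan_gif_tunnel` and `LOCAL_IFACES` are hypothetical names introduced here. It refuses an inner address that overlaps an existing subnet (the mistake in the quoted configuration), an inner peer that sits inside the remote LAN it is supposed to route, and a gif tunnel layered on tunnel-mode IPsec SAs.

```python
"""Plan a FreeBSD gif(4) tunnel following the checks in the reply above.

Added example (not part of the thread).  Addresses are constructed samples.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: addresses already configured on the home router,
# in the shape of the ifconfig output quoted in the thread.
LOCAL_IFACES: Dict[str, str] = {
    "fxp0": "100.100.100.1/24",  # external interface, address from the ISP
    "fxp1": "192.168.0.1/24",    # home LAN
}


def plan_gif_tunnel(
    ifaces: Dict[str, str],
    external_if: str,
    remote_external: str,
    inner_local: str,
    inner_remote: str,
    remote_lan: str,
    ipsec_tunnel_mode: bool = False,
    gif: str = "gif0",
) -> List[str]:
    """Validate a gif(4) plan and return the FreeBSD commands that realise it.

    Raises ValueError for each pitfall named in the reply instead of
    emitting a configuration that sends traffic in circles.
    """
    if ipsec_tunnel_mode:
        raise ValueError(
            "tunnel-mode IPsec SAs already encapsulate the traffic; "
            "do not layer a gif tunnel on top of them"
        )

    # Outer (wrapper) addresses are the external interfaces of both ends.
    local_external = ipaddress.ip_interface(ifaces[external_if]).ip
    outer_remote = ipaddress.ip_address(remote_external)
    in_local = ipaddress.ip_address(inner_local)
    in_remote = ipaddress.ip_address(inner_remote)
    remote_net = ipaddress.ip_network(remote_lan, strict=True)

    if in_local == in_remote:
        raise ValueError("inner tunnel addresses must differ")

    local_nets = {name: ipaddress.ip_interface(a).network for name, a in ifaces.items()}
    for name, net in local_nets.items():
        if outer_remote in net:
            raise ValueError(
                f"remote external address {outer_remote} lies in local network {name} ({net})"
            )
        # Inner addresses taken from a subnet that is already configured give
        # the kernel two interfaces for the same prefix; use unused addresses.
        for label, addr in (("local", in_local), ("remote", in_remote)):
            if addr in net:
                raise ValueError(
                    f"inner {label} address {addr} overlaps {name} ({net}); pick unused addresses"
                )
        if net.overlaps(remote_net):
            raise ValueError(f"remote LAN {remote_net} overlaps local network {name} ({net})")

    # A route to the remote LAN via an inner address inside that LAN is circular.
    if in_remote in remote_net or in_local in remote_net:
        raise ValueError(f"inner addresses must not lie inside the routed remote LAN {remote_net}")

    return [
        f"ifconfig {gif} create",
        f"ifconfig {gif} {in_local} {in_remote} tunnel {local_external} {outer_remote}",
        f"route add -net {remote_net} {in_remote}",
    ]


if __name__ == "__main__":
    # The corrected plan from the reply, then the quoted (overlapping) one.
    for cmd in plan_gif_tunnel(LOCAL_IFACES, "fxp0", "200.200.201.1",
                               "10.0.0.1", "10.0.0.2", "200.200.200.0/24"):
        print(cmd)
    try:
        plan_gif_tunnel(LOCAL_IFACES, "fxp0", "200.200.201.1",
                        "192.168.0.1", "200.200.200.1", "200.200.200.0/24")
    except ValueError as exc:
        print("rejected:", exc)
```

The planner only prints commands; run them by hand (or from rc.conf) once they pass. The `-net` form of route(8) is used so the prefix is unambiguous regardless of how the address is abbreviated.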
