From: George Hartzell
Date: Mon, 13 Feb 2006 13:57:42 -0800
To: freebsd-mobile@freebsd.org
Subject: ssh-based vpn and routing question.
Message-ID: <17393.214.512151.13869@satchel.alerce.com>
Reply-To: hartzell@alerce.com

I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE). I can bring up a ppp link via an ssh tunnel and each side can ping the address of the other side of the tunnel.

I would like to route all traffic from my laptop to the server's real address (a routable static ip address from my ISP) so that it goes across the tunnel instead (e.g. to tunnel through a firewall that allows ssh but doesn't pass pop3s connections, and the powers that be don't want to touch the firewall rules but are ok w/ the tunnel...).

I've tried just adding a static host route pointing to the server end of the ppp link, but that doesn't work (via "route add" and ppp's "add" command).

** Not only can I not ping the server's static ip address, but I can no longer ping its end of the ppp link. **

When I remove the route I eventually regain the ability to ping the remote end of the ppp link; the waiting time seems to be proportional to how long I let the ping run while I had the link in place.

In order to test my sanity I tried to do it in reverse. Once the link was up I ssh'ed in to the server, added a route to the outside address of the laptop (which happened to be a 10.xxx.yyy.zzz address) via the laptop end of the ppp link. I was able to ping both the laptop's outside 10.x addr and its end of the ppp link.

I tried setting net.inet.ip.forwarding=1 and it didn't make things work in the server case, nor did it break the sanity-checking laptop case.

I've tried this on both an older (sigh...) 5.3-STABLE server and a recent 6.0-STABLE server. They both behave identically. There are no firewalls running on any of the freebsd boxes.
At this point I'm assuming that ppp is doing something asymmetric, but I am stymied. The fact that I can do the reverse of what I want is driving me nuts.... Does anyone have any constructive commentary? Thanks, g.
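Added example, not from the original message or its author: a small model of destination routing that shows why a host route for the ssh peer's own address pointing into an ssh-carried ppp link takes the whole link down. A packet sent out the ppp interface is handed to ssh, which wraps it in a TCP segment addressed to the server's real address; that outer packet is routed again, and if the best route for the server's real address is the ppp interface, it goes back into the tunnel forever. Every address, interface name and the "network behind the server" below is constructed for the illustration (the message gives none); the model generalises to any tunnel carried over a connection to the tunnel peer, which is why the working table pins the peer to the physical path and routes only other destinations through the tunnel.

```python
"""Model of kernel destination routing with an ssh-carried ppp tunnel.

Added illustration; all addresses and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                 # egress interface
    gateway: Optional[str]     # next hop, or None when directly connected


class RoutingTable:
    """Longest-prefix-match destination routing."""

    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Route:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)


def trace_egress(table: RoutingTable, dst: str, tunnel_iface: str,
                 tunnel_peer: str, max_depth: int = 8) -> List[str]:
    """Follow a packet until it leaves a physical interface.

    A packet sent out tunnel_iface is not transmitted directly: ppp hands it
    to ssh, which wraps it in TCP addressed to tunnel_peer, and that outer
    packet is routed again. Returns the egress interfaces visited; raises
    RuntimeError when the outer packet keeps landing on the tunnel (a loop).
    """
    path = []
    current = dst
    for _ in range(max_depth):
        route = table.lookup(current)
        path.append(route.iface)
        if route.iface != tunnel_iface:
            return path
        current = tunnel_peer   # outer packet: ssh TCP to the peer's real address
    raise RuntimeError(f"routing loop, packet never reaches the wire: {path}")


def loops(table: RoutingTable, dst: str, tunnel_iface: str, tunnel_peer: str) -> bool:
    try:
        trace_egress(table, dst, tunnel_iface, tunnel_peer)
        return False
    except RuntimeError:
        return True


def tunnel_peer_is_outside_tunnel(table: RoutingTable, tunnel_iface: str,
                                  tunnel_peer: str) -> bool:
    """Invariant to check before adding any route that points into the tunnel."""
    return table.lookup(tunnel_peer).iface != tunnel_iface


# Constructed addresses, not from the original message.
LAPTOP_GW = "10.1.2.1"           # laptop's LAN default gateway, out em0
SERVER_IP = "198.51.100.10"      # server's real address; also the ssh peer
PPP_REMOTE = "192.168.254.2"     # server end of the ppp link, reached via tun0
BEHIND_SERVER = "192.0.2.0/24"   # something only reachable through the server


def base_routes() -> List[Route]:
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "em0", LAPTOP_GW),
        Route(ipaddress.ip_network("10.1.2.0/24"), "em0", None),
        Route(ipaddress.ip_network(PPP_REMOTE + "/32"), "tun0", None),
    ]


def broken_table() -> RoutingTable:
    """Host route for the server's real address via the ppp peer."""
    return RoutingTable(base_routes() + [
        Route(ipaddress.ip_network(SERVER_IP + "/32"), "tun0", PPP_REMOTE),
    ])


def working_table() -> RoutingTable:
    """Pin the ssh peer to the physical path; tunnel only other destinations."""
    return RoutingTable(base_routes() + [
        Route(ipaddress.ip_network(SERVER_IP + "/32"), "em0", LAPTOP_GW),
        Route(ipaddress.ip_network(BEHIND_SERVER), "tun0", PPP_REMOTE),
    ])


if __name__ == "__main__":
    for name, table in (("broken", broken_table()), ("working", working_table())):
        ok = tunnel_peer_is_outside_tunnel(table, "tun0", SERVER_IP)
        print(f"{name}: ssh peer routed outside the tunnel: {ok}")
        for dst in (SERVER_IP, PPP_REMOTE, "192.0.2.5"):
            try:
                print(f"  {dst:>15} -> {trace_egress(table, dst, 'tun0', SERVER_IP)}")
            except RuntimeError as err:
                print(f"  {dst:>15} -> {err}")
```

In the broken table both the server's real address and the far end of the ppp link loop, which matches the symptom of losing the ppp peer as well as the real address. The reverse experiment in the message need not loop in this model: the server's outer ssh packets go to whatever address the laptop's connection arrives from, which for a laptop on a 10.x network is not necessarily the 10.x address that was routed into the tunnel.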