From: Scott Ullrich <sullrich@CRE8.COM>
To: 'Guido van Rooij', Scott Ullrich
Cc: 'Archie Cobbs', David Kelly, 'greg.panula@dolaninformation.com', FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Date: Wed, 20 Nov 2002 08:33:45 -0500

I sent this to you yesterday but here goes again....
Bash# ipfw show
00050   77   6323 allow ip from 10.0.250.10 to 10.0.250.11
00050   21   3247 allow ip from 10.0.250.11 to 10.0.250.10
00051    2    240 allow ip from any to any via gif0 keep-state
00100  244  18970 divert 8668 ip from any to any via sis0
00110    0      0 allow ip from any to any via sis1 keep-state
00125    0      0 check-state
00225  225  19082 allow ip from me to any keep-state
00325    0      0 allow ip from any to any via sis1
00425  796 139512 allow ip from any to any via sis2 keep-state
00525    0      0 allow icmp from any to any
00625    2    240 allow ip from any to any via gif0
65535   58   8660 deny ip from any to any

Bash# ifconfig
sis0: flags=8943 mtu 1500
        inet 10.0.250.10 netmask 0xffffff00 broadcast 10.0.250.255
        ether 00:00:24:c0:34:c4
        media: Ethernet autoselect (100baseTX )
        status: active
sis1: flags=8843 mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:00:24:c0:34:c5
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8843 mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        ether 00:00:24:c0:34:c6
        media: Ethernet autoselect (100baseTX )
        status: active
ppp0: flags=8010 mtu 1500
faith0: flags=8002 mtu 1500
vlan0: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface:
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xffffff00
tap0: flags=8802 mtu 1500
        ether 00:bd:da:26:00:00
gif0: flags=805 mtu 1280
        tunnel inet 10.0.250.10 --> 10.0.250.11
        inet 10.1.0.1 --> 110.2.0.1 netmask 0xffffffff

Bash# setkey -D -P
10.2.0.0/24[any] 10.1.0.0/24[any] any
        in ipsec
        esp/transport/10.0.250.11-10.0.250.10/require
        spid=1 seq=1 pid=577 refcnt=1
10.1.0.0/24[any] 10.2.0.0/24[any] any
        out ipsec
        esp/transport/10.0.250.10-10.0.250.11/require
        spid=2 seq=0 pid=577 refcnt=1

-Scott

-----Original Message-----
From: Guido van Rooij [mailto:guido@gvr.org]
Sent: Wednesday, November 20, 2002 7:45 AM
To: Scott Ullrich
Cc: 'Archie Cobbs'; David Kelly; 'greg.panula@dolaninformation.com'; FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS

On Tue, Nov 19, 2002 at 11:41:49PM -0500, Scott Ullrich wrote:
> I thought it was going to work after Guido pointed out that I was
> using tunnel mode vs. transport. I changed it over to transport and
> could not get it to work under any conditions. I tried gif rules,
> internal network rules before and after the divert and many other
> methods including using an allow all from any to any ruleset and could
> not get this to work so I am reverting back. I am honestly lost at
> this point and need to do the tcpdumps that David has done to see what
> is going wrong.

I am almost positive you are doing something wrong. Please repost the
things I asked for, i.e.
1) ifconfig of physical and gif devices
2) setkey -DP
3) ipfw config

-Guido
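A small audit helper, added here and not part of the thread, that parses the `ipfw show` listing Scott posted above and reports the ordering facts a reviewer checks before reasoning about divert versus gif traffic: reused rule numbers, rules whose counters never moved, and where the dynamic state check happens relative to the divert rule. The listing is embedded as a constructed copy of the posted output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed copy of the `ipfw show` listing posted in the thread above.
IPFW_SHOW = """\
00050 77 6323 allow ip from 10.0.250.10 to 10.0.250.11
00050 21 3247 allow ip from 10.0.250.11 to 10.0.250.10
00051 2 240 allow ip from any to any via gif0 keep-state
00100 244 18970 divert 8668 ip from any to any via sis0
00110 0 0 allow ip from any to any via sis1 keep-state
00125 0 0 check-state
00225 225 19082 allow ip from me to any keep-state
00325 0 0 allow ip from any to any via sis1
00425 796 139512 allow ip from any to any via sis2 keep-state
00525 0 0 allow icmp from any to any
00625 2 240 allow ip from any to any via gif0
65535 58 8660 deny ip from any to any
"""
# `ipfw show` columns: rule number, packet counter, byte counter, action, rest of rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

@dataclass
class Rule:
    number: int    # several rules may share one number, as 00050 does here
    packets: int
    action: str    # allow, deny, divert, check-state, ...
    body: str

def parse_ipfw_show(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable ipfw line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), m[4], m[5]))
    return rules

def audit(rules: list[Rule]) -> dict:
    counts = Counter(r.number for r in rules)
    # ipfw(8): the dynamic ruleset is consulted at the first check-state rule, or at the
    # first keep-state rule if none precedes it; a packet matching existing state there
    # takes the creating rule's action and never reaches a later divert.
    dyn = next((i for i, r in enumerate(rules)
                if r.action == "check-state" or "keep-state" in r.body), None)
    div = next((i for i, r in enumerate(rules) if r.action == "divert"), None)
    return {
        "reused_numbers": sorted(n for n, c in counts.items() if c > 1),
        "never_matched": [r.number for r in rules if r.packets == 0],
        "dynamic_check_at": rules[dyn].number if dyn is not None else None,
        "first_divert_at": rules[div].number if div is not None else None,
        "divert_after_dynamic_check": dyn is not None and div is not None and div > dyn,
    }
```

Run against the posted listing, it reports that rule number 50 is used twice, that rules 110, 125, 325 and 525 never matched anything, and that the dynamic check at rule 51 sits before the divert at rule 100.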