Date: Wed, 20 Nov 2002 08:33:45 -0500
From: Scott Ullrich <sullrich@CRE8.COM>
To: 'Guido van Rooij' <guido@gvr.org>, Scott Ullrich <sullrich@CRE8.COM>
Cc: 'Archie Cobbs' <archie@dellroad.org>, David Kelly <dkelly@HiWAAY.net>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C78@exchange.corp.cre8.com>
I sent this to you yesterday, but here goes again....

Bash# ipfw show
00050    77    6323 allow ip from 10.0.250.10 to 10.0.250.11
00050    21    3247 allow ip from 10.0.250.11 to 10.0.250.10
00051     2     240 allow ip from any to any via gif0 keep-state
00100   244   18970 divert 8668 ip from any to any via sis0
00110     0       0 allow ip from any to any via sis1 keep-state
00125     0       0 check-state
00225   225   19082 allow ip from me to any keep-state
00325     0       0 allow ip from any to any via sis1
00425   796  139512 allow ip from any to any via sis2 keep-state
00525     0       0 allow icmp from any to any
00625     2     240 allow ip from any to any via gif0
65535    58    8660 deny ip from any to any

Bash# ifconfig
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.250.10 netmask 0xffffff00 broadcast 10.0.250.255
        ether 00:00:24:c0:34:c4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:00:24:c0:34:c5
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        ether 00:00:24:c0:34:c6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
vlan0: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface: <none>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xffffff00
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:bd:da:26:00:00
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.0.250.10 --> 10.0.250.11
        inet 10.1.0.1 --> 110.2.0.1 netmask 0xffffffff

Bash# setkey -D -P
10.2.0.0/24[any] 10.1.0.0/24[any] any
	in ipsec
	esp/transport/10.0.250.11-10.0.250.10/require
	spid=1 seq=1 pid=577 refcnt=1
10.1.0.0/24[any] 10.2.0.0/24[any] any
	out ipsec
	esp/transport/10.0.250.10-10.0.250.11/require
	spid=2 seq=0 pid=577 refcnt=1

-Scott

-----Original Message-----
From: Guido van Rooij [mailto:guido@gvr.org]
Sent: Wednesday, November 20, 2002 7:45 AM
To: Scott Ullrich
Cc: 'Archie Cobbs'; David Kelly; 'greg.panula@dolaninformation.com'; FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS

On Tue, Nov 19, 2002 at 11:41:49PM -0500, Scott Ullrich wrote:
> I thought it was going to work after Guido pointed out that I was
> using tunnel mode vs. transport. I changed it over to transport and
> could not get it to work under any conditions. I tried gif rules,
> internal network rules before and after the divert and many other
> methods, including using an allow all from any to any ruleset, and could
> not get this to work, so I am reverting back. I am honestly lost at
> this point and need to do the tcpdumps that David has done to see what
> is going wrong.

I am almost positive you are doing something wrong. Please repost the
things I asked for, i.e.
1) ifconfig of physical and gif devices
2) setkey -DP
3) ipfw config

-Guido
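Added example, not part of the thread and not FreeBSD or any poster's code: a Python script that cross-checks the three artifacts Guido asked for (the gif0 `tunnel inet` line from ifconfig, `setkey -D -P`, `ipfw show`) for the consistency problems that make a gif-over-IPsec tunnel fail quietly. The sample inputs are constructed from the output Scott pasted (the two typos in the ipfw lines are corrected so they parse). It reports rules that never matched, how many packets fell through to the default deny, whether ESP between the tunnel endpoints is allowed before any deny, which IPsec modes the SPD uses, and whether each policy's SA endpoints agree with the gif outer addresses. The ipfw check is a static approximation that ignores `via`, `me` and stateful matching.

```python
# Added example: cross-check gif0 tunnel endpoints, the IPsec SPD and the
# ipfw ruleset for mismatches.  Sample inputs below are constructed from the
# output pasted in the thread (two typos in the ipfw lines fixed so they parse).
import re

IPFW_SHOW = """\
00050 77 6323 allow ip from 10.0.250.10 to 10.0.250.11
00050 21 3247 allow ip from 10.0.250.11 to 10.0.250.10
00051 2 240 allow ip from any to any via gif0 keep-state
00100 244 18970 divert 8668 ip from any to any via sis0
00110 0 0 allow ip from any to any via sis1 keep-state
00125 0 0 check-state
00225 225 19082 allow ip from me to any keep-state
00325 0 0 allow ip from any to any via sis1
00425 796 139512 allow ip from any to any via sis2 keep-state
00525 0 0 allow icmp from any to any
00625 2 240 allow ip from any to any via gif0
65535 58 8660 deny ip from any to any
"""
GIF_TUNNEL_LINE = "tunnel inet 10.0.250.10 --> 10.0.250.11"  # from `ifconfig gif0`
SETKEY_DP = """\
10.2.0.0/24[any] 10.1.0.0/24[any] any
	in ipsec
	esp/transport/10.0.250.11-10.0.250.10/require
	spid=1 seq=1 pid=577 refcnt=1
10.1.0.0/24[any] 10.2.0.0/24[any] any
	out ipsec
	esp/transport/10.0.250.10-10.0.250.11/require
	spid=2 seq=0 pid=577 refcnt=1
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+(.*)$")  # number pkts bytes body
BODY_RE = re.compile(r"^(\w+)(?:\s+\d+)?\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)")
SPD_HEAD_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+$")
SPD_DIR_RE = re.compile(r"^(in|out|fwd)\s")
SPD_SA_RE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/(\S+)-(\S+)/(\w+)$")

def parse_ipfw(text):
    """`ipfw show` lines -> (rule number, packet counter, rule body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in map(RULE_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def first_action(rules, proto, src, dst):
    # Static approximation: 'via', 'me' and keep-state are ignored.
    for _, _, body in rules:
        m = BODY_RE.match(body)
        if not m:  # e.g. check-state
            continue
        action, rproto, rsrc, rdst = m.groups()
        if rproto in ("ip", proto) and rsrc in ("any", src) and rdst in ("any", dst):
            return action
    return None

def gif_endpoints(line):
    m = re.search(r"tunnel inet (\S+) --> (\S+)", line)
    if not m:
        raise ValueError("no 'tunnel inet A --> B' line")
    return m.group(1), m.group(2)

def parse_spd(text):
    """`setkey -D -P` output -> policies with selector, direction and SA list."""
    policies, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SPD_HEAD_RE.match(line):
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "sa": []}
            policies.append(cur)
        elif cur is not None and (m := SPD_DIR_RE.match(line)):
            cur["dir"] = m.group(1)
        elif cur is not None and (m := SPD_SA_RE.match(line)):
            cur["sa"].append(dict(zip(("proto", "mode", "ep_src", "ep_dst", "level"), m.groups())))
    return policies

def spd_gif_mismatches(policies, gif):
    """'out' SAs must run local->remote and 'in' SAs remote->local, using the
    gif outer addresses; a policy with other endpoints never covers gif traffic."""
    local, remote = gif
    problems = []
    for p in policies:
        want = (local, remote) if p["dir"] == "out" else (remote, local)
        for sa in p["sa"]:
            if (sa["ep_src"], sa["ep_dst"]) != want:
                problems.append("%s %s -> %s uses %s-%s, gif0 tunnel is %s --> %s" % (
                    p["dir"], p["src"], p["dst"], sa["ep_src"], sa["ep_dst"], local, remote))
    return problems

def audit(ipfw_text=IPFW_SHOW, gif_line=GIF_TUNNEL_LINE, spd_text=SETKEY_DP):
    rules, gif, policies = parse_ipfw(ipfw_text), gif_endpoints(gif_line), parse_spd(spd_text)
    return {
        "zero_hit_rules": [n for n, p, _ in rules if p == 0],        # shadowed or mis-scoped
        "default_deny_hits": sum(p for n, p, _ in rules if n == 65535),  # fell through
        "esp_out": first_action(rules, "esp", gif[0], gif[1]),
        "esp_in": first_action(rules, "esp", gif[1], gif[0]),
        "spd_modes": sorted({sa["mode"] for p in policies for sa in p["sa"]}),
        "spd_gif_mismatches": spd_gif_mismatches(policies, gif),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Feed it your own `ipfw show`, `ifconfig gif0` and `setkey -D -P` output via the `audit()` arguments. Rules 110, 125, 325 and 525 never matched in the pasted ruleset and 58 packets reached the default deny; a ruleset where those counters move between reloads is what to tcpdump next.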