Date: Wed, 20 Nov 2002 08:33:45 -0500
From: Scott Ullrich <sullrich@CRE8.COM>
To: 'Guido van Rooij' <guido@gvr.org>, Scott Ullrich <sullrich@CRE8.COM>
Cc: 'Archie Cobbs' <archie@dellroad.org>, David Kelly <dkelly@HiWAAY.net>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C9601D23C78@exchange.corp.cre8.com>
I sent this to you yesterday but here goes again....
Bash# ipfw show
00050 77 6323 allow ip from 10.0.250.10 to 10.0.250.11
00050 21 3247 allow ip from 10.0.250.11 to 10.0.250.10
00051 2 240 allow ip from any to any via gif0 keep-state
00100 244 18970 divert 8668 ip from any to any via sis0
00110 0 0 allow ip from any to any via sis1 keep-state
00125 0 0 check-state
00225 225 19082 allow ip from me to any keep-state
00325 0 0 allow ip from any to any via sis1
00425 796 139512 allow ip from any to any via sis2 keep-state
00525 0 0 allow icmp from any to any
00625 2 240 allow ip from any to any via gif0
65535 58 8660 deny ip from any to any
Bash# ifconfig
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.250.10 netmask 0xffffff00 broadcast 10.0.250.255
        ether 00:00:24:c0:34:c4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:00:24:c0:34:c5
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
        ether 00:00:24:c0:34:c6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
vlan0: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface: <none>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xffffff00
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:bd:da:26:00:00
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.0.250.10 --> 10.0.250.11
        inet 10.1.0.1 --> 10.2.0.1 netmask 0xffffffff
Bash# setkey -D -P
10.2.0.0/24[any] 10.1.0.0/24[any] any
        in ipsec
        esp/transport/10.0.250.11-10.0.250.10/require
        spid=1 seq=1 pid=577
        refcnt=1
10.1.0.0/24[any] 10.2.0.0/24[any] any
        out ipsec
        esp/transport/10.0.250.10-10.0.250.11/require
        spid=2 seq=0 pid=577
        refcnt=1
-Scott
-----Original Message-----
From: Guido van Rooij [mailto:guido@gvr.org]
Sent: Wednesday, November 20, 2002 7:45 AM
To: Scott Ullrich
Cc: 'Archie Cobbs'; David Kelly; 'greg.panula@dolaninformation.com'; FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
On Tue, Nov 19, 2002 at 11:41:49PM -0500, Scott Ullrich wrote:
> I thought it was going to work after Guido pointed out that I was
> using tunnel mode vs. transport. I changed it over to transport and
> could not get it to work under any conditions. I tried gif rules,
> internal network rules before and after the divert and many other
> methods including using a allow all from any to any ruleset and could
> not get this to work so I am reverting back. I am honestly lost at
> this point and need to do the tcpdumps that david has done to see what
> is going wrong.
I am almost positive you are doing something wrong.
Please repost the things I asked for, i.e.
1) ifconfig of physical and gif devices
2) setkey -DP
3) ipfw config
-Guido
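The three outputs Guido asks for (ifconfig, setkey -D -P, ipfw show) can be cross-checked mechanically rather than by eye. The script below is an added example, not code from this thread or from FreeBSD. It parses the three outputs as copied from Scott's message (ifconfig abridged to sis0 and gif0), finds for each SPD entry the first ipfw rule that admits the ESP packets between the tunnel endpoints on the outer interface, reports whether that rule sits ahead of the natd divert rule, and lists rules whose packet counter is still zero. It assumes that only plain "allow ip|all|esp from A to B [via IF]" rules need to be examined; port lists, in/out qualifiers and stateful keywords are ignored.

```python
# Added example, not code from the thread: cross-check the three outputs Guido asked for.
# Assumption: only "allow ip|all|esp from A to B [via IF]" rules are examined; port lists,
# in/out qualifiers and stateful options are ignored.
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "num pkts bytes body")
Policy = namedtuple("Policy", "sel_src sel_dst direction proto mode ep_src ep_dst level")

# Inputs copied from Scott's message (ifconfig abridged to sis0 and gif0).
IPFW_SHOW = """\
00050 77 6323 allow ip from 10.0.250.10 to 10.0.250.11
00050 21 3247 allow ip from 10.0.250.11 to 10.0.250.10
00051 2 240 allow ip from any to any via gif0 keep-state
00100 244 18970 divert 8668 ip from any to any via sis0
00110 0 0 allow ip from any to any via sis1 keep-state
00125 0 0 check-state
00225 225 19082 allow ip from me to any keep-state
00325 0 0 allow ip from any to any via sis1
00425 796 139512 allow ip from any to any via sis2 keep-state
00525 0 0 allow icmp from any to any
00625 2 240 allow ip from any to any via gif0
65535 58 8660 deny ip from any to any
"""
SETKEY_DP = """\
10.2.0.0/24[any] 10.1.0.0/24[any] any
        in ipsec
        esp/transport/10.0.250.11-10.0.250.10/require
        spid=1 seq=1 pid=577
10.1.0.0/24[any] 10.2.0.0/24[any] any
        out ipsec
        esp/transport/10.0.250.10-10.0.250.11/require
        spid=2 seq=0 pid=577
"""
IFCONFIG = """\
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.250.10 netmask 0xffffff00 broadcast 10.0.250.255
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.0.250.10 --> 10.0.250.11
        inet 10.1.0.1 --> 10.2.0.1 netmask 0xffffffff
"""

def parse_ipfw_show(text):
    """ipfw show: rule number, packet and byte counters, rule body."""
    hits = (re.match(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$", l) for l in text.splitlines())
    return [Rule(int(m[1]), int(m[2]), int(m[3]), m[4]) for m in hits if m]

def parse_spd(text):
    """setkey -D -P: selector line, direction line, then the esp/mode/src-dst/level request."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    pols = []
    for i, line in enumerate(lines[:-2]):
        sel = re.match(r"^(\S+)\[\w+\]\s+(\S+)\[\w+\]\s+\S+$", line)
        req = re.match(r"^(\w+)/(\w+)/([\d.]+)-([\d.]+)/(\w+)$", lines[i + 2])
        if sel and req:
            pols.append(Policy(sel[1], sel[2], lines[i + 1].split()[0], *req.groups()))
    return pols

def parse_ifconfig(text):
    """ifconfig: interface name -> its inet addresses ('tunnel inet' lines are skipped)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            cur, ifaces[head[1]] = head[1], []
        elif cur and re.match(r"^\s*inet\s", line):
            ifaces[cur].append(line.split()[1])
    return ifaces

def _covers(token, addr, local):
    """'any' matches all, 'me' the host's own addresses, else an address or CIDR prefix."""
    try:
        return token == "any" or (addr in local if token == "me"
                                  else ip_address(addr) in ip_network(token, strict=False))
    except ValueError:
        return False

def rule_admits(rule, src, dst, iface, local):
    """True if an allow rule for ip/all/esp matches a packet src->dst seen on iface."""
    m = re.match(r"^allow\s+(?:ip|all|esp)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$", rule.body)
    if not m:
        return False  # deny/divert/check-state, another protocol, or a port list
    via = re.search(r"\b(?:via|xmit|recv)\s+(\S+)", m[3])
    return (not via or via[1] == iface) and _covers(m[1], src, local) and _covers(m[2], dst, local)

def check_esp_path(rules, pols, ifaces):
    """Per SPD entry: first rule admitting the ESP peers on the outer interface, and whether
    it precedes the natd divert rule (if not, ESP between the peers is handed to natd first)."""
    local = {a for lst in ifaces.values() for a in lst}
    divert = next((i for i, r in enumerate(rules) if r.body.startswith("divert")), None)
    report = []
    for p in pols:
        local_ep = p.ep_src if p.direction == "out" else p.ep_dst
        iface = next((n for n, lst in ifaces.items() if local_ep in lst), None)
        admit = next((i for i, r in enumerate(rules)
                      if rule_admits(r, p.ep_src, p.ep_dst, iface, local)), None)
        report.append({"direction": p.direction, "iface": iface,
                       "admit_rule": None if admit is None else rules[admit].num,
                       "divert_rule": None if divert is None else rules[divert].num,
                       "esp_escapes_natd": admit is not None and (divert is None or admit < divert)})
    return report

def idle_rules(rules):
    """Rule numbers that have matched no packets yet: the first place to look for mis-ordering."""
    return [r.num for r in rules if r.pkts == 0]
```

To check a live box, save the output of the same three commands and point the three constants at it. On the posted ruleset the script reports that both SPD entries are admitted by the two rules numbered 50, ahead of the divert at 100, and that rules 110, 125, 325 and 525 have matched nothing; a ruleset where the divert precedes any allow for the peers comes back with esp_escapes_natd set to False.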
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
