From: JoeJR <joejr@bluebottle.com>
To: freebsd-questions@freebsd.org
Date: Tue, 13 Feb 2007 09:59:24 -0800
Subject: FreeBSD IPSec VPN routing problem

Hello list!

I've been playing around with IPSEC site-to-site VPN. The setup is as follows:

    [Home cisco 871w, A] -> (internet) -> [FreeBSD IPsec VPN-server] -> (internet) -> [Buddy's Home cisco 871w, B]

A and B can both reach the FreeBSD IPSec server, on their VPN IPs:

A (10.10.10.1) to IPsec endpoint:

    Pinging 10.3.2.1 with 32 bytes of data:
    Reply from 10.3.2.1: bytes=32 time=84ms TTL=63
    Reply from 10.3.2.1: bytes=32 time=85ms TTL=63

B (10.10.8.1) to IPsec endpoint:

    PING 10.3.2.1 (10.3.2.1): 56 data bytes
    64 bytes from 10.3.2.1: icmp_seq=0 ttl=63 time=74.705 ms
    64 bytes from 10.3.2.1: icmp_seq=1 ttl=63 time=74.547 ms

This is what I use to set up the GIF interfaces:

    ifconfig gif0 create
    ifconfig gif0 tunnel A.B.C.D E.F.G.H
    ifconfig gif0 inet 10.3.2.1 10.10.10.1 netmask 0xffffffff
    route add 10.10.10.0/24 10.10.10.1

    ifconfig gif1 create
    ifconfig gif1 tunnel A.B.C.D I.J.K.L
    ifconfig gif1 inet 10.3.2.1 10.10.8.1 netmask 0xffffffff
    route add 10.10.8.0/24 10.10.8.1

And here is my IPsec policy setup:

    #/usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
    flush;
    spdflush;
    spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
    spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
    spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
    spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
    EOF

Everything seems nice and dandy, however:

    Pinging 10.10.8.1 from 10.10.10.1 with 32 bytes of data:
    Request timed out.
    Request timed out.

It appears the server is not routing it between the interfaces. I have net.inet.ip.forwarding: 1 with sysctl.
Can anyone shed some light on what I am missing here to have packets from 10.10.10.1 hit 10.10.8.1 directly? Both IPs are reachable and reply on ping from the VPN server.
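As an added illustration, not part of the original mail, here is a small Python script (my own, not the poster's) that parses the quoted spdadd lines and checks which flows their selectors cover. It shows that the forwarded A-to-B flow (10.10.10.1 -> 10.10.8.1) matches none of the four entries, so those entries give it no IPsec treatment, and it flags the 10.3.2.1/24 selector, which is not written on a network boundary.

```python
import ipaddress
import re

# The SPD entries quoted in the mail; A.B.C.D, E.F.G.H and I.J.K.L are the
# poster's own placeholders for the public endpoint addresses.
SPD_TEXT = """
spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
"""

# spdadd <src/len> <dst/len> <upperspec> -P <in|out> <policy> ;
SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(.+?)\s*;\s*$")


def parse_spd(text):
    """Return [(src_net, dst_net, direction, policy)] for each spdadd line."""
    policies = []
    for line in text.splitlines():
        m = SPDADD.match(line.strip())
        if m:
            src, dst, direction, policy = m.groups()
            # strict=False tolerates host bits (10.3.2.1/24) so the entry still parses
            policies.append((ipaddress.ip_network(src, strict=False),
                             ipaddress.ip_network(dst, strict=False),
                             direction, policy))
    return policies


def host_bit_prefixes(text):
    """Selectors written with host bits set, e.g. 10.3.2.1/24; rewrite them on a
    network boundary so the intended range does not depend on how they are masked."""
    found = []
    for m in re.finditer(r"\b(\d+\.\d+\.\d+\.\d+/\d+)\b", text):
        try:
            ipaddress.ip_network(m.group(1), strict=True)
        except ValueError:
            found.append(m.group(1))
    return found


def matching_policies(policies, src_ip, dst_ip, direction):
    """Entries whose selectors cover a packet src_ip -> dst_ip in that direction."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies if p[2] == direction and src in p[0] and dst in p[1]]


def uncovered_flows(policies, flows):
    """Flows (src, dst, direction) that no entry covers; these get nothing from the SPD."""
    return [f for f in flows if not matching_policies(policies, *f)]


if __name__ == "__main__":
    pols = parse_spd(SPD_TEXT)
    flows = [("10.3.2.1", "10.10.8.1", "out"),    # hub -> B, covered by entry 1
             ("10.10.10.1", "10.10.8.1", "out"),  # A -> B, forwarded by the hub
             ("10.10.8.1", "10.10.10.1", "out")]  # B -> A, forwarded by the hub
    for f in uncovered_flows(pols, flows):
        print("no SPD entry covers", f)
    for bad in host_bit_prefixes(SPD_TEXT):
        print("selector has host bits set:", bad)
```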