Date: Tue, 13 Feb 2007 09:59:24 -0800
From: JoeJR <joejr@bluebottle.com>
To: freebsd-questions@freebsd.org
Subject: FreeBSD IPSec VPN routing problem
Message-ID: <1171389564.45d1fc7c9e845@mail.bluebottle.com>
Hello list!

I've been playing around with IPsec site-to-site VPN. The setup is as follows:

  [Home cisco 871w, A] -> (internet) -> [FreeBSD IPsec VPN-server] -> (internet) -> [Buddy's Home cisco 871w, B]

A and B can both reach the FreeBSD IPsec server, on their VPN IPs:

A (10.10.10.1) to IPsec endpoint:

  Pinging 10.3.2.1 with 32 bytes of data:
  Reply from 10.3.2.1: bytes=32 time=84ms TTL=63
  Reply from 10.3.2.1: bytes=32 time=85ms TTL=63

B (10.10.8.1) to IPsec endpoint:

  PING 10.3.2.1 (10.3.2.1): 56 data bytes
  64 bytes from 10.3.2.1: icmp_seq=0 ttl=63 time=74.705 ms
  64 bytes from 10.3.2.1: icmp_seq=1 ttl=63 time=74.547 ms

This is what I use to set up the GIF interfaces:

  ifconfig gif0 create
  ifconfig gif0 tunnel A.B.C.D E.F.G.H
  ifconfig gif0 inet 10.3.2.1 10.10.10.1 netmask 0xffffffff
  route add 10.10.10.0/24 10.10.10.1

  ifconfig gif1 create
  ifconfig gif1 tunnel A.B.C.D I.J.K.L
  ifconfig gif1 inet 10.3.2.1 10.10.8.1 netmask 0xffffffff
  route add 10.10.8.0/24 10.10.8.1

And here is my IPsec policy setup:

  #/usr/sbin/setkey -F
  /usr/sbin/setkey -c << EOF
  flush;
  spdflush;
  spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
  spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
  spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
  spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
  EOF

Everything seems nice and dandy, however:

  Pinging 10.10.8.1 from 10.10.10.1 with 32 bytes of data:
  Request timed out.
  Request timed out.

It appears the server is not routing it between the interfaces. I have net.inet.ip.forwarding: 1 with sysctl.

Can anyone shed some light on what I am missing here to have packets from 10.10.10.1 hit 10.10.8.1 directly? Both IPs are reachable and reply on ping from the VPN server.
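An added example, not part of the poster's message: a small Python checker that parses the spdadd lines exactly as posted and reports, for a given source/destination pair, which policies match in each direction. A packet that the hub forwards between the two spokes is checked against the SPD on the way in and again on the way out, so the checker tests both directions for such a transit flow; hub-to-spoke and spoke-to-hub flows are checked only in the direction that applies. The SPD text and the flows below are constructed from the post (the A.B.C.D style addresses are the poster's own placeholders). Where a prefix carries host bits, as in 10.3.2.1/24, the example masks them off; that is an assumption made for the check, not a statement about how setkey treats such input.

```python
"""Which setkey SPD policies cover a given flow?

Policy text copied from the mailing-list post (constructed input for this
example; A.B.C.D, E.F.G.H and I.J.K.L are the poster's placeholders).
"""
import ipaddress
import re

SPD_TEXT = """
spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> <action> [<protocol>/<mode>/<peers>/<level>] ;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)(?:\s+(\S+?))?\s*;"
)


def parse_spd(text):
    """Turn spdadd lines into a list of policy dicts with parsed networks."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, upper, direction, action, spec = m.groups()
        policies.append({
            # strict=False masks host bits, so "10.3.2.1/24" is read as 10.3.2.0/24
            # (an assumption of this checker, see the lead-in).
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "upper": upper,
            "dir": direction,
            "action": action,
            "spec": spec or "",
        })
    return policies


def matching_policies(policies, src_ip, dst_ip, direction):
    """Return the policies whose selector covers src_ip -> dst_ip in `direction`."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]


def uncovered(policies, flows):
    """Report (src, dst, direction) triples for which no policy matches.

    `flows` is a list of (src, dst, directions) where `directions` lists the
    SPD lookups the hub performs for that flow: ("in",) for traffic addressed
    to the hub, ("out",) for traffic the hub originates, ("in", "out") for
    traffic the hub forwards from one tunnel to the other.
    """
    gaps = []
    for src, dst, directions in flows:
        for direction in directions:
            if not matching_policies(policies, src, dst, direction):
                gaps.append((src, dst, direction))
    return gaps


# Constructed flows taken from the post: spoke-to-hub, hub-to-spoke, spoke-to-spoke.
FLOWS = [
    ("10.10.10.1", "10.3.2.1", ("in",)),          # A pings the hub
    ("10.10.8.1", "10.3.2.1", ("in",)),           # B pings the hub
    ("10.3.2.1", "10.10.10.1", ("out",)),         # hub replies to A
    ("10.3.2.1", "10.10.8.1", ("out",)),          # hub replies to B
    ("10.10.10.1", "10.10.8.1", ("in", "out")),   # A pings B through the hub
]

if __name__ == "__main__":
    pols = parse_spd(SPD_TEXT)
    print(f"parsed {len(pols)} policies")
    for src, dst, direction in uncovered(pols, FLOWS):
        print(f"no {direction} policy covers {src} -> {dst}")
```

Run as-is, the checker prints that the four hub-centred flows each match a policy, while the spoke-to-spoke flow 10.10.10.1 -> 10.10.8.1 matches no posted policy in either direction. Whether that gap is the whole story on the poster's hosts is for him to confirm with `setkey -DP` and tcpdump on the outer interface; the point of the check is that a forwarded flow not covered by any policy is one the SPD will not protect.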