Date: Fri, 15 Oct 2010 22:53:18 +0200
From: claudiu vasadi <claudiu.vasadi@gmail.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: ipsec vpn - gif_if connection problem
Message-ID: <AANLkTim=E3aT-SaOjyL2rx11kdfmtY1uBtrtuqK1zBPH@mail.gmail.com>
Hello guys,

I have 3x 8.1-RELEASE i386 machines with a custom kernel that consists of the GENERIC kernel plus:

    options IPSEC
    options IPSEC_DEBUG
    device crypto

the 3 extra options needed for IPSEC/racoon VPN. All the setup was made according to http://www.freebsd.org/doc/handbook/ipsec.html and it worked. I got to the racoon/setkey part and after I managed to get that working too, at some point, the gif interfaces stopped communicating (a.k.a. no more connection between the 3 machines).

At first, I thought it was a routing problem but I didn't see anything weird; then I turned to the firewall (pf) and I disabled it but with no effect. Step by step I disabled racoon, setkey and recreated the gif interfaces but still, no effect.

For the sake of sanity, I will detail below only 2 machines:

machine 1 (192.168.1.0/24 gw 192.168.1.1):

[root@mainserver1 ~]# ifconfig gif2
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.55.0 --> 79.113.90.52
        inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>

[root@mainserver1 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            79.113.48.1        UGS         0   123132   tun0
79.113.48.1        link#5             UHS         0        0   tun0
79.113.55.0        link#5             UHS         0       16    lo0
127.0.0.1          link#4             UH          0     1287    lo0
192.168.0.0/24     192.168.10.1       UGS         0      277   tap0
192.168.1.0/24     link#2             U           0  3249916    rl0
192.168.1.1        link#2             UHS         1        1    lo0
192.168.2.0/24     192.168.2.1        UGS         0        0   gif2
192.168.2.1        link#9             UH          0        3   gif2
192.168.10.0/24    link#8             U           0        0   tap0
192.168.10.2       link#8             UHS         0        0    lo0

machine 2 (192.168.2.0/24 gw 192.168.2.1):

[root@mainserver2 ~]# ifconfig gif1
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.90.52 --> 79.113.55.0
        inet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>

[root@mainserver2 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.144.12      UGS         0   811847   tun0
10.100.144.12      link#5             UHS         0        0   tun0
79.113.90.52       link#5             UHS         0      175    lo0
127.0.0.1          link#4             UH          0     1043    lo0
192.168.0.0/24     192.168.0.1        UGS         0       16   gif0
192.168.0.1        link#6             UH          0       19   gif0
192.168.1.0/24     192.168.1.1        UGS         0        0   gif1
192.168.1.1        link#7             UH          0        4   gif1
192.168.2.0/24     link#2             U           0  5702099    rl0
192.168.2.1        link#2             UHS         2        0    lo0

machine 1 uses gif2 (as it goes to machine 2) and machine 2 uses gif1 (as it goes to machine 1).

Scenario: Both gif_if created. I run ping from machine 1 to ext_IP of machine 2 = works; but if I ping the internal IP of any machine from the other one, it does not. I started tcpdump on machine 1 and started pinging from machine 2. I can see the echo_reply if I ping the external_IP but not if I do the same with the internal_IP.

From this, I am thinking there is a problem with the routing table but tbh, I cannot see it. If this were not the case, however, I would assume the firewall is blocking something (but the firewall is disabled).

What am I missing here?

-- 
Best regards,
Claudiu Vasadi
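An added example, not code from the post or from FreeBSD: a small Python checker that parses the `ifconfig gifN` and `netstat -f inet -rn` text shown above (copied into the constructed strings below, with the column spacing restored) and applies the consistency checks one runs on a gif(4) tunnel pair before blaming the firewall: the interface is UP/RUNNING, the outer (tunnel) and inner (point-to-point) address pairs are mirrored on the peer, the route to the peer's inner address leaves via the gif interface, and the route to the peer's outer endpoint does not recurse into the tunnel itself. The function names (`parse_gif`, `parse_routes`, `route_for`, `check_tunnel`) are this example's own.

```python
"""Consistency checks for a pair of FreeBSD gif(4) tunnel endpoints.
Added example; the input strings are copied from the mailing-list post."""
import ipaddress
import re

# Constructed input: the post's own `ifconfig gif2` / `netstat -f inet -rn` output on machine 1.
M1_GIF = """\
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.55.0 --> 79.113.90.52
        inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>
"""
M1_ROUTES = """\
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            79.113.48.1        UGS         0   123132   tun0
79.113.48.1        link#5             UHS         0        0   tun0
79.113.55.0        link#5             UHS         0       16    lo0
127.0.0.1          link#4             UH          0     1287    lo0
192.168.0.0/24     192.168.10.1       UGS         0      277   tap0
192.168.1.0/24     link#2             U           0  3249916    rl0
192.168.1.1        link#2             UHS         1        1    lo0
192.168.2.0/24     192.168.2.1        UGS         0        0   gif2
192.168.2.1        link#9             UH          0        3   gif2
192.168.10.0/24    link#8             U           0        0   tap0
192.168.10.2       link#8             UHS         0        0    lo0
"""
# Constructed input: the same two commands on machine 2.
M2_GIF = """\
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.90.52 --> 79.113.55.0
        inet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>
"""
M2_ROUTES = """\
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.144.12      UGS         0   811847   tun0
10.100.144.12      link#5             UHS         0        0   tun0
79.113.90.52       link#5             UHS         0      175    lo0
127.0.0.1          link#4             UH          0     1043    lo0
192.168.0.0/24     192.168.0.1        UGS         0       16   gif0
192.168.0.1        link#6             UH          0       19   gif0
192.168.1.0/24     192.168.1.1        UGS         0        0   gif1
192.168.1.1        link#7             UH          0        4   gif1
192.168.2.0/24     link#2             U           0  5702099    rl0
192.168.2.1        link#2             UHS         2        0    lo0
"""

OUTER_RE = re.compile(r"tunnel inet (\S+) --> (\S+)")
INNER_RE = re.compile(r"^\s*inet (\S+) --> (\S+)", re.M)  # the non-"tunnel" inet line


def parse_gif(text):
    """Pull name, flags, outer (tunnel) pair and inner (p2p) pair out of `ifconfig gifN`."""
    name = text.split(":", 1)[0]
    flags = re.search(r"flags=\w+<([^>]*)>", text).group(1).split(",")
    return {"name": name, "flags": flags,
            "outer": OUTER_RE.search(text).groups(),
            "inner": INNER_RE.search(text).groups()}


def parse_routes(text):
    """Turn `netstat -f inet -rn` rows into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[3].isdigit():   # skips banner and header rows
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]   # bare host -> /32
        routes.append((ipaddress.ip_network(dest, strict=False), f[1], f[2], f[5]))
    return routes


def route_for(routes, ip):
    """Longest-prefix match, as the kernel forwarding lookup does."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def check_tunnel(gif, routes, peer_gif):
    """Return the inconsistencies found on one end of the tunnel (empty list = looks sane)."""
    problems = []
    if not {"UP", "RUNNING"} <= set(gif["flags"]):
        problems.append(f"{gif['name']} is not UP and RUNNING")
    if gif["outer"] != peer_gif["outer"][::-1]:
        problems.append("outer tunnel endpoints are not mirrored on the peer")
    if gif["inner"] != peer_gif["inner"][::-1]:
        problems.append("inner point-to-point addresses are not mirrored on the peer")
    inner = route_for(routes, gif["inner"][1])
    if inner is None or inner[3] != gif["name"]:
        problems.append(f"no route to {gif['inner'][1]} via {gif['name']}")
    outer = route_for(routes, gif["outer"][1])
    if outer is None or outer[3] == gif["name"]:
        problems.append("route to the remote tunnel endpoint recurses into the tunnel")
    return problems


if __name__ == "__main__":
    for me, mine, peer in ((M1_GIF, M1_ROUTES, M2_GIF), (M2_GIF, M2_ROUTES, M1_GIF)):
        print(parse_gif(me)["name"], check_tunnel(parse_gif(me), parse_routes(mine), parse_gif(peer)) or "ok")
```

Run against the post's own output, both directions come back clean, which is the same conclusion the poster reached by eye: the addresses and routes are consistent, so the next place to look is what the packets do once they leave the gif interface (for example tcpdump on the gif interface itself and on the outer interface, and the IPsec policy on both ends) rather than the routing table.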