From: claudiu vasadi
To: freebsd-questions@freebsd.org
Date: Fri, 15 Oct 2010 22:53:18 +0200
Subject: ipsec vpn - gif_if connection problem

Hello guys,

I have
3x 8.1-RELEASE i386 machines with a custom kernel that consists of the GENERIC kernel plus:

options IPSEC
options IPSEC_DEBUG
device crypto

the 3 extra options needed for IPSEC/racoon VPN. All the setup was made according to http://www.freebsd.org/doc/handbook/ipsec.html and it worked. I got to the racoon/setkey part and after I managed to get that working too, at some point, the gif interfaces stopped communicating (a.k.a. no more connection between the 3 machines). At first, I thought it was a routing problem but I didn't see anything weird; then I turned to the firewall (pf) and I disabled it, but with no effect. Step by step I disabled racoon, setkey and recreated the gif interfaces but still, no effect.

For the sake of sanity, I will detail below only 2 machines:

machine 1 (192.168.1.0/24 gw 192.168.1.1):

[root@mainserver1 ~]# ifconfig gif2
gif2: flags=8051 metric 0 mtu 1280
        tunnel inet 79.113.55.0 --> 79.113.90.52
        inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
        options=1
[root@mainserver1 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            79.113.48.1        UGS         0   123132   tun0
79.113.48.1        link#5             UHS         0        0   tun0
79.113.55.0        link#5             UHS         0       16    lo0
127.0.0.1          link#4             UH          0     1287    lo0
192.168.0.0/24     192.168.10.1       UGS         0      277   tap0
192.168.1.0/24     link#2             U           0  3249916    rl0
192.168.1.1        link#2             UHS         1        1    lo0
192.168.2.0/24     192.168.2.1        UGS         0        0   gif2
192.168.2.1        link#9             UH          0        3   gif2
192.168.10.0/24    link#8             U           0        0   tap0
192.168.10.2       link#8             UHS         0        0    lo0

machine 2 (192.168.2.0/24 gw 192.168.2.1):

[root@mainserver2 ~]# ifconfig gif1
gif1: flags=8051 metric 0 mtu 1280
        tunnel inet 79.113.90.52 --> 79.113.55.0
        inet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00
        options=1
[root@mainserver2 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.144.12      UGS         0   811847   tun0
10.100.144.12      link#5             UHS         0        0   tun0
79.113.90.52       link#5             UHS         0      175    lo0
127.0.0.1          link#4             UH          0     1043    lo0
192.168.0.0/24     192.168.0.1        UGS         0       16   gif0
192.168.0.1        link#6             UH          0       19   gif0
192.168.1.0/24     192.168.1.1        UGS         0        0   gif1
192.168.1.1        link#7             UH          0        4   gif1
192.168.2.0/24     link#2             U           0  5702099    rl0
192.168.2.1        link#2             UHS         2        0    lo0

machine 1 uses gif2 (as it goes to machine 2) and machine 2 uses gif1 (as it goes to machine 1).

Scenario: Both gif_if created. I run ping from machine 1 to ext_IP of machine 2 = works; but if I ping the internal IP of any machine from the other one, it does not. I started tcpdump on machine 1 and started pinging from machine 2. I can see the echo_reply if I ping the external_IP but not if I do the same with the internal_IP.

From this, I am thinking there is a problem with the routing table but tbh, I cannot see it. If this would not be the case however, I would assume the firewall is blocking something (but the firewall is disabled).

What am I missing here?

--
Best regards,
Claudiu Vasadi
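The consistency check below is an added example, not code from the post or from FreeBSD: it parses the two sides' `ifconfig gifN` and `netstat -f inet -rn` output and verifies that the gif endpoints mirror each other, that the far end's inner address is routed into the local gif, and that the far tunnel endpoint is not itself routed into the gif (which would loop the encapsulation). The sample input is constructed from the output quoted above; function names are my own.

```python
import ipaddress
import re

# Constructed sample input, copied from the ifconfig/netstat output quoted in the post.
M1_GIF = ("gif2: flags=8051 metric 0 mtu 1280\n"
          "\ttunnel inet 79.113.55.0 --> 79.113.90.52\n"
          "\tinet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00\n")
M2_GIF = ("gif1: flags=8051 metric 0 mtu 1280\n"
          "\ttunnel inet 79.113.90.52 --> 79.113.55.0\n"
          "\tinet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00\n")
M1_ROUTES = """Destination        Gateway            Flags    Refs      Use  Netif Expire
default            79.113.48.1        UGS         0   123132   tun0
192.168.1.0/24     link#2             U           0  3249916    rl0
192.168.2.0/24     192.168.2.1        UGS         0        0   gif2
192.168.2.1        link#9             UH          0        3   gif2
"""

def parse_gif(text):
    """Interface name plus (src, dst) outer tunnel and inner endpoints from 'ifconfig gifN'."""
    name = re.match(r"(\S+):", text).group(1)
    outer = re.search(r"tunnel inet (\S+) --> (\S+)", text).groups()
    inner = re.search(r"\binet (\S+) --> (\S+) netmask", text).groups()
    return {"name": name, "outer": outer, "inner": inner}

def parse_routes(text):
    """(network, netif) pairs from 'netstat -f inet -rn' data rows; other lines are skipped."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and (f[0] == "default" or f[0][0].isdigit()):
            dest = "0.0.0.0/0" if f[0] == "default" else f[0]
            routes.append((ipaddress.ip_network(dest, strict=False), f[5]))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: which interface the kernel would send a packet for ip out of."""
    hits = [r for r in routes if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_tunnel(local, remote, local_routes):
    """Findings for the local side of a gif pair; an empty list means it looks consistent."""
    findings = []
    if local["outer"] != remote["outer"][::-1]:
        findings.append("outer tunnel endpoints do not mirror the remote side")
    if local["inner"] != remote["inner"][::-1]:
        findings.append("inner addresses do not mirror the remote side")
    via = lookup(local_routes, remote["inner"][0])  # path to the far end's inner address
    if via != local["name"]:
        findings.append(f"far inner address {remote['inner'][0]} is routed via {via}, not {local['name']}")
    if lookup(local_routes, local["outer"][1]) == local["name"]:
        findings.append("outer tunnel endpoint is routed into the gif itself (encapsulation loop)")
    return findings
```

Run it against each machine's own output with the other side as `remote`; the quoted configuration passes, so the check narrows the question to what sits between the gif and the wire (the SPD entries and the tun0 path) rather than the gif/route setup itself.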