Date: Fri, 31 Aug 2001 09:18:37 -0400
From: "Matthew Emmerton" <matt@gsicomp.on.ca>
To: <freebsd-net@freebsd.org>
Subject: Help with IPSec VPN
Message-ID: <003201c1321f$71de65e0$1200a8c0@gsicomp.on.ca>
Hi all,

I've been trying to get an IPsec tunneling VPN between two boxes working
without much success. I've read the FAQs and HOWTOs on www.freebsd.org,
www.freebsddiary.org, www.daemonnews.org and www.kame.net and they all have
helped me get closer to where I want to be, but I'm still missing something.

The exact problem that I'm running into is that once I've got everything
configured (all details below), when I try and ping the other end of the
tunnel, nothing happens. I get this from 'netstat -p ipsec', with every
other ipsec counter showing a value of 0:

        8 outbound packets with no SA available

Both boxes are running RELENG_4_3 (security release), and have
'options IPSEC' and 'options IPSEC_ESP' in the kernel.

Box A is 192.168.0.2/24, Box B is 192.168.0.3/24.

Here's what I'm doing on box A:

gabby# gifconfig gif0 192.168.0.2 192.168.0.3
gabby# ifconfig gif0 inet 10.0.2.1 10.0.3.1 netmask 255.255.255.0
gabby# setkey -F
gabby# setkey -FP
gabby# setkey -c << EOF
add 10.0.2.1 10.0.3.1 esp 1000 -E 3des-cbc "goofgoofgoofgoofgoofgoof";
add 10.0.3.1 10.0.2.1 esp 1001 -E 3des-cbc "foolfoolfoolfoolfoolfool";
spdadd 10.0.2.0/24 10.0.3.0/24 any -P out ipsec esp/tunnel/192.168.0.2-192.168.0.3/require;
spdadd 10.0.3.0/24 10.0.2.0/24 any -P in ipsec esp/tunnel/192.168.0.3-192.168.0.2/require;
EOF
gabby# route add -net 10.0.3.0/24 10.0.3.1
gabby#

I'm doing the exact same thing on Box B, except that all the IP pairs are
reversed, with the exception of the 'add' lines for setkey (as outlined in
the KAME IPsec FAQ, VPN tunnel section) and the route statement.
Here's output from gifconfig, ifconfig, netstat, and setkey (slightly trimmed):

gabby# gifconfig -a gif0
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        inet6 fe80::200:c0ff:fef2:7c40%gif0 --> :: prefixlen 64
        inet 10.0.2.1 --> 10.0.3.1 netmask 0xffffff00
        physical address inet 192.168.0.2 --> 192.168.0.3

gabby# ifconfig gif0
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        inet6 fe80::200:c0ff:fef2:7c40%gif0 --> :: prefixlen 64 scopeid 0x4
        inet 10.0.2.1 --> 10.0.3.1 netmask 0xffffff00

gabby# netstat -rn -f inet
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGSc        1        0    ed0
10.0.3/24          10.0.3.1           UGSc        0        0   gif0
10.0.3.1           10.0.2.1           UH          1        8   gif0
127.0.0.1          127.0.0.1          UH          1       92    lo0
192.168            link#1             UC          0        0    ed0 =>

gabby# setkey -D
10.0.3.1 10.0.2.1
        esp mode=any spi=1001(0x000003e9) reqid=0(0x00000000)
        E: 3des-cbc 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c 666f6f6c
        replay=0 flags=0x00000040 state=mature seq=1 pid=403
        created: Aug 31 08:39:59 2001   current: Aug 31 09:11:49 2001
        diff: 1910(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
10.0.2.1 10.0.3.1
        esp mode=any spi=1000(0x000003e8) reqid=0(0x00000000)
        E: 3des-cbc 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66 676f6f66
        replay=0 flags=0x00000040 state=mature seq=0 pid=403
        created: Aug 31 08:39:59 2001   current: Aug 31 09:11:49 2001
        diff: 1910(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1

gabby# setkey -DP
10.0.3.0/24[any] 10.0.2.0/24[any] any
        in ipsec
        esp/tunnel/192.168.0.3-192.168.0.2/require
        spid=4 seq=1 pid=404
        refcnt=1
10.0.2.0/24[any] 10.0.3.0/24[any] any
        out ipsec
        esp/tunnel/192.168.0.2-192.168.0.3/require
        spid=3 seq=0 pid=404
        refcnt=1

--
Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003201c1321f$71de65e0$1200a8c0>
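Editor's note on the configuration in the message above. The two spdadd lines ask for ESP in tunnel mode between the outer addresses 192.168.0.2 and 192.168.0.3, but the two SAs were added for the inner addresses 10.0.2.1 and 10.0.3.1. When the kernel matches an outbound packet against that policy it looks for an SA whose endpoints are the policy's tunnel endpoints, finds none, and drops the packet; "outbound packets with no SA available" is the counter for exactly that lookup failure, which is why it is the only non-zero one. The setkey(8) configuration file below for box A is an added example, not part of the original message and not the KAME or FreeBSD documentation's own text. It keeps the gif0 tunnel exactly as configured in the post and instead protects the gif-encapsulated packets (IP protocol 4, "ipencap" in /etc/protocols) with transport-mode ESP, so the SA endpoints and the policy endpoints are the same pair of outer addresses. The 3DES keys are the toy keys from the post; the hmac-sha1 keys and the use of SPIs 1000/1001 are assumptions made for the example.

```conf
# Added example: /etc/ipsec.conf for box A (192.168.0.2), loaded with
#   setkey -f /etc/ipsec.conf
# after gif0 has been set up as in the post. Not from the original message.

# Same effect as 'setkey -F; setkey -FP' in the post: start from empty SAD/SPD.
flush;
spdflush;

# Manual SAs keyed on the OUTER addresses, one per direction. The policy
# below is transport mode, so the SA mode is transport as well.
# -E: the post's toy 3DES keys (24 bytes each). Replace with random keys.
# -A: hmac-sha1 needs a 20-byte key; these keys are assumed for the example.
#     ESP without -A gives no integrity protection at all, so keep an -A.
add 192.168.0.2 192.168.0.3 esp 1000 -m transport -E 3des-cbc "goofgoofgoofgoofgoofgoof" -A hmac-sha1 "authkeyA-authkeyA-aa";
add 192.168.0.3 192.168.0.2 esp 1001 -m transport -E 3des-cbc "foolfoolfoolfoolfoolfool" -A hmac-sha1 "authkeyB-authkeyB-bb";

# Policy on the gif encapsulation: every ipencap packet between the two
# outer addresses must be ESP-protected. The inner 10.0.2.1 -> 10.0.3.1
# packet is first routed into gif0, gif wraps it in an ipencap packet from
# 192.168.0.2 to 192.168.0.3, and that packet matches this selector and the
# SA above. Use 'any' instead of 'ipencap' to protect all traffic between
# the two hosts, not only the tunnel.
spdadd 192.168.0.2 192.168.0.3 ipencap -P out ipsec esp/transport//require;
spdadd 192.168.0.3 192.168.0.2 ipencap -P in ipsec esp/transport//require;
```

Box B loads the same file with the two spdadd lines swapped (its "out" policy is 192.168.0.3 to 192.168.0.2, its "in" policy the reverse); the two add lines are identical on both ends, as the post already does. To check: `setkey -D` must now list SAs with src/dst 192.168.0.2 and 192.168.0.3, and a `ping 10.0.3.1` should show up in `tcpdump -n -i ed0 esp` as ESP packets while the "no SA available" counter in `netstat -p ipsec` stops increasing. If you would rather keep the tunnel-mode spdadd lines from the post unchanged, the equivalent fix is to key the SAs on the outer addresses with `-m tunnel`, i.e. `add 192.168.0.2 192.168.0.3 esp 1000 -m tunnel ...`; in that case the kernel does the encapsulation itself and gif0 is redundant. Either way the rule is the same: the addresses in `add` must be the addresses that appear in the policy's tunnel endpoints (tunnel mode) or in its selector (transport mode).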