Date: Mon, 13 Feb 2006 13:57:42 -0800 From: George Hartzell <hartzell@alerce.com> To: freebsd-mobile@freebsd.org Subject: ssh-based vpn and routing question. Message-ID: <17393.214.512151.13869@satchel.alerce.com>
I'm trying to set up an ssh-based vpn between a 6.0-STABLE laptop and a remote server (I've tried it to both 6.0-STABLE and 5.3-STABLE). I can bring up a ppp link via an ssh tunnel and each side can ping the address of the other side of the tunnel.

I would like to route all traffic from my laptop to the server's real address (a routable static ip address from my ISP) so that it goes across the tunnel instead (e.g. to tunnel through a firewall that allows ssh but doesn't pass pop3s connections and the powers that be don't want to touch the firewall rules but are ok w/ the tunnel...).

I've tried just adding a static host route pointing to the server end of the ppp link, but that doesn't work (via "route add" and ppp's "add" command).

** Not only can I not ping the server's static ip address, but I can no longer ping its end of the ppp link. **

When I remove the route I eventually regain the ability to ping the remote end of the ppp link; the waiting time seems to be proportional to how long I let the ping run while I had the route in place.

In order to test my sanity I tried to do it in reverse. Once the link was up I ssh'ed in to the server and added a route to the outside address of the laptop (which happened to be a 10.xxx.yyy.zzz address) via the laptop end of the ppp link. I was able to ping both the laptop's outside 10.x addr and its end of the ppp link.

I tried setting net.inet.ip.forwarding=1 and it didn't make things work in the server case, nor did it break the sanity-checking laptop case.

I've tried this on both an older (sigh...) 5.3-STABLE server and a recent 6.0-STABLE server. They both behave identically. There are no firewalls running on any of the FreeBSD boxes.

At this point I'm assuming that ppp is doing something asymmetric, but I am stymied. The fact that I can do the reverse of what I want is driving me nuts....

Does anyone have any constructive commentary?

Thanks,
g.
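Added example, not from the thread or from FreeBSD's ppp: a small Python routing-table simulator that models the two experiments above with placeholder addresses and checks whether the route added for a peer's public address would also capture the packets that carry the tunnel itself (the ssh TCP session to that same address), which is the loop to rule out before routing a tunnel endpoint's own address through the tunnel. The interface names, all addresses, and the NAT address the server sees as its ssh peer are assumptions.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 / private ranges), not the poster's.
LAPTOP_LAN = ipaddress.ip_network("10.1.2.0/24")
LAPTOP_OUTSIDE = ipaddress.ip_address("10.1.2.50")   # laptop's 10.x address
SERVER_PUBLIC = ipaddress.ip_address("203.0.113.10")  # server's routable static IP
PPP_SERVER = ipaddress.ip_address("192.168.99.1")     # server end of the ppp link
PPP_LAPTOP = ipaddress.ip_address("192.168.99.2")     # laptop end of the ppp link
NAT_PUBLIC = ipaddress.ip_address("198.51.100.7")     # assumed: ssh peer as seen by server

def lookup(table, dst):
    """Longest-prefix match over (network, gateway, interface) rows; None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def tunnel_self_routes(table, transport_peer, tunnel_iface):
    """True if the ssh session carrying the tunnel (to transport_peer) would itself
    be sent into tunnel_iface, i.e. the tunnel depends on a path through itself."""
    route = lookup(table, transport_peer)
    return route is not None and route[2] == tunnel_iface

def laptop_table(with_host_route):
    table = [
        (LAPTOP_LAN, None, "em0"),
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.1.2.1"), "em0"),
        (ipaddress.ip_network(f"{PPP_SERVER}/32"), None, "tun0"),
    ]
    if with_host_route:
        # the "route add <server public ip> <ppp peer>" step from the post
        table.append((ipaddress.ip_network(f"{SERVER_PUBLIC}/32"), PPP_SERVER, "tun0"))
    return table

def server_table():
    return [
        (ipaddress.ip_network("203.0.113.0/24"), None, "fxp0"),
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "fxp0"),
        (ipaddress.ip_network(f"{PPP_LAPTOP}/32"), None, "tun0"),
        # reverse experiment: laptop's outside 10.x address via the ppp link
        (ipaddress.ip_network(f"{LAPTOP_OUTSIDE}/32"), PPP_LAPTOP, "tun0"),
    ]

if __name__ == "__main__":
    print("laptop + host route loops:", tunnel_self_routes(laptop_table(True), SERVER_PUBLIC, "tun0"))
    print("server reverse route loops:", tunnel_self_routes(server_table(), NAT_PUBLIC, "tun0"))
```

The server-side check comes out clean only because the address it routes via the tunnel (the laptop's 10.x) is not the address its ssh peer packets are sent to, which is what makes the two experiments asymmetric in this model.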