Date:      Fri, 17 Aug 2001 21:11:52 -0500
From:      "Travis Leuthauser" <lists-freebsd-stable@crimsonwasteland.com>
To:        <freebsd-net@freebsd.org>
Subject:   IPSec VPN tunnel question
Message-ID:  <OLEPKBMLIHCGDKLGKPJGCEFPDNAA.lists-freebsd-stable@crimsonwasteland.com>

I am trying to set up an IPSec-based VPN between my FreeBSD server, which is
running IPFW with a custom ruleset and NATD for my home network, and a Netopia
R9100 Dual Ethernet router.  I am attempting to use
IPSec/tunnel/esp/hmac-md5 authentication/no encryption.  Below is my
configuration:

Output from 'uname -a':
FreeBSD firewall.crimsonwasteland.com 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Sat Aug 11 09:30:22 GMT 2001     root@firewall.crimsonwasteland.com:/usr/obj/usr/src/sys/FIREWALL  i386

Public IP on xl0:       24.181.119.107
Private IP on xl1:      172.16.69.1
Public IP on Netopia:   x.x.x.x
Private IP on Netopia:  172.16.250.1

Snippet of IPFW Ruleset:

00010       allow ip from any to x.x.x.x out xmit gif0
00020       allow ip from x.x.x.x to any in recv gif0
00030       allow ip from any to 172.16.250.0/24 out xmit gif0
00040       allow ip from 172.16.250.0/24 to any in recv gif0
00050       divert 8668 ip from any to any via xl0
00100       allow ip from any to any via lo0
00200       deny log ip from any to 127.0.0.0/8
00300       deny log ip from 127.0.0.0/8 to any
... Several rules allowing specific services ...
65500       deny log ip from any to any

Output from ifconfig gif0:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 24.181.119.107 --> x.x.x.x
        inet 172.16.69.1 --> 172.16.250.1 netmask 0xffffff00
        inet6 fe80::204:76ff:fe6f:7136%gif0 prefixlen 64 scopeid 0x8

Output from setkey -D:

x.x.x.x 24.181.119.107
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
        A: hmac-md5  75b916ac 534cef32 d3db8a44 cf5b62c1
        replay=0 flags=0x00000040 state=mature seq=1 pid=23835
        created: Aug 17 20:53:11 2001   current: Aug 17 20:53:14 2001
        diff: 3(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
24.181.119.107 x.x.x.x
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
        A: hmac-md5  75b916ac 534cef32 d3db8a44 cf5b62c1
        replay=0 flags=0x00000040 state=mature seq=0 pid=23835
        created: Aug 17 20:53:11 2001   current: Aug 17 20:53:14 2001
        diff: 3(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1

Output from setkey -DP:

172.16.250.0/24[any] 172.16.69.0/24[any] any
        in ipsec
        esp/tunnel/x.x.x.x-24.181.119.107/require
        spid=10 seq=1 pid=23842
        refcnt=1
172.16.69.0/24[any] 172.16.250.0/24[any] any
        out ipsec
        esp/tunnel/24.181.119.107-x.x.x.x/require
        spid=9 seq=0 pid=23842
        refcnt=1

Output from netstat -nr:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            24.181.118.1       UGSc       30   234144    xl0
24.181.118/23      link#1             UC          2        0    xl0
24.181.118.1       0:50:b:7:44:1c     UHLW       28        0    xl0   1199
24.181.119.107     0:4:76:6f:71:36    UHLW        0        2    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.69/24       link#2             UC          4        0    xl1
172.16.69.1        0:4:76:6f:71:4e    UHLW        1     8107    lo0
172.16.69.2        0:10:4b:33:79:b9   UHLW        6   752816    xl1   1198
172.16.69.254      link#2             UHLW        1     9836    xl1
172.16.69.255      ff:ff:ff:ff:ff:ff  UHLWb       2     1523    xl1
172.16.250.1       172.16.69.1        UH          0       25   gif0

Internet6:
Destination                       Gateway                       Flags   Netif Expire
::1                               ::1                           UH      lo0
fe80::%xl0/64                     link#1                        UC      xl0
fe80::204:76ff:fe6f:7136%xl0      0:4:76:6f:71:36               UHL     lo0
fe80::%xl1/64                     link#2                        UC      xl1
fe80::204:76ff:fe6f:714e%xl1      0:4:76:6f:71:4e               UHL     lo0
fe80::%lo0/64                     fe80::1%lo0                   Uc      lo0
fe80::1%lo0                       link#4                        UHL     lo0
fe80::%gif0/64                    link#8                        UC      gif0
fe80::204:76ff:fe6f:7136%gif0     link#8                        UHL     lo0
ff01::/32                         ::1                           U       lo0
ff02::%xl0/32                     link#1                        UC      xl0
ff02::%xl1/32                     link#2                        UC      xl1
ff02::%lo0/32                     ::1                           UC      lo0
ff02::%gif0/32                    link#8                        UC      gif0


Snippet from dmesg:

Aug  7 09:43:35 firewall /kernel: Copyright (c) 1992-2001 The FreeBSD Project.
Aug  7 09:43:35 firewall /kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Aug  7 09:43:35 firewall /kernel: The Regents of the University of California. All rights reserved.
Aug  7 09:43:35 firewall /kernel: FreeBSD 4.4-PRERELEASE #6: Tue Aug  7 08:18:34 GMT 2001
Aug  7 09:43:35 firewall /kernel: korak@firewall.crimsonwasteland.com:/usr/src/sys/compile/FIREWALL
Aug  7 09:43:35 firewall /kernel: Timecounter "i8254"  frequency 1193182 Hz
Aug  7 09:43:35 firewall /kernel: CPU: Pentium II/Pentium II Xeon/Celeron (267.27-MHz 686-class CPU)
Aug  7 09:43:35 firewall /kernel: Origin = "GenuineIntel"  Id = 0x633  Stepping = 3
Aug  7 09:43:35 firewall /kernel: Features=0x80f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX>
Aug  7 09:43:35 firewall /kernel: real memory  = 134217728 (131072K bytes)
Aug  7 09:43:35 firewall /kernel: avail memory = 126742528 (123772K bytes)
Aug  7 09:43:35 firewall /kernel: Preloaded elf kernel "kernel" at 0xc037f000.
Aug  7 09:43:35 firewall /kernel: Preloaded userconfig_script "/boot/kernel.conf" at 0xc037f09c.
Aug  7 09:43:35 firewall /kernel: Pentium Pro MTRR support enabled
Aug  7 09:43:35 firewall /kernel: md0: Malloc disk
Aug  7 09:43:35 firewall /kernel: npx0: <math processor> on motherboard
Aug  7 09:43:35 firewall /kernel: npx0: INT 16 interface
Aug  7 09:43:35 firewall /kernel: pcib0: <Intel 82443LX (440 LX) host to PCI bridge> on motherboard
Aug  7 09:43:35 firewall /kernel: pci0: <PCI bus> on pcib0
Aug  7 09:43:35 firewall /kernel: pcib1: <Intel 82443LX (440 LX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
Aug  7 09:43:35 firewall /kernel: pci1: <PCI bus> on pcib1
Aug  7 09:43:35 firewall /kernel: pci1: <Intel i740 AGP SVGA controller> at 0.0 irq 9
Aug  7 09:43:35 firewall /kernel: isab0: <Intel 82371AB PCI to ISA bridge> at device 7.0 on pci0
Aug  7 09:43:35 firewall /kernel: isa0: <ISA bus> on isab0
Aug  7 09:43:35 firewall /kernel: atapci0: <Intel PIIX4 ATA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
Aug  7 09:43:35 firewall /kernel: ata0: at 0x1f0 irq 14 on atapci0
Aug  7 09:43:35 firewall /kernel: ata1: at 0x170 irq 15 on atapci0
Aug  7 09:43:35 firewall /kernel: uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0x6400-0x641f irq 11 at device 7.2 on pci0
Aug  7 09:43:35 firewall /kernel: usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
Aug  7 09:43:35 firewall /kernel: usb0: USB revision 1.0
Aug  7 09:43:35 firewall /kernel: uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
Aug  7 09:43:35 firewall /kernel: uhub0: 2 ports with 2 removable, self powered
Aug  7 09:43:35 firewall /kernel: chip1: <Intel 82371AB Power management controller> port 0x5f00-0x5f0f at device 7.3 on pci0
Aug  7 09:43:35 firewall /kernel: xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0x6500-0x657f mem 0xe4000000-0xe400007f irq 9 at device 9.0 on pci0
Aug  7 09:43:35 firewall /kernel: xl0: Ethernet address: 00:04:76:6f:71:36
Aug  7 09:43:35 firewall /kernel: miibus0: <MII bus> on xl0
Aug  7 09:43:35 firewall /kernel: xlphy0: <3Com internal media interface> on miibus0
Aug  7 09:43:35 firewall /kernel: xlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Aug  7 09:43:35 firewall /kernel: xl1: <3Com 3c905B-TX Fast Etherlink XL> port 0x6600-0x667f mem 0xe4001000-0xe400107f irq 12 at device 10.0 on pci0
Aug  7 09:43:35 firewall /kernel: xl1: Ethernet address: 00:04:76:6f:71:4e
Aug  7 09:43:35 firewall /kernel: miibus1: <MII bus> on xl1
Aug  7 09:43:35 firewall /kernel: xlphy1: <3Com internal media interface> on miibus1
Aug  7 09:43:35 firewall /kernel: xlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Aug  7 09:43:35 firewall /kernel: fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
Aug  7 09:43:35 firewall /kernel: fdc0: FIFO enabled, 8 bytes threshold
Aug  7 09:43:35 firewall /kernel: fd0: <1440-KB 3.5" drive> on fdc0 drive 0
Aug  7 09:43:35 firewall /kernel: atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
Aug  7 09:43:35 firewall /kernel: vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Aug  7 09:43:35 firewall /kernel: sc0: <System console> at flags 0x100 on isa0
Aug  7 09:43:35 firewall /kernel: sc0: VGA <16 virtual consoles, flags=0x300>
Aug  7 09:43:35 firewall /kernel: sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
Aug  7 09:43:35 firewall /kernel: sio0: type 16550A
Aug  7 09:43:35 firewall /kernel: ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
Aug  7 09:43:35 firewall /kernel: ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
Aug  7 09:43:35 firewall /kernel: ppbus0: IEEE1284 device found /NIBBLE/ECP
Aug  7 09:43:35 firewall /kernel: Probing for PnP devices on ppbus0:
Aug  7 09:43:35 firewall /kernel: ppbus0: <HEWLETT-PACKARD DESKJET 690C> MLC,PCL,PML
Aug  7 09:43:35 firewall /kernel: plip0: <PLIP network interface> on ppbus0
Aug  7 09:43:35 firewall /kernel: lpt0: <Printer> on ppbus0
Aug  7 09:43:35 firewall /kernel: lpt0: Interrupt-driven port
Aug  7 09:43:35 firewall /kernel: ppi0: <Parallel I/O> on ppbus0
Aug  7 09:43:35 firewall /kernel: DUMMYNET initialized (010124)
Aug  7 09:43:35 firewall /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, unlimited logging
Aug  7 09:43:35 firewall /kernel: IPsec: Initialized Security Association Processing.

Commands I used to get to this point:

% ifconfig gif0 create inet 172.16.69.1 172.16.250.1 netmask 255.255.255.0 up
% gifconfig gif0 inet 24.181.119.107 x.x.x.x
% setkey -c
spdadd 172.16.69.0/24 172.16.250.0/24 any -P out ipsec esp/tunnel/24.181.119.107-x.x.x.x/require ;
spdadd 172.16.250.0/24 172.16.69.0/24 any -P in ipsec esp/tunnel/x.x.x.x-24.181.119.107/require ;
add 24.181.119.107 x.x.x.x esp 2568731067 -m tunnel -E simple "" -A hmac-md5 0x75b916ac534cef32d3db8a44cf5b62c1 ;
add x.x.x.x 24.181.119.107 esp 2568731067 -m tunnel -E simple "" -A hmac-md5 0x75b916ac534cef32d3db8a44cf5b62c1 ;
^D


If I try to ping or traceroute to 172.16.250.1 from the console of my BSD
server, I get no replies.

Any advice would be greatly appreciated.



-Travis
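Added example, not code from the poster or from FreeBSD: a small Python audit that parses `setkey -D` and `setkey -DP` output in the layout shown in the mail and reports any policy whose tunnel endpoints have no security association to satisfy it (with a `require` policy, such traffic is not sent in the clear but simply has no SA to use), together with ESP SAs whose `E:` line reads `null`, which authenticate the tunnel but give it no confidentiality. The sample text is a constructed, trimmed copy of the output above, with the remote gateway still written as x.x.x.x.

```python
import re
# Constructed sample: the poster's `setkey -D`/`setkey -DP` output, trimmed; the remote gateway stays x.x.x.x.
SAD = """24.181.119.107 x.x.x.x
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
x.x.x.x 24.181.119.107
        esp mode=tunnel spi=2568731067(0x991bb9bb) reqid=0(0x00000000)
        E: null
"""
SPD = """172.16.250.0/24[any] 172.16.69.0/24[any] any
        in ipsec
        esp/tunnel/x.x.x.x-24.181.119.107/require
172.16.69.0/24[any] 172.16.250.0/24[any] any
        out ipsec
        esp/tunnel/24.181.119.107-x.x.x.x/require
"""

def blocks(text):  # yield (header, body) pairs; a header line starts in column 0
    for blk in re.split(r"\n(?=\S)", text.strip()):
        head, _, body = blk.partition("\n")
        yield head, " ".join(body.split())

def parse_sad(text):
    """Map (src, dst, proto, mode) -> encryption algorithm name from `setkey -D`."""
    sas = {}
    for head, body in blocks(text):
        proto, mode = re.search(r"(\w+) mode=(\w+) spi=", body).groups()
        enc = re.search(r"\bE: (\S+)", body)
        sas[(*head.split(), proto, mode)] = enc[1] if enc else None
    return sas

def parse_spd(text):
    """List policies from `setkey -DP`: direction, selector, proto/mode, tunnel ends."""
    sps = []
    for head, body in blocks(text):
        m = re.search(r"(in|out) ipsec (\w+)/(\w+)/([^/\s-]+)-([^/\s]+)/", body)
        sel = re.sub(r"\[\w+\]", "", head).split()[:2]       # strip [port] suffixes
        sps.append({"dir": m[1], "sel": sel, "proto": m[2], "mode": m[3], "tun": (m[4], m[5])})
    return sps

def audit(sad_text, spd_text):
    """Flag policies with no SA to satisfy them, and ESP SAs that only authenticate."""
    sas, findings = parse_sad(sad_text), []
    for p in parse_spd(spd_text):
        if (*p["tun"], p["proto"], p["mode"]) not in sas:
            findings.append(f"{p['dir']} {p['sel'][0]}->{p['sel'][1]}: no {p['proto']}/{p['mode']} SA")
    for (src, dst, proto, _), enc in sas.items():
        if proto == "esp" and enc == "null":
            findings.append(f"SA {src}->{dst}: ESP null encryption, integrity only")
    return findings
```

On the poster's configuration both policies find their SA, so the only findings are the two null-encryption SAs; feed it real `setkey -D` and `setkey -DP` output to check a box after every manual `add`/`spdadd`.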

