Date:      Fri, 18 Jun 2004 12:16:37 +0200 (CEST)
From:      Andre Rein <ar@ra23.net>
To:        net@freebsd.org
Subject:   IPSec Routing and Interfaces, ping problem (long)
Message-ID:  <20040618121607.V64239@juergen.edv-winter.de>

Hi Ml,

got a little understanding problem with my VPN connection.
I set up isakmpd. Connected from a static client ip.
Everything works fine.

10.0.1.0-------195.226.x.98--------[INTERNET]--------195.226.x.124-------10.0.0.0


gif0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 195.226.x.124 --> 195.226.x.98
        inet 10.0.0.124 --> 10.0.1.1 netmask 0xffffff00
        inet6 fe80::250:baff:fede:bb73%gif0 prefixlen 64 scopeid 0x9

The gif0 interface I created myself with:
gifconfig gif0 195.226.65.124 195.226.65.98
ifconfig gif0 inet 10.0.0.124 10.0.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c << EOF
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec
esp/tunnel/195.226.x.124-195.226.x.98/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec
esp/tunnel/195.226.x.98-195.226.x.124/require;
EOF

First I tried racoon, so do I need the gif0 interface when using isakmpd?
Anyway, here's my setkey -D output:

195.226.x.124 195.226.x.98
        esp mode=any spi=115684691(0x06e53553) reqid=0(0x00000000)
        E: 3des-cbc  f69579f2 ccee42f3 e046f2d3 ea44eaf0 0111da98 cf79ee9d
        A: hmac-md5  f7f015ab 8200c964 13332790 8fdc3591
        seq=0x0000002e replay=0 flags=0x00000000 state=mature
        created: Jun 17 16:54:38 2004   current: Jun 17 16:55:38 2004
        diff: 60(s)     hard: 90(s)     soft: 81(s)
        last: Jun 17 16:55:38 2004      hard: 0(s)      soft: 0(s)
        current: 6256(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46   hard: 0 soft: 0
        sadb_seq=1 pid=79990 refcnt=2

195.226.x.98 195.226.x.124
        esp mode=any spi=542689727(0x2058c9bf) reqid=0(0x00000000)
        E: 3des-cbc  935381d8 a9ccfc65 b82ab59d 4c2201fa c41adfc5 077cab63
        A: hmac-md5  be01afa0 884cb945 0d561298 d17b5fbf
        seq=0x0000002e replay=0 flags=0x00000000 state=mature
        created: Jun 17 16:54:38 2004   current: Jun 17 16:55:38 2004
        diff: 60(s)     hard: 90(s)     soft: 81(s)
        last: Jun 17 16:55:38 2004      hard: 0(s)      soft: 0(s)
        current: 3864(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46   hard: 0 soft: 0
        sadb_seq=0 pid=79990 refcnt=1

I added a route to the 10.0.1/24 net:
10.0.1/24          10.0.1.1           UGSc        0     2736   gif0

Now I set up a connection from a dynamic client.

192.168.10/30------Dynamic-IP--------[INTERNET]--------195.226.x.124-------10.0.0.0

setkey -D:
195.226.x.124 217.236.140.95
        esp mode=any spi=1631512562(0x613ee7f2) reqid=0(0x00000000)
        E: rijndael-cbc  ae65af22 6256a79a d37eb700 c7cd9917
        A: hmac-md5  3e378bc3 f7abd982 67d838d9 b678d18d
        seq=0x000001c6 replay=0 flags=0x00000000 state=mature
        created: Jun 17 16:57:06 2004   current: Jun 17 17:04:52 2004
        diff: 466(s)    hard: 2000(s)   soft: 1800(s)
        last: Jun 17 17:04:51 2004      hard: 0(s)      soft: 0(s)
        current: 69008(bytes)   hard: 204800000(bytes)  soft: 184320000(bytes)
        allocated: 454  hard: 0 soft: 0
        sadb_seq=3 pid=80022 refcnt=2
217.236.140.95 195.226.x.124
        esp mode=any spi=1382069086(0x5260b35e) reqid=0(0x00000000)
        E: rijndael-cbc  3e52567a 51306d35 e2333684 55b64a40
        A: hmac-md5  695a1b0a fb962e83 b38ff954 a2b4b4aa
        seq=0x000001c5 replay=0 flags=0x00000000 state=mature
        created: Jun 17 16:57:06 2004   current: Jun 17 17:04:52 2004
        diff: 466(s)    hard: 2000(s)   soft: 1800(s)
        last: Jun 17 17:04:51 2004      hard: 0(s)      soft: 0(s)
        current: 38052(bytes)   hard: 204800000(bytes)  soft: 184320000(bytes)
        allocated: 453  hard: 0 soft: 0
        sadb_seq=2 pid=80022 refcnt=1


From the client I can ping 10.0.0.124. So I tried another host in this
net (10.0.0.1).

I gave 10.0.0.1 a route to the 192.168.10/30 net
192.168.10/30      10.0.0.124         UGSc        0      341    rl0

I'm able to ping 10.0.0.1 now from my vpnclient and ping the
vpnclient from 10.0.0.1 without any trouble.

The only problem I get is to ping the vpnclient from the vpnserver.
It won't work.
So how should I set up the server to ping the client?
Am I just blind and don't see my mistake?


gruss/regards

Andre

-- 

"And some greetings from the Toaster"
"Plata Verata Nectu"
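As an added illustration, not part of the original post or of any FreeBSD tool: every SA in the setkey -D dumps above shows replay=0 (the kernel's anti-replay window is switched off) and the static tunnel negotiated 3des-cbc with hmac-md5. This Python script parses a KAME-style setkey -D dump and flags those settings; the sample dump is constructed with RFC 5737 addresses and zeroed key bytes, and the SA layout it assumes is the one shown in the post.

```python
import re

# Constructed sample in the KAME `setkey -D` format (RFC 5737 addresses,
# zeroed key bytes); not the SAs or keys from the post above.
SAMPLE_DUMP = """\
192.0.2.124 192.0.2.98
        esp mode=any spi=115684691(0x06e53553) reqid=0(0x00000000)
        E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-md5  00000000 00000000 00000000 00000000
        seq=0x0000002e replay=0 flags=0x00000000 state=mature
192.0.2.124 198.51.100.95
        esp mode=any spi=1631512562(0x613ee7f2) reqid=0(0x00000000)
        E: rijndael-cbc  00000000 00000000 00000000 00000000
        A: hmac-md5  00000000 00000000 00000000 00000000
        seq=0x000001c6 replay=32 flags=0x00000000 state=mature
"""
SA_HEAD = re.compile(r"^(\S+) (\S+)$")  # an unindented "src dst" line opens an SA
WEAK_ENC = {"des-cbc", "3des-cbc", "null"}
WEAK_AUTH = {"hmac-md5"}

def parse_sas(dump):
    """Split a setkey -D dump into one dict per SA (src, dst, spi, enc, auth, replay)."""
    sas, cur = [], None
    for line in dump.splitlines():
        m = SA_HEAD.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is not None:
            t = line.strip()
            if t.startswith(("esp ", "ah ")):
                cur["spi"] = int(re.search(r"spi=(\d+)", t).group(1))
            elif t.startswith(("E:", "A:")):
                cur["enc" if t[0] == "E" else "auth"] = t.split()[1]
            elif "replay=" in t:
                cur["replay"] = int(re.search(r"replay=(\d+)", t).group(1))
    return sas

def audit(sa):
    """Return findings for one SA; an empty list means nothing was flagged."""
    findings = []
    if sa.get("replay", 0) == 0:   # window size 0 turns the anti-replay check off
        findings.append("anti-replay disabled (replay=0)")
    if sa.get("enc") in WEAK_ENC:
        findings.append("weak cipher " + sa["enc"])
    if sa.get("auth") in WEAK_AUTH:
        findings.append("weak integrity algorithm " + sa["auth"])
    return findings

def audit_dump(dump):
    """Map (src, dst, spi) -> findings for every SA in the dump."""
    return {(s["src"], s["dst"], s["spi"]): audit(s) for s in parse_sas(dump)}
```

Run it against the real output of `setkey -D` to see which tunnels the kernel accepts replayed ESP packets on; the replay window and the proposal list are set on the IKE daemon side, not with setkey.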