Date:      Thu, 21 Jun 2001 02:13:03 -0600
From:      Brad Waite <brad@wcubed.net>
To:        freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject:   Problems with IPsec tunnel
Message-ID:  <3B31AC8F.58022F53@wcubed.net>

Hello,

I'm having quite the time trying to set up an IPsec tunnel on 4.3-RELEASE.
Host-to-host IPsec works fine - I can make connections all day long between my
two gateways.  But for the life of me, I can't get my windows boxen on each end
to talk to the other.  I've got identical psk.txt files (rw-------) on both
gateways, but 10.0.1.2 can't ping 10.0.0.2 to save its life.  I've told the PCs
on each end to route the other's traffic through the near gate's inside addr,
and still no go.  IP forwarding is turned on and NAT is off on both gates as
well as an "OPEN" fw ruleset.  I've gone through the couple of HOW-TOs on the
net, but while I understand exactly what they're saying, and I repeat the
process, I can't get it working.

I'm pulling my hair out.

Here's a script I've borrowed from the net.  The second set of spdadds for each
host is for the host-to-host IPsec.

HELP!

#!/bin/ksh
#
# Bring up the gif tunnel between the two gateways' outside addresses, load this
# host's IPsec policies with setkey(8), and start racoon for IKE.  The first pair
# of spdadd entries on each host is the LAN-to-LAN tunnel-mode policy; the second
# pair is the host-to-host transport-mode policy.
GW1_OUT="206.140.250.252"       # gw1 outside address
GW1_IN="10.0.0.1"               # gw1 inside address (gif0 endpoint)
GW1_NET="10.0.0.0/24"           # LAN behind gw1

GW2_NET="10.0.1.0/24"           # LAN behind gw2
GW2_IN="10.0.1.1"               # gw2 inside address (gif0 endpoint)
GW2_OUT="206.140.251.252"       # gw2 outside address

NETMASK="255.255.255.0"
HOSTNAME=`/bin/hostname`

echo "\nStarting ipsec tunnel... "

case $HOSTNAME in
        gw1.domain.com)
                # gif0: outer endpoints are the public addresses, inner addresses
                # are the gateways' LAN-side addresses
                /usr/sbin/gifconfig gif0 $GW1_OUT $GW2_OUT
                /sbin/ifconfig gif0 inet $GW1_IN $GW2_IN netmask $NETMASK
                # Flush the SPD and SAD, then load this host's policies
                /usr/sbin/setkey -FP
                /usr/sbin/setkey -F
                /usr/sbin/setkey -c << EOF
                spdadd $GW1_NET $GW2_NET any -P out ipsec
                 esp/tunnel/${GW1_IN}-${GW2_IN}/require;
                spdadd $GW2_NET $GW1_NET any -P in ipsec
                 esp/tunnel/${GW2_IN}-${GW1_IN}/require;

                spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P out ipsec
                 esp/transport/${GW1_OUT}-${GW2_OUT}/require;
                spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P in ipsec
                 esp/transport/${GW2_OUT}-${GW1_OUT}/require;
EOF
                # Send the remote LAN through the gif tunnel
                /sbin/route add $GW2_NET $GW1_IN
                ;;

        gw2.domain.com)
                # Same as above with the roles of the two gateways swapped
                /usr/sbin/gifconfig gif0 $GW2_OUT $GW1_OUT
                /sbin/ifconfig gif0 inet $GW2_IN $GW1_IN netmask $NETMASK
                /usr/sbin/setkey -FP
                /usr/sbin/setkey -F
                /usr/sbin/setkey -c << EOF
                spdadd $GW2_NET $GW1_NET any -P out ipsec
                 esp/tunnel/${GW2_IN}-${GW1_IN}/require;
                spdadd $GW1_NET $GW2_NET any -P in ipsec
                 esp/tunnel/${GW1_IN}-${GW2_IN}/require;

                spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P out ipsec
                 esp/transport/${GW2_OUT}-${GW1_OUT}/require;
                spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P in ipsec
                 esp/transport/${GW1_OUT}-${GW2_OUT}/require;
EOF
                /sbin/route add $GW1_NET $GW2_IN
                ;;
esac

# IKE daemon; pre-shared keys come from psk.txt referenced in racoon.conf
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf

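A consistency check for setkey spdadd policies like the ones in the script above, added here as an example and not part of the original post. It parses the spdadd statements each gateway would load (the constructed input is the two heredocs with the script's variables substituted), verifies that gw2's policy set is gw1's with every direction flipped, and lists tunnel-mode policies whose SA endpoints fall inside their own traffic selector, since tunnel endpoints are normally the gateways' outer addresses and such entries deserve a second look.

```python
"""Consistency checks for setkey(8) spdadd policies.
Added example, not part of the original post."""
import ipaddress
import re
from collections import namedtuple

# spdadd SRC DST PROTO -P DIR ipsec SAPROTO/MODE/EPSRC-EPDST/LEVEL;  (may wrap across lines)
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(tunnel|transport)/([^-\s]+)-([^/\s]+)/(require|use|default)"
)
Policy = namedtuple("Policy", "src dst proto direction sa_proto mode ep_src ep_dst level")

def parse_spd(text):
    """Parse every spdadd statement of a setkey -c fragment; statements end with ';'."""
    stmts = " ".join(text.split()).split(";")
    return [Policy(*m.groups()) for m in map(SPD_RE.search, stmts) if m]

def mirror_mismatches(gw_a, gw_b):
    """Each policy on gateway A must exist on B with only the direction flipped.
    Returns the policies breaking that symmetry; an empty list means consistent."""
    flip = {"in": "out", "out": "in"}
    expected_on_b = {p._replace(direction=flip[p.direction]) for p in gw_a}
    return sorted(expected_on_b ^ set(gw_b))

def endpoints_inside_selector(policies):
    """Tunnel-mode SA endpoints are normally the gateways' outer addresses; return the
    tunnel policies whose endpoints lie inside their own traffic selector for review."""
    def net(s):
        return ipaddress.ip_network(s if "/" in s else s + "/32", strict=False)
    return [p for p in policies if p.mode == "tunnel"
            and (ipaddress.ip_address(p.ep_src) in net(p.src)
                 or ipaddress.ip_address(p.ep_dst) in net(p.dst))]

# Constructed input: the gw1 heredoc from the script with its variables substituted.
GW1_SPD = """
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec
 esp/tunnel/10.0.0.1-10.0.1.1/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec
 esp/tunnel/10.0.1.1-10.0.0.1/require;
spdadd 206.140.250.252/32 206.140.251.252/32 any -P out ipsec
 esp/transport/206.140.250.252-206.140.251.252/require;
spdadd 206.140.251.252/32 206.140.250.252/32 any -P in ipsec
 esp/transport/206.140.251.252-206.140.250.252/require;
"""
# The gw2 heredoc in the script is the same set of policies with every direction flipped.
GW2_SPD = re.sub(r"-P (in|out)", lambda m: "-P out" if m.group(1) == "in" else "-P in", GW1_SPD)
```

Running `mirror_mismatches(parse_spd(GW1_SPD), parse_spd(GW2_SPD))` on the script's policies returns an empty list, while `endpoints_inside_selector` flags both tunnel-mode entries on each gateway.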