From owner-freebsd-questions Thu Jun 21 1:12:16 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.datausa.com (mail.datausa.com [207.174.131.1]) by hub.freebsd.org (Postfix) with ESMTP id 7933337B406; Thu, 21 Jun 2001 01:12:08 -0700 (PDT) (envelope-from brad@wcubed.net)
Received: from wcubed.net ([209.180.250.253]) by mail.datausa.com (8.9.3/8.9.1) with ESMTP id CAA49672; Thu, 21 Jun 2001 02:04:48 -0600 (MDT)
Message-ID: <3B31AC8F.58022F53@wcubed.net>
Date: Thu, 21 Jun 2001 02:13:03 -0600
From: Brad Waite
X-Mailer: Mozilla 4.76 [en] (Win98; U)
X-Accept-Language: en,ja,zh,zh-CN,en-GB
MIME-Version: 1.0
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Problems with IPsec tunnel
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

I'm having quite the time trying to set up an IPsec tunnel on 4.3-RELEASE. Host-to-host IPsec works fine - I can make connections all day long between my two gateways. But for the life of me, I can't get my Windows boxen on each end to talk to the other.

I've got identical psk.txt files (rw-------) on both gateways, but 10.0.1.2 can't ping 10.0.0.2 to save its life. I've told the PCs on each end to route the other's traffic through the near gate's inside addr, and still no go. IP forwarding is turned on and NAT is off on both gates, as well as an "OPEN" fw ruleset.

I've gone through the couple of HOW-TOs on the net, but while I understand exactly what they're saying, and I repeat the process, I can't get it working. I'm pulling my hair out.

Here's a script I've borrowed from the net. The second set of spdadds for each host is for the host-to-host IPsec.

HELP!
#!/bin/ksh
#
GW1_OUT="206.140.250.252"     # gateway 1, outside (public) address
GW1_IN="10.0.0.1"             # gateway 1, inside address (also gif0 local address)
GW1_NET="10.0.0.0/24"
GW2_NET="10.0.1.0/24"
GW2_IN="10.0.1.1"             # gateway 2, inside address (also gif0 remote address)
GW2_OUT="206.140.251.252"     # gateway 2, outside (public) address
NETMASK="255.255.255.0"
HOSTNAME=`/bin/hostname`

echo "\nStarting ipsec tunnel... "

case $HOSTNAME in
gw1.domain.com)
    # gif0 carries IP-in-IP between the outside addresses, numbered with the inside ones
    /usr/sbin/gifconfig gif0 $GW1_OUT $GW2_OUT
    /sbin/ifconfig gif0 inet $GW1_IN $GW2_IN netmask $NETMASK
    # flush the SPD and the SAD, then load the policies
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $GW1_NET $GW2_NET any -P out ipsec esp/tunnel/${GW1_IN}-${GW2_IN}/require;
spdadd $GW2_NET $GW1_NET any -P in ipsec esp/tunnel/${GW2_IN}-${GW1_IN}/require;
spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P out ipsec esp/transport/${GW1_OUT}-${GW2_OUT}/require;
spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P in ipsec esp/transport/${GW2_OUT}-${GW1_OUT}/require;
EOF
    # send the remote LAN through the gif tunnel
    /sbin/route add $GW2_NET $GW1_IN
    ;;
gw2.domain.com)
    /usr/sbin/gifconfig gif0 $GW2_OUT $GW1_OUT
    /sbin/ifconfig gif0 inet $GW2_IN $GW1_IN netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $GW2_NET $GW1_NET any -P out ipsec esp/tunnel/${GW2_IN}-${GW1_IN}/require;
spdadd $GW1_NET $GW2_NET any -P in ipsec esp/tunnel/${GW1_IN}-${GW2_IN}/require;
spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P out ipsec esp/transport/${GW2_OUT}-${GW1_OUT}/require;
spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P in ipsec esp/transport/${GW1_OUT}-${GW2_OUT}/require;
EOF
    /sbin/route add $GW1_NET $GW2_IN
    ;;
esac

# start the IKE daemon with the pre-shared keys referenced from racoon.conf
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf
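An added check, not from the post and not FreeBSD's own tooling: this Python parses spdadd lines of the shape the script loads and reports two things worth verifying before chasing racoon logs, tunnel-mode policies whose SA endpoints are not the gateways' outside addresses, and out/in policies that are not mirrored on the peer. The sample policies are the posted ones with the variables expanded; the "fixed" variant, which terminates the SAs on the outside addresses, is an assumed alternative rather than anything the post states.

```python
import re
from typing import NamedTuple

# One spdadd line in setkey syntax, with the script's shell variables already expanded.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?:esp|ah)/(?P<mode>tunnel|transport)/(?P<ep1>[^-/\s]+)-(?P<ep2>[^/\s]+)/\w+\s*;"
)

class Policy(NamedTuple):
    src: str
    dst: str
    direction: str
    mode: str
    endpoints: tuple  # (SA endpoint on the src side, SA endpoint on the dst side)

def parse_spd(text):
    """Parse every spdadd line of a setkey script into a Policy."""
    return [Policy(m["src"], m["dst"], m["dir"], m["mode"], (m["ep1"], m["ep2"]))
            for m in SPD_RE.finditer(text)]

def gateway_spd(local_net, remote_net, local_ep, remote_ep):
    """The out/in pair of tunnel policies one gateway loads, shaped like the posted script."""
    return (f"spdadd {local_net} {remote_net} any -P out ipsec esp/tunnel/{local_ep}-{remote_ep}/require;\n"
            f"spdadd {remote_net} {local_net} any -P in ipsec esp/tunnel/{remote_ep}-{local_ep}/require;\n")

def check_gateways(gw1_text, gw2_text, outer):
    """Findings for the SPDs of two peering gateways; outer = their routable outside addresses.
    A tunnel-mode SA should terminate on those: with inside addresses as endpoints, IKE to the
    peer has to travel through the very gif tunnel the SA is meant to protect.  Every 'out'
    policy on one gateway must also be loaded as the identical 'in' policy on the other."""
    findings = []
    spd = {"gw1": parse_spd(gw1_text), "gw2": parse_spd(gw2_text)}
    for name, pols in spd.items():
        for p in pols:
            if p.mode == "tunnel" and not set(p.endpoints) <= outer:
                findings.append(f"{name}: tunnel {p.src}->{p.dst} ends on {p.endpoints}, not on outer addrs")
    for name, peer in (("gw1", "gw2"), ("gw2", "gw1")):
        for p in spd[name]:
            if p.direction == "out" and p._replace(direction="in") not in spd[peer]:
                findings.append(f"{name}: out policy {p.src}->{p.dst} has no mirror 'in' policy on {peer}")
    return findings

# Constructed from the post: policies as posted (inside addresses as SA endpoints) and an
# assumed variant that terminates the SAs on the outside addresses instead.
OUTER = {"206.140.250.252", "206.140.251.252"}
POSTED_GW1 = gateway_spd("10.0.0.0/24", "10.0.1.0/24", "10.0.0.1", "10.0.1.1")
POSTED_GW2 = gateway_spd("10.0.1.0/24", "10.0.0.0/24", "10.0.1.1", "10.0.0.1")
FIXED_GW1 = gateway_spd("10.0.0.0/24", "10.0.1.0/24", "206.140.250.252", "206.140.251.252")
FIXED_GW2 = gateway_spd("10.0.1.0/24", "10.0.0.0/24", "206.140.251.252", "206.140.250.252")
```

Running `check_gateways(POSTED_GW1, POSTED_GW2, OUTER)` reports all four posted tunnel policies for ending on inside addresses, while the mirror check passes; the fixed pair yields no findings.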