From: Mike Tancsa
To: Tillman Hodgson
Cc: questions@freebsd.org
Subject: Re: IPSEC & routing w/o gif
Date: Fri, 06 Sep 2002 00:01:25 -0400

On Wed, 4 Sep 2002 16:21:47 -0600, in sentex.lists.freebsd.questions you wrote:

>Howdy,
>
>I'm trying to set up an IPSEC ESP tunnel between a gateway running
>FreeBSD 4.6-STABLE and a gateway running Mandrake 8.2 with FreeSWAN
>1.98. I'm using pre-shared keys and the tunnel appears to be established
>... here's some sample output from racoon:
>
># /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
>
>2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
>2002-09-04 16:06:53: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
>2002-09-04 16:06:53: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
>2002-09-04 16:06:53: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
>2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
>2002-09-04 16:06:53: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=1469637767(0x5798e487)
>2002-09-04 16:06:53: DEBUG: pfkey.c:1324:pk_recvadd(): ===
>
>Unfortunately, routing doesn't seem to work:
>
># ping 192.168.31.206
>PING 192.168.31.206 (192.168.31.206): 56 data bytes
>ping: sendto: No route to host

One of the things I don't like about how IPSec works is that it doesn't work like you would expect in terms of routes and interfaces. So when you do a netstat -nr, you don't see a route to the other side. The packets just get there "magically", which is fine in the Windows world, but irks people in the land of UNIX, as most admins like to have a bit of understanding....

In your example, it looks like the ESP tunnel is set up, but you need to specify your source address. So, if your internal interface is 192.168.23.2, try the following ping instead:

ping -S 192.168.32.2 192.168.31.206

Otherwise, the IP stack will automatically choose the source address based upon the next hop.

>
>I understand how routing would work with 2 FreeBSD boxes running an
>IP-over-IP tunnel and then using transport mode IPSEC between the
>outside IP's ... that's reasonably traditional. How does one set up
>routing between the internal networks with regular ESP tunnels?
>
>I've tried:
>
> gifconfig gif0 24.72.10.212 24.72.31.206
> ifconfig gif0 inet 192.168.23.2 192.168.31.206 netmask 255.255.255.0

You don't need any of that. I wrote a quick howto on creating an ESP tunnel between FreeBSD and a Cisco that someone posted at
http://www.ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=34&page=1

You should be able to get it up and running against LINUX as well. If you do, perhaps post the LINUX config here.

---Mike

Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers
could setup a national IP network." (KDW2)
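The source-address point in the reply above, as an added illustration that is not part of the thread: a small Python model of how an outbound tunnel-mode policy only matches when the inner source address falls inside its selector, so a ping whose source the stack picked from the default route is not tunnelled while a ping -S from the inside address is. The SPD entry, the /24 prefixes and the routing table are constructed assumptions; the thread only gives the host addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class TunnelPolicy:
    """An outbound tunnel-mode SPD entry, in the spirit of a setkey 'spdadd' line."""
    inner_src: Net
    inner_dst: Net
    outer_src: IPv4
    outer_dst: IPv4

# Constructed SPD: internal LANs tunnelled between the two gateway addresses in the thread.
# The /24 prefixes are assumptions; the thread only shows host addresses.
SPD = [
    TunnelPolicy(Net("192.168.23.0/24"), Net("192.168.31.0/24"),
                 IPv4("24.72.10.212"), IPv4("24.72.31.206")),
]

# Constructed routing table: (prefix, address of the interface the route goes out of).
ROUTES = [
    (Net("192.168.23.0/24"), IPv4("192.168.23.2")),   # inside interface
    (Net("0.0.0.0/0"), IPv4("24.72.10.212")),         # default route, outside interface
]

def pick_source(dst: IPv4) -> IPv4:
    """Mimic the stack: source = address of the interface of the longest-prefix route."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def match_policy(src: IPv4, dst: IPv4) -> Optional[TunnelPolicy]:
    """First SPD entry whose inner selectors cover the (src, dst) pair, else None."""
    for p in SPD:
        if src in p.inner_src and dst in p.inner_dst:
            return p
    return None

def classify_ping(dst: str, source: Optional[str] = None) -> tuple:
    """Return (chosen source, outcome) for a ping to dst, with or without 'ping -S'."""
    d = IPv4(dst)
    s = IPv4(source) if source else pick_source(d)   # -S overrides the stack's choice
    p = match_policy(s, d)
    if p is None:
        return str(s), "no tunnel policy matched; sent in the clear via the next hop"
    return str(s), f"ESP tunnel {p.outer_src} -> {p.outer_dst}"
```

Calling classify_ping("192.168.31.206") shows the stack choosing the outside address and missing the policy; classify_ping("192.168.31.206", "192.168.23.2") shows the same packet matching the tunnel.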