From: Tillman Hodgson
To: Mike Tancsa
Cc: questions@FreeBSD.ORG
Subject: Re: IPSEC & routing w/o gif
Date: Thu, 5 Sep 2002 22:50:49 -0600
Message-ID: <20020905225049.A13151@seekingfire.com>
In-Reply-To: from mike@sentex.net on Fri, Sep 06, 2002 at 12:01:25AM -0400
List: freebsd-questions@freebsd.org

> One of the things I don't like about how IPSec works is that it doesn't work
> like you would expect in terms of routes and interfaces. So when you do a
> netstat -nr, you don't see a route to the other side. The packets just get
> there "magically", which is fine in the Windows world, but irks people in the
> land of UNIX as most admins like to have a bit of understanding.... In
> your example, it looks like the ESP tunnel is set up, but you need to
> specify your source address. So, if your internal interface is
> 192.168.23.2, try the following ping instead
>
> ping -S 192.168.32.2 192.168.31.206
>
> Otherwise, the IP stack will automatically choose the source address based
> upon the next hop.

That explains my discovery that the tunnel *does* work from workstations
behind the gateway. Thanks!

How does this interact with and affect dynamic routing (i.e., OSPF via zebra)?

> You don't need any of that. I wrote a quick howto on creating an ESP tunnel
> between FreeBSD and a Cisco that someone posted at
>
> http://www.ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=34&page=1
>
> You should be able to get it up and running against LINUX as well. If you
> do, perhaps post the LINUX config here.

We've now got a mostly-working config, and an NFS mount works across it :-)

The remaining problem is that after a period of time the FreeBSD box can't
access the other side ("sendto: No route to host"). However, if at that point
the FreeS/WAN box initiates any traffic, then everything comes back to normal.
IOW, the FreeS/WAN box will always appear to work; the FreeBSD box will "go
away" after a while and will have to wait until the other side initiates.

We have identical lifetime values (lifetime 52 min in the remote section,
lifetime 30 min in the sainfo section in my racoon.conf, and ikelifetime=52m,
keylife=30m in the other end's ipsec.conf), which I initially thought might
have been the problem.

Any ideas on what I should be looking for?

Thanks muchly,

-T

--
Why look for meaning where there is none? Would you follow a path you know
leads nowhere?
- Query of the Mentat School
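One way to rule out the lifetime mismatch the poster suspected, as an added example that is not part of the thread: a small Python checker that reads the phase 1 lifetime (racoon `remote {}` vs. FreeS/WAN `ikelifetime=`) and the phase 2 lifetime (racoon `sainfo {}` vs. `keylife=`) from both ends, normalizes the units, and reports any phase where the two sides disagree. The config snippets below are constructed for the example, not the poster's files, and the FreeS/WAN side carries a deliberate phase 2 mismatch.

```python
import re

# Constructed sample configs (not from the thread). The racoon side uses the
# poster's values; the FreeS/WAN side deliberately disagrees on phase 2.
RACOON_CONF = """\
remote 192.168.31.206 {
    exchange_mode main;
    lifetime time 52 min;      # phase 1 (ISAKMP SA)
}
sainfo anonymous {
    lifetime time 30 min;      # phase 2 (IPsec SA)
    encryption_algorithm 3des;
}
"""
IPSEC_CONF = """\
conn fbsd
    ikelifetime=52m
    keylife=1h
"""

# racoon spells units out (sec/min/hour); FreeS/WAN uses s/m/h or bare seconds.
UNIT_SECONDS = {"sec": 1, "s": 1, "min": 60, "m": 60, "hour": 3600, "h": 3600, "": 1}

def to_seconds(number, unit):
    return int(number) * UNIT_SECONDS[unit]

def parse_racoon(text):
    """Map remote{} lifetime -> phase1 and sainfo{} lifetime -> phase2, in seconds."""
    out, block, depth = {}, None, 0
    for line in text.splitlines():
        head = re.match(r"\s*(remote|sainfo)\b", line)
        if depth == 0 and head:   # only top-level blocks name the phase
            block = {"remote": "phase1", "sainfo": "phase2"}[head.group(1)]
        m = re.search(r"lifetime\s+time\s+(\d+)\s*(sec|min|hour)", line)
        if m and block:
            out[block] = to_seconds(m.group(1), m.group(2))
        depth += line.count("{") - line.count("}")
        if depth == 0 and "}" in line:
            block = None
    return out

def parse_freeswan(text):
    """Map ikelifetime= -> phase1 and keylife= -> phase2, in seconds."""
    keys = {"ikelifetime": "phase1", "keylife": "phase2"}
    out = {}
    for m in re.finditer(r"^\s*(ikelifetime|keylife)\s*=\s*(\d+)([smh]?)", text, re.M):
        out[keys[m.group(1)]] = to_seconds(m.group(2), m.group(3))
    return out

def lifetime_mismatches(racoon_text, freeswan_text):
    """Return (phase, racoon_seconds, freeswan_seconds) for each phase that differs."""
    a, b = parse_racoon(racoon_text), parse_freeswan(freeswan_text)
    return [(p, a.get(p), b.get(p)) for p in ("phase1", "phase2") if a.get(p) != b.get(p)]

if __name__ == "__main__":
    for phase, r, f in lifetime_mismatches(RACOON_CONF, IPSEC_CONF):
        print(f"{phase}: racoon {r}s vs FreeS/WAN {f}s")
```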