From owner-freebsd-net@FreeBSD.ORG Wed Jul 9 17:31:38 2008
From: zaphod@fsklaw.com
To: "Mike Tancsa" , freebsd-net@freebsd.org
Date: Wed, 9 Jul 2008 10:30:09 -0700 (PDT)
Subject: Re: Tunneling issues
In-Reply-To: <200807091545.m69FjcP4031350@lava.sentex.ca>
References: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor> <200807040155.m641tl8s000607@lava.sentex.ca> <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor> <200807091545.m69FjcP4031350@lava.sentex.ca>
List-Id: Networking and TCP/IP with FreeBSD

> At 11:21 AM 7/9/2008, zaphod@fsklaw.com wrote:
>
>>I agree it should work. But it's not. With respect to the next two
>>questions, yes and yes.
>
> Can you post some of the configs you are using for 3 of the sites so
> we can perhaps spot the problem(s) you are having? I have a similar
> setup with 5 sites, all talking to each other via IPSEC tunnels. It's
> a lot of policies, but they work just fine.
>
>>I'm not a huge fan of OpenVPN, but the bigger issue is that the gif
>>tunnels come up at boot up. As well as routes. Given the client server
>>nature of OpenVPN it is suitable, because if a server reboots, I'm not
>>certain a client would auto re-connect.
>
> We have ~ 400 sites running OpenVPN across Canada that all reconnect
> just fine after reboots / power cycles etc. We don't let the clients
> talk to each other, but that would just be a config change to allow
> that to work.
>
> ---Mike

Last first. Well, that's good info on OpenVPN.

As to the first, I'm not even at the ipsec stage yet. I'm just trying to get
tunnels up. I wrote a couple of shell scripts to bring them up for testing.

Server1

orange# more mkgif
#!/bin/sh
# create the gif interface and set the outer (tunnel) and inner addresses
ifconfig gif1 create
ifconfig gif1 1.1.1.1 2.2.2.2
ifconfig gif1 inet 192.168.72.1 192.168.70.1 netmask 255.255.255.0
ifconfig gif1 tunnel 1.1.1.1 2.2.2.2
ifconfig gif1 mtu 1500
# point the remote networks at the far end of the tunnel
route change 192.168.70.0 192.168.70.1 255.255.255.0
route change 192.168.71.0 192.168.70.1 255.255.255.0

Server2

to# more mkgif
#!/bin/sh
# same as Server1 with the two ends swapped
ifconfig gif1 create
ifconfig gif1 2.2.2.2 1.1.1.1
ifconfig gif1 inet 192.168.70.1 192.168.72.1 netmask 255.255.255.0
ifconfig gif1 tunnel 2.2.2.2 1.1.1.1
ifconfig gif1 mtu 1500
route change 192.168.72.0 192.168.72.1 255.255.255.0

Seems a pretty straightforward tunnel. But nothing heads out. Can't ping a
thing. I even tried GRE; when I did that I got a ping error. Unfortunately I
can't find my note on the exact error.

Cheers,

Zaphod
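The two mkgif scripts above mirror the same four addresses by hand at each end. As an added example (not from this thread, nor FreeBSD's own code), the following shell function derives one end's commands from those four addresses plus the remote networks; gif_up, run, the GIF_IF/MASK/DRY_RUN variables and the choice of `route add` are assumptions.

```shell
#!/bin/sh
# Added example: build one end of a gif tunnel from four addresses so the two
# ends cannot be mis-mirrored. gif_up, run, GIF_IF, MASK and DRY_RUN are
# assumptions, not names from the thread. gif itself neither encrypts nor
# authenticates anything; the IPsec stage mentioned in the thread is what
# would protect the traffic crossing this tunnel.
#
# Usage: gif_up OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE [REMOTE_NET...]
# With DRY_RUN=1 (the default) commands are printed one per line; DRY_RUN=0 runs them.
DRY_RUN=${DRY_RUN:-1}
GIF_IF=${GIF_IF:-gif1}
MASK=${MASK:-255.255.255.255}   # point-to-point link, so a host mask (assumption)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gif_up() {
    outer_local=$1
    outer_remote=$2
    inner_local=$3
    inner_remote=$4
    shift 4
    run ifconfig "$GIF_IF" create
    # Outer endpoints: the addresses the encapsulated packets travel between.
    run ifconfig "$GIF_IF" tunnel "$outer_local" "$outer_remote"
    # Inner addresses of the point-to-point link, local then remote.
    run ifconfig "$GIF_IF" inet "$inner_local" "$inner_remote" netmask "$MASK"
    run ifconfig "$GIF_IF" up
    # One static route per remote network via the far inner address.
    # 'route add' rather than 'route change': change fails when no route exists yet.
    for net in "$@"; do
        run route add -net "$net" "$inner_remote"
    done
}

# Server1 from the thread: outer 1.1.1.1 <-> 2.2.2.2, inner 192.168.72.1 <-> 192.168.70.1,
# remote networks 192.168.70.0/24 and 192.168.71.0/24. The other end calls gif_up with
# the address pairs swapped and its own list of remote networks.
gif_up 1.1.1.1 2.2.2.2 192.168.72.1 192.168.70.1 192.168.70.0/24 192.168.71.0/24
```

Run with DRY_RUN=1 on both hosts first and diff the two outputs side by side: every address on one end should appear swapped on the other.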