Date: Wed, 27 Jun 2001 12:29:46 -0400
From: Jim Mock <jim@compete.com>
To: questions@FreeBSD.org
Subject: VPN setup
Message-ID: <20010627122946.A2121@cartman.boston.geekhouse.net>
Howdy,
I've been trying to get a VPN set up between our Boston and SF offices,
and have made about as much progress as I would trying to ram my head
through a brick wall.
In the following, aa.aaa.aaa.aa and bb.bbb.bbb.bbb are the IP addresses
of the two machines. aa.aaa.aaa.aa is the machine here in Boston,
bb.bbb.bbb.bbb is the machine in San Francisco. Also, in the firewall
rules, ${vpn} is gif0, ${sfip} is bb.bbb.bbb.bbb, and ${oip} is
aa.aaa.aaa.aa. IPSEC is compiled into the kernel on each machine.
Boston firewall
---------------
In /etc/rc.conf:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
gif_interfaces="gif0"
gifconfig_gif0="aa.aaa.aaa.aa bb.bbb.bbb.bbb"
I've also brought up gif0:
ifconfig gif0 172.16.1.1 172.16.2.1 netmask 255.255.255.252
In /etc/ipsec.conf:
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P out ipsec
esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P in ipsec
esp/tunnel/bb.bbb.bbb.bb-aa.aaa.aaa.aa/require;
ifconfig output for gif0:
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
inet 172.16.1.1 --> 172.16.2.1 netmask 0xfffffffc
I've also added the following firewall rules:
${fwcmd} add allow esp from ${oip} to ${sfip}
${fwcmd} add allow esp from ${sfip} to ${oip}
${fwcmd} add allow udp from ${oip} isakmp to ${sfip} isakmp
${fwcmd} add allow udp from ${sfip} isakmp to ${oip} isakmp
${fwcmd} add allow ipencap from ${oip} to ${sfip}
${fwcmd} add allow ipencap from ${sfip} to ${oip}
${fwcmd} add allow ip from any to any via ${vpn}
SF Firewall
-----------
In /etc/rc.conf:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
gif_interfaces="gif0"
gifconfig_gif0="bb.bbb.bbb.bbb aa.aaa.aaa.aa"
I've also brought up gif0 on this end:
ifconfig gif0 172.16.2.1 172.16.1.1 netmask 255.255.255.252
In /etc/ipsec.conf:
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P out ipsec
esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P in ipsec
esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
ifconfig output for gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 172.16.2.1 --> 172.16.1.1 netmask 0xfffffffc
Here are the firewall rules on that machine:
${fwcmd} add allow esp from ${oip} to ${bosip}
${fwcmd} add allow esp from ${bosip} to ${oip}
${fwcmd} add allow udp from ${oip} isakmp to ${bosip} isakmp
${fwcmd} add allow udp from ${bosip} isakmp to ${oip} isakmp
${fwcmd} add allow ipencap from ${oip} to ${bosip}
${fwcmd} add allow ipencap from ${bosip} to ${oip}
${fwcmd} add allow ip from any to any via ${vpn}
If I try to ping 172.16.2.1 (the SF side) from the Boston machine, this
happens:
% ping 172.16.2.1
PING 172.16.2.1 (172.16.2.1): 56 data bytes
ping: sendto: Network is down
ping: sendto: Network is down
ping: sendto: Network is down
ping: sendto: Network is down
ping: sendto: Network is down
^C
--- 172.16.2.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
%
If I try to ping 172.16.1.1 (the Boston side) from the SF machine, this
happens:
% ping 172.16.1.1
^C
--- 172.16.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
%
I get no "Network is down" messages, but the end result is the same.
There is nothing in the firewall logs on either machine saying the
packets were denied. The only info "ipfw show" on the Boston machine
provides is this:
03900 7 588 allow ip from any to any via gif0
None of the other rules have any counts, and none of the deny rules are
matching. However, on the SF machine, I see this:
02900 54 5616 allow ipencap from 66.122.112.198 to 64.211.217.66
03100 54 4536 allow ip from any to any via gif0
Those are the only two rules WRT the VPN that are being matched on
that machine.
What am I missing? Is there an easier way to do this?
- jim
--
- jim mock <jim@compete.com> www.compete.com - jim@FreeBSD.org -
- senior systems administrator - Compete, Inc. - ph: 1.617.867.7035 -
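A consistency check for the setkey(8) spdadd entries quoted above, added here as an example; it is not part of the original post and not one of FreeBSD's own tools. It assumes the two /etc/ipsec.conf fragments are reproduced as the constructed strings below, and it verifies that each tunnel's outer endpoints equal the policy selectors and that every "out" policy has a mirrored "in" policy, which is exactly the kind of one-character slip that is hard to spot by eye in a host-to-host tunnel config.

```python
import re

# One setkey(8) "spdadd" policy as written in /etc/ipsec.conf, for example:
#   spdadd A/32 B/32 any -P out ipsec esp/tunnel/A-B/require;
# Continuation lines are joined into one line before matching.
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<sa>\S+?)\s*;"
)

# Constructed copies of the two configs from the post (placeholder addresses kept).
BOSTON_IPSEC_CONF = """
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P out ipsec
    esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P in ipsec
    esp/tunnel/bb.bbb.bbb.bb-aa.aaa.aaa.aa/require;
"""
SF_IPSEC_CONF = """
spdadd bb.bbb.bbb.bbb/32 aa.aaa.aaa.aa/32 any -P out ipsec
    esp/tunnel/bb.bbb.bbb.bbb-aa.aaa.aaa.aa/require;
spdadd aa.aaa.aaa.aa/32 bb.bbb.bbb.bbb/32 any -P in ipsec
    esp/tunnel/aa.aaa.aaa.aa-bb.bbb.bbb.bbb/require;
"""

def parse_spd(text):
    """Return one dict per spdadd entry, with the tunnel endpoints split out."""
    joined = re.sub(r"\s*\n\s*", " ", text)
    entries = []
    for m in SPD_RE.finditer(joined):
        e = m.groupdict()
        sa_proto, mode, endpoints, level = e.pop("sa").split("/", 3)
        e.update(sa_proto=sa_proto, mode=mode, level=level)
        if mode == "tunnel":
            e["tun_src"], e["tun_dst"] = endpoints.split("-")
        entries.append(e)
    return entries

def check_spd(text):
    """Return a list of findings; an empty list means the policy set is consistent."""
    entries = parse_spd(text)
    findings = []
    for e in entries:
        if e["mode"] != "tunnel":
            continue
        # For a host-to-host tunnel the outer endpoints must equal the selector hosts.
        src_host, dst_host = e["src"].split("/")[0], e["dst"].split("/")[0]
        if (e["tun_src"], e["tun_dst"]) != (src_host, dst_host):
            findings.append(f"{e['dir']}: tunnel {e['tun_src']}-{e['tun_dst']} "
                            f"does not match selector {e['src']} -> {e['dst']}")
    # Every "out" policy (src, dst) needs a matching "in" policy (dst, src) and vice versa.
    outs = {(e["src"], e["dst"]) for e in entries if e["dir"] == "out"}
    ins = {(e["dst"], e["src"]) for e in entries if e["dir"] == "in"}
    findings.extend(f"no mirrored policy for {a} -> {b}" for a, b in sorted(outs ^ ins))
    return findings

if __name__ == "__main__":
    for name, conf in (("Boston", BOSTON_IPSEC_CONF), ("SF", SF_IPSEC_CONF)):
        print(name, check_spd(conf) or "ok")
```

Run against the Boston fragment the checker reports the inbound tunnel endpoint "bb.bbb.bbb.bb" not matching the "bb.bbb.bbb.bbb/32" selector, while the SF fragment passes.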
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010627122946.A2121>
