Date:      Wed, 4 Sep 2002 16:21:47 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   IPSEC & routing w/o gif
Message-ID:  <20020904162147.D6553@seekingfire.com>

Howdy,

I'm trying to set up an IPSEC ESP tunnel between a gateway running
FreeBSD 4.6-STABLE and a gateway running Mandrake 8.2 with FreeSWAN
1.98. I'm using pre-shared keys and the tunnel appears to be established
...  here's some sample output from racoon:

# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
<snip>
2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
2002-09-04 16:06:53: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
2002-09-04 16:06:53: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
2002-09-04 16:06:53: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2002-09-04 16:06:53: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=1469637767(0x5798e487)
2002-09-04 16:06:53: DEBUG: pfkey.c:1324:pk_recvadd(): ===

Unfortunately, routing doesn't seem to work:

# ping 192.168.31.206
PING 192.168.31.206 (192.168.31.206): 56 data bytes
ping: sendto: No route to host

I understand how routing would work with 2 FreeBSD boxes running an
IP-over-IP tunnel and then using transport mode IPSEC between the
outside IP's ... that's reasonably traditional. How does one set up
routing between the internal networks with regular ESP tunnels?

I've tried:

       gifconfig gif0 24.72.10.212 24.72.31.206
       ifconfig gif0 inet 192.168.23.2 192.168.31.206 netmask 255.255.255.0

But I had that same problem with that in place.

I've tried:
        
        route -n add -net 192.168.31.0 192.168.31.206
        route -n add 192.168.31.206 192.168.23.2

and the routes appear in my routing table:

# netstat -r -n -f inet
default            24.72.10.1         UGSc      309   623239    rl1
24.72.10/24        link#2             UC          3      119    rl1
24.72.10.212       00:50:bf:e1:f2:b7  UHLW        0       60    lo0
127.0.0.1          127.0.0.1          UH          0    53651    lo0
192.168.8          192.168.168.6      UGSc        0        0    lo0
192.168.23         link#1             UC          4        0    rl0
192.168.23.2       00:50:bf:e1:f4:33  UHLW        1        0    lo0
192.168.31         192.168.31.206     UGSc        0        0    rl1
192.168.31.206     192.168.23.2       UGHS        0        6    rl0
192.168.168.1      192.168.168.1      UH          0        2    lo0
192.168.168.5      192.168.168.5      UH          0       28    lo0

But I had that same problem with that in place.

I don't want to use IP-over-IP tunnels as I want to be able to service
cross-platform tunnels easily. How should I be configuring my routing?

TIA,

- Tillman Hodgson


-- 
One uses power by grasping it lightly.  To grasp with too much force is
to be taken over by power, thus becoming its victim.
	- Bene Gesserit Axiom

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
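The question above is answered by the kernel's Security Policy Database rather than by an interface or a route: with KAME IPsec on FreeBSD 4.x, tunnel-mode ESP is applied to a packet when an SPD entry loaded with setkey(8) matches it, and racoon negotiates the SAs on demand for a "require" policy. The route for the remote inner network only has to give ip_output an interface to send on; the default route is enough, and the encapsulation is done by the policy, not by the next hop. The following script is an added example, not code from the original message or from the FreeBSD or racoon projects. The outside addresses 24.72.10.212 / 24.72.31.206 and the default gateway 24.72.10.1 are taken from the post; the /24 inner networks, the "require" level and the choice of the default gateway as next hop are assumptions. Only the FreeBSD side is shown; the FreeSWAN peer must carry the mirror-image policy.

```shell
#!/bin/sh
# Added example (not from the original post): tunnel-mode ESP between two
# gateways without a gif(4) interface, as seen from the FreeBSD gateway.
# Outside addresses and default gateway are from the post; the inner /24s,
# the "require" level and routing via the default gateway are assumptions.

LOCAL_NET=192.168.23.0/24    # inner network behind the FreeBSD gateway (assumed /24)
REMOTE_NET=192.168.31.0/24   # inner network behind the FreeSWAN gateway (assumed /24)
LOCAL_GW=24.72.10.212        # outside address of the FreeBSD gateway (from the post)
REMOTE_GW=24.72.31.206       # outside address of the FreeSWAN gateway (from the post)
DEFAULT_GW=24.72.10.1        # default gateway from the netstat output in the post

# Write a setkey(8) policy file: drop old policies, then one policy per
# direction. The "out" entry makes the kernel wrap LOCAL_NET->REMOTE_NET
# traffic in ESP with a new IP header LOCAL_GW->REMOTE_GW; the "in" entry
# requires the reverse traffic to arrive that way. "require" also tells the
# kernel to ask racoon for SAs when none exist yet.
write_ipsec_policy() {
    cat > "$1" <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Load the policy file into the kernel SPD. Guarded so the script can be
# exercised on a host without setkey; on the gateway it must succeed.
install_ipsec_policy() {
    if command -v setkey >/dev/null 2>&1; then
        setkey -f "$1"
    else
        echo "setkey not found; policy left in $1" >&2
        return 1
    fi
}

# Give the remote inner network an ordinary next hop on the outside
# interface. The SPD entry, not this route, causes the encapsulation, so
# the next hop must be something the kernel can reach without the tunnel.
# Pointing the route at 192.168.31.206 (only reachable through the tunnel)
# or at a local address gives a route that depends on itself.
add_remote_route() {
    if [ "$(uname -s)" = FreeBSD ] && command -v route >/dev/null 2>&1; then
        route -n add -net "$REMOTE_NET" "$DEFAULT_GW"
    else
        echo "not on FreeBSD; would run: route -n add -net $REMOTE_NET $DEFAULT_GW" >&2
        return 1
    fi
}

# Typical use on the gateway:
#   write_ipsec_policy /etc/ipsec.conf && install_ipsec_policy /etc/ipsec.conf
#   add_remote_route
# then start racoon and ping a host on REMOTE_NET from LOCAL_NET.
```

To check the result: `setkey -DP` lists the policies the kernel actually holds, `setkey -D` lists the SAs racoon has installed (they should match the SPIs racoon logged), and `tcpdump -ni rl1 esp` on the outside interface should show ESP packets to 24.72.31.206 when the inner ping runs. If the SAs appear but the ping still fails, compare the SPD selectors with the left/right subnets configured on the FreeSWAN side; a mismatch there produces a phase 2 SA that never matches the traffic.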




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020904162147.D6553>