Date: Wed, 4 Sep 2002 16:21:47 -0600 From: Tillman Hodgson <tillman@seekingfire.com> To: freebsd-questions@FreeBSD.ORG Subject: IPSEC & routing w/o gif Message-ID: <20020904162147.D6553@seekingfire.com>
Howdy,

I'm trying to set up an IPSEC ESP tunnel between a gateway running FreeBSD 4.6-STABLE and a gateway running Mandrake 8.2 with FreeSWAN 1.98. I'm using pre-shared keys and the tunnel appears to be established ... here's some sample output from racoon:

    # /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
    <snip>
    2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
    2002-09-04 16:06:53: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
    2002-09-04 16:06:53: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=181508844(0xad19aec)
    2002-09-04 16:06:53: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
    2002-09-04 16:06:53: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
    2002-09-04 16:06:53: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=1469637767(0x5798e487)
    2002-09-04 16:06:53: DEBUG: pfkey.c:1324:pk_recvadd(): ===

Unfortunately, routing doesn't seem to work:

    # ping 192.168.31.206
    PING 192.168.31.206 (192.168.31.206): 56 data bytes
    ping: sendto: No route to host

I understand how routing would work with 2 FreeBSD boxes running an IP-over-IP tunnel and then using transport mode IPSEC between the outside IPs ... that's reasonably traditional. How does one set up routing between the internal networks with regular ESP tunnels?

I've tried:

    gifconfig gif0 24.72.10.212 24.72.31.206
    ifconfig gif0 inet 192.168.23.2 192.168.31.206 netmask 255.255.255.0

But I had that same problem with that in place.

I've tried:

    route -n add -net 192.168.31.0 192.168.31.206
    route -n add 192.168.31.206 192.168.23.2

and the routes appear in my routing table:

    # netstat -r -n -f inet
    Destination        Gateway            Flags    Refs      Use  Netif
    default            24.72.10.1         UGSc      309   623239  rl1
    24.72.10/24        link#2             UC          3      119  rl1
    24.72.10.212       00:50:bf:e1:f2:b7  UHLW        0       60  lo0
    127.0.0.1          127.0.0.1          UH          0    53651  lo0
    192.168.8          192.168.168.6      UGSc        0        0  lo0
    192.168.23         link#1             UC          4        0  rl0
    192.168.23.2       00:50:bf:e1:f4:33  UHLW        1        0  lo0
    192.168.31         192.168.31.206     UGSc        0        0  rl1
    192.168.31.206     192.168.23.2       UGHS        0        6  rl0
    192.168.168.1      192.168.168.1      UH          0        2  lo0
    192.168.168.5      192.168.168.5      UH          0       28  lo0

But I had that same problem with that in place.

I don't want to use IP-over-IP tunnels as I want to be able to service cross-platform tunnels easily. How should I be configuring my routing?

TIA,

- Tillman Hodgson

--
One uses power by grasping it lightly. To grasp with too much force is to be taken over by power, thus becoming its victim.
    - Bene Gesserit Axiom
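As an added example (not part of the original post), the following shows how a LAN-to-LAN ESP tunnel between the two gateways above is expressed on the FreeBSD/KAME side as setkey(8) security policies rather than as routes or a gif interface: in KAME IPsec the SPD decides which packets get tunnel-mode encapsulation, and the encapsulated packet is then forwarded to the remote gateway over the ordinary default route. The addresses are the ones from the message; the script assumes setkey is on the PATH only on the gateway itself and just prints the policies elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses from the thread:
LOCAL_GW=24.72.10.212      # FreeBSD gateway, outside address
REMOTE_GW=24.72.31.206     # FreeSWAN gateway, outside address
LOCAL_NET=192.168.23.0/24  # network behind the FreeBSD gateway
REMOTE_NET=192.168.31.0/24 # network behind the FreeSWAN gateway

# Print the setkey(8) policy file. Outbound LAN-to-LAN traffic must be
# ESP-tunnelled with outer header LOCAL_GW->REMOTE_GW; inbound LAN-to-LAN
# traffic is only accepted if it arrived inside the mirror-image tunnel.
# "require" makes the kernel refuse to send a matching packet in the clear
# when no SA exists (it asks racoon to negotiate one instead).
spd_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec
    esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec
    esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Count the tunnel-mode entries in a policy text read from stdin; a
# working LAN-to-LAN setup needs exactly one per direction.
tunnel_policy_count() {
    grep -c 'esp/tunnel/'
}

# Load the policies on the gateway (setkey -c reads the file from stdin);
# on any other host only show what would be loaded.
if command -v setkey >/dev/null 2>&1; then
    spd_policy | setkey -c
else
    spd_policy
fi
```

With these policies in place no route for 192.168.31.0/24 is needed on the FreeBSD box; `setkey -DP` shows the loaded SPD and `setkey -D` the SAs racoon negotiated.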