Date: Wed, 15 Nov 2000 14:49:50 -0700 (MST)
From: Nick Rogness <nick@rapidnet.com>
To: "James E. Quick" <jq@quick.com>
Cc: freebsd-net@freebsd.org
Subject: Re: I need help with IPSEC
Message-ID: <Pine.BSF.4.21.0011151434070.37760-100000@rapidnet.com>
In-Reply-To: <200011151654.eAFGsCC24802@papoose.quick.com>
On Wed, 15 Nov 2000, James E. Quick wrote:

> I am in desperate need of help with IPSEC.
> I have a pair of firewalls configured with:
>     IPSEC
>     IPSEC_ESP
>     IPSEC_DEBUG
>
> I started with an attempt using racoon, then backed off
> to using manually added entries via setkey.
> I do not see anything in racoon output that looks like an
> error.
>
> The remote end of the gateway is a box running 4.1.1-STABLE.
> It has a single public IP address via a cable modem with
> 172.16.1.x addresses behind it.
> My endpoint is running 4.2-BETA and has an ISP provided /30
> subnet externally, with my publicly routable Class C behind.
>
> I note that when I try to reach any 172.16.1 address
> with either form of IPSEC configured I get 'No route to host'
> errors. This suggests that IPSEC is not encapsulating anything.

You know, I have had the same problems. I haven't quite figured out the tunnelling part of IPSEC yet. So what I did, as a workaround, was to add a tunnel interface (gif) and then add IPSEC on top of that in transport mode (tunnel mode still works). See below.

> I would appreciate hearing from anyone who has set up esp
> style tunnels between either 2 FreeBSDs or between FreeBSD and
> anything else.

I used gif interfaces to build a packet tunnel (IPv4 -> IPv4). I then added the appropriate routes for each network, so I could effectively ping across the tunnels. Tested the connection between the 2 using ssh. Everything fine at this point.

I then proceeded to add the IPSEC options in the kernel, like you have above. Added the SAD entries with setkey. Added the SPD policies with setkey also. Verified connectivity. Ran a packet sniffer between the 2 networks, saw packet type ESP. Everything worked OK. It did add about 2->4 ms of latency to a 10BaseT connection, but that seems logical.

> We are both running ipfilt on our ends.
> The remote site is also running simple ipnat configuration.

I have not added NAT into the equation yet.

Nick Rogness - Drive defensively. Buy a tank.
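The recipe Nick describes (gif tunnel and routes first, then manual SAD and SPD entries loaded with setkey), written out as an added example; this is not code from the thread or from FreeBSD itself, and every address, SPI, inner tunnel address and key in it is a constructed placeholder that must be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the thread): emit the gif(4) and setkey(8)
# configuration for the layout Nick describes: an IPv4-in-IPv4 gif tunnel
# between two gateways, with manual ESP SAs in transport mode protecting
# the tunnel packets. Every address, SPI and key here is a constructed
# placeholder; generate real keys with e.g. `openssl rand -hex 16`.

# hex_key_ok KEY NBYTES: succeed only if KEY is 0x-prefixed hex of NBYTES
# bytes. setkey rejects wrong key sizes, so check before loading the SAD.
hex_key_ok() {
    want=$(( $2 * 2 ))
    case $1 in
        0x*) hex=${1#0x} ;;
        *)   return 1 ;;
    esac
    [ ${#hex} -eq "$want" ] || return 1
    case $hex in *[!0-9a-fA-F]*) return 1 ;; esac
}

# gif_setup LOCAL_PUB REMOTE_PUB LOCAL_INNER REMOTE_INNER REMOTE_NET
# Prints the commands that create the tunnel and route the far network
# through it (current ifconfig syntax; FreeBSD 4.x used gifconfig(8)).
gif_setup() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $1 $2
ifconfig gif0 inet $3 $4 netmask 255.255.255.255
route add -net $5 $4
EOF
}

# setkey_conf LOCAL_PUB REMOTE_PUB SPI_OUT SPI_IN ENC_OUT ENC_IN AUTH_OUT AUTH_IN
# Prints a file for `setkey -f`: one ESP SA per direction (AES-CBC plus
# HMAC-SHA1, so packets are authenticated as well as encrypted) and SPD
# entries requiring ESP transport mode for all traffic between the two
# public addresses, which covers the gif-encapsulated inner packets.
setkey_conf() {
    for k in "$5" "$6"; do hex_key_ok "$k" 16 || return 1; done
    for k in "$7" "$8"; do hex_key_ok "$k" 20 || return 1; done
    cat <<EOF
flush;
spdflush;
add $1 $2 esp $3 -E rijndael-cbc $5 -A hmac-sha1 $7;
add $2 $1 esp $4 -E rijndael-cbc $6 -A hmac-sha1 $8;
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}
```

The same two functions run on the peer with the local and remote arguments swapped, and the SPIs and keys must match on both ends or the sniffer will show ESP but nothing will decrypt.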