From: "Ian Cartwright" <ian351c@cox.net>
To: freebsd-hackers@freebsd.org
Subject: VPN Routing through gif (4) tunnel
Date: Sat, 28 Sep 2002 09:54:11 -0700

Greetings:

I am trying to construct a "B2B" mode VPN tunnel between my house and my work using FreeBSD. My work uses Checkpoint VPN-1 and I have a FreeBSD firewall that is running ipfilter to do firewall/NAT duties. I have so far been successful in creating a tunnel between the FreeBSD box and my work VPN server using /usr/ports/security/racoon, gif (4), and the IPSEC kernel module. I am able to establish a tunnel and pass packets from my FreeBSD firewall to my work network. I have not been able to pass packets from the rest of my home network to my work over the VPN tunnel. The packets seem to never make it into the tunnel, and also do not pass out to the Internet via my firewall.

Here is my current configuration (IPs changed to protect the guilty):

    fxp0: flags=8843 mtu 1500
            inet6 fe80::2a0:c9ff:fe5c:c37b%fxp0 prefixlen 64 scopeid 0x1
            inet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
            ether 00:a0:c9:5c:c3:7b
            media: Ethernet autoselect (10baseT/UTP)
            status: active
    fxp1: flags=8843 mtu 1500
            inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
            inet6 fe80::2a0:c9ff:fe76:4764%fxp1 prefixlen 64 scopeid 0x2
            ether 00:a0:c9:76:47:64
            media: Ethernet autoselect (100baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002 mtu 1500
    gif0: flags=8051 mtu 1280
            tunnel inet 68.3.250.5 --> 199.64.13.20
            inet6 fe80::2a0:c9ff:fe5c:c37b%gif0 prefixlen 64 scopeid 0x5
            inet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00

fxp0 is my external network adapter, connected to the Internet and assigned "100.100.100.1" by my ISP. gif0 is the tunnel adapter and ties my network to my work's network. The IP 200.200.200.1 is the inside interface of my work's VPN server.

The commands used to create the gif tunnel are as follows:

    ifconfig gif0 create tunnel 100.100.100.1 200.200.201.1
    ifconfig gif0 inet 192.168.0.1 200.200.200.1 netmask 255.255.255.0

100.100.100.1 is my external address again, 200.200.201.1 is the external interface on my work's VPN server, and 200.200.200.1 is the internal interface on my work's VPN server again.

As you can see, I am using the same IP for my internal interface on my firewall (fxp1) as I am for the local termination of the gif tunnel. I have also tried using a different IP address with the same results. As far as I can tell, the routing is set up correctly with all routes to my work's network pointing at the gif tunnel (either 192.168.0.1 or 192.168.0.2 depending on my configuration).

I guess my main questions are: why aren't packets from my inside network entering the gif tunnel? Why is it that only packets that originate on the firewall itself seem to enter the gif tunnel? Is this fixable? If so, how?

Cheers,
Ian Cartwright
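As an added example (not part of Ian's post or of FreeBSD), a small checker that parses the BSD-style ifconfig output quoted above and flags two things a reviewer of a gif(4) setup would want to confirm before chasing routing: that the outer tunnel source is an address actually bound on the external interface, and that the inner tunnel address is not shared with another interface (the point Ian raises about fxp1). The sample input is constructed from the post's own output, with the inet6 lines dropped for brevity; because the post's ifconfig output and its ifconfig commands use different placeholder addresses, the first check fires on it.

```python
import re

# Constructed sample: the ifconfig output from the post, one field per line,
# inet6 lines omitted. Addresses are the post's own placeholder values.
IFCONFIG_OUTPUT = """\
fxp0: flags=8843 mtu 1500
\tinet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
fxp1: flags=8843 mtu 1500
\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
lo0: flags=8049 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
gif0: flags=8051 mtu 1280
\ttunnel inet 68.3.250.5 --> 199.64.13.20
\tinet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00
"""

def parse_ifconfig(text):
    """Map each interface name to its IPv4 addresses, outer tunnel endpoints
    (gif 'tunnel inet A --> B') and inner point-to-point pairs ('inet A --> B')."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:  # interface header starts a new record
            cur = m.group(1)
            ifaces[cur] = {"inet": [], "tunnel": None, "ptp": []}
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"tunnel inet (\S+) --> (\S+)", s):
            ifaces[cur]["tunnel"] = (m.group(1), m.group(2))
        elif m := re.match(r"inet (\S+) --> (\S+)", s):
            ifaces[cur]["ptp"].append((m.group(1), m.group(2)))
            ifaces[cur]["inet"].append(m.group(1))
        elif m := re.match(r"inet (\S+) ", s):
            ifaces[cur]["inet"].append(m.group(1))
    return ifaces

def check_gif(ifaces, gif="gif0", outer="fxp0"):
    """Return a list of human-readable findings; empty means nothing to question."""
    findings, g = [], ifaces[gif]
    # Outer source must be an address bound on the external interface, or the
    # encapsulated packets leave with a source the ISP may not accept.
    if g["tunnel"] and g["tunnel"][0] not in ifaces[outer]["inet"]:
        findings.append(f"{gif} outer source {g['tunnel'][0]} is not bound on {outer}")
    # Inner tunnel address reused on another interface is worth a second look.
    for local, _remote in g["ptp"]:
        for name, info in ifaces.items():
            if name != gif and local in info["inet"]:
                findings.append(f"{gif} inner address {local} is also the address of {name}")
    return findings
```

Run `check_gif(parse_ifconfig(IFCONFIG_OUTPUT))` against real `ifconfig -a` output saved to a file to get the same two findings for your own box.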