Date:      Sat, 28 Sep 2002 09:54:11 -0700
From:      "Ian Cartwright" <ian351c@cox.net>
To:        <freebsd-hackers@freebsd.org>
Subject:   VPN Routing through gif (4) tunnel
Message-ID:  <003b01c2670f$ab21bac0$6600a8c0@iansxp>

Greetings:

I am trying to construct a "B2B" mode VPN tunnel between my house and my
work using FreeBSD. My work uses Checkpoint VPN-1 and I have a FreeBSD
firewall that is running ipfilter to do firewall/NAT duties. I have so
far been successful in creating a tunnel between the FreeBSD box and my
work VPN server using /usr/ports/security/racoon, gif (4), and the IPSEC
kernel module. I am able to establish a tunnel and pass packets from my
FreeBSD firewall to my work network. I have not been able to pass
packets from the rest of my home network to my work over the VPN tunnel.
The packets seem to never make it into the tunnel, and also do not pass
out to the Internet via my firewall.

Here is my current configuration (IPs changed to protect the guilty):

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:c9ff:fe5c:c37b%fxp0 prefixlen 64 scopeid 0x1
        inet 100.100.100.1 netmask 0xffffff00 broadcast 68.3.250.255
        ether 00:a0:c9:5c:c3:7b
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::2a0:c9ff:fe76:4764%fxp1 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:76:47:64
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 68.3.250.5 --> 199.64.13.20
        inet6 fe80::2a0:c9ff:fe5c:c37b%gif0 prefixlen 64 scopeid 0x5
        inet 192.168.0.1 --> 200.200.200.1 netmask 0xffffff00

fxp0 is my external network adapter, connected to the Internet and
assigned "100.100.100.1" by my ISP. gif0 is the tunnel adapter and ties
my network to my work's network. The ip 200.200.200.1 is the inside
interface of my work's VPN server.

The commands used to create the gif tunnel are as follows:

    ifconfig gif0 create tunnel 100.100.100.1 200.200.201.1
    ifconfig gif0 inet 192.168.0.1 200.200.200.1 netmask 255.255.255.0

100.100.100.1 is my external address again
200.200.201.1 is the external interface on my work's VPN server
200.200.200.1 is the internal interface on my work's VPN server again

As you can see, I am using the same IP for my internal interface on my
firewall (fxp1) as I am for the local termination of the gif tunnel. I
have also tried using a different IP address with the same results. As
far as I can tell, the routing is set up correctly with all routes to my
work's network pointing at the gif tunnel (either 192.168.0.1 or
192.168.0.2 depending on my configuration).

I guess my main questions are: why aren't packets from my inside network
entering the gif tunnel? Why is it that only packets that originate on
the firewall itself seem to enter the gif tunnel? Is this fixable? If so
how?

Cheers,

Ian Cartwright
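One check that bears on the question above: with gif(4) plus IPsec, a route pointing at gif0 is not enough, the packet must also match an outbound security policy whose selectors cover its source address, and a policy written only for the firewall's own address produces exactly the symptom described (firewall traffic enters the tunnel, LAN traffic does not). This added example is not from Ian's post and not FreeBSD's code; it models the SPD lookup in Python and assumes, since the post does not show them, that the setkey(8) policies resemble the two constructed ones in the block.

```python
"""Added example (not from the post): a model of the IPsec SPD selector
lookup that decides whether an outbound packet is wrapped for the tunnel.
The SPD contents are assumed; the addresses are the ones the post uses."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network   # packet-source selector
    dst: ipaddress.IPv4Network   # packet-destination selector
    tunnel_ends: tuple           # (local gateway, remote gateway)


def matching_policy(spd, src_ip, dst_ip):
    """First SPD entry whose selectors cover the flow, or None (first match,
    as in the kernel lookup). None means the packet never enters the tunnel;
    it leaves in the clear or is dropped by the firewall rules."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry
    return None


def uncovered_hosts(spd, lan, dst_ip):
    """LAN hosts whose traffic to dst_ip matches no policy at all."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if matching_policy(spd, str(h), dst_ip) is None]


def spdadd_line(entry, direction="out"):
    """Render an entry as a setkey(8) spdadd statement (KAME syntax)."""
    local, remote = entry.tunnel_ends
    return (f"spdadd {entry.src} {entry.dst} any -P {direction} ipsec "
            f"esp/tunnel/{local}-{remote}/require;")


GATEWAYS = ("100.100.100.1", "200.200.201.1")   # tunnel endpoints from the post
WORK_NET = ipaddress.ip_network("200.200.200.0/24")
# Constructed: source selector is only the firewall's own LAN address.
HOST_ONLY_SPD = [SpdEntry(ipaddress.ip_network("192.168.0.1/32"), WORK_NET, GATEWAYS)]
# Constructed: source selector covers the whole home LAN.
LAN_SPD = [SpdEntry(ipaddress.ip_network("192.168.0.0/24"), WORK_NET, GATEWAYS)]

if __name__ == "__main__":
    for name, spd in (("host-only", HOST_ONLY_SPD), ("lan-wide", LAN_SPD)):
        missing = uncovered_hosts(spd, "192.168.0.0/24", "200.200.200.1")
        print(f"{name}: {len(missing)} LAN hosts uncovered; {spdadd_line(spd[0])}")
```

On the real box the equivalent check is comparing `setkey -DP` output against the LAN prefix rather than running this model.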
