Date: Thu, 22 Aug 2002 21:02:52 +0200 (CEST)
From: stable22aug02@oldach.net (Helge Oldach)
To: maikel@ladot.com (Maikel Verheijen)
Cc: stable@FreeBSD.ORG
Subject: Re: Racoon ipsec to multiple VLAN's behind a cisco PIX question
Message-ID: <200208221902.g7MJ2qpc027047@sep.oldach.net>
In-Reply-To: <410777FC7A66D511911500B0D0783455013CF285@nlladot05.intern.ladot.com> from Maikel Verheijen at "Aug 22, 2002 1:52:38 pm"
Maikel Verheijen:
> I have a VPN connection running from my (home) freebsd gateway, to our
> company Cisco PIX firewall.
>
> My network setup is as follows:
>
> 10.0.0.x/24 - [Freebsd] -- { inet cloud } -- [Pix] - 10.31.0.0 / 16 -
> [router] - 172.31.0.0 /16
>
> I can make a vpn connection from my freebsd box to the pix, but I can ONLY
> connect to 1 of the 2 subnets. If my connection to the 172.31.0.0/16 network
> is set up (using a policy), I cannot connect to the 10.31.0.0/16 network,
> and vice-versa. If I put in a policy for BOTH subnets, only one will become
> active, and I cannot connect to the other subnet.
I have a similar setup active, though for several remote subnets. I am
using a global policy, i.e. I am routing any destination address that
isn't local to the company. For example:
    10.0.0.0/24[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/194.5.5.5-194.4.4.4/unique#16385
        spid=1 seq=0 pid=26902
        refcnt=1
    0.0.0.0/0[any] 10.0.0.0/24[any] any
        in ipsec
        esp/tunnel/194.4.4.4-194.5.5.5/unique#16386
        spid=2 seq=1 pid=26902
        refcnt=1
The racoon config is correspondingly:

    listen
    {
        isakmp 194.5.5.5 [500];
    }

    remote 194.4.4.4
    {
        ...
    }

    sainfo address 10.0.0.0/24 any address 0.0.0.0/0 any
    {
        ...
    }

This works perfectly.
> We tried using "multiple" tunnels (on both the PIX and the FreeBSD box), and
> using a route for the 172.31.0.0/16 range over the 10.31.0.0/16 vlan.
I don't understand what you mean by "multiple" tunnels. IPsec tunnels
(correctly: security associations) are unidirectional, so you already
have two of them with the global policy above (one for either
direction). You can of course further divide the policy and create
additional SAs, e.g.
    10.31.0.0/16[any] 10.0.0.0/24[any] any
    10.0.0.0/24[any] 10.31.0.0/16[any] any
    172.31.0.0/16[any] 10.0.0.0/24[any] any
    10.0.0.0/24[any] 172.31.0.0/16[any] any

I haven't tested such a setup; however, I am quite sure that it will work
as well.
My FreeBSD setup works against an IOS router and not against a PIX,
however the code base for IOS and PIX is very close, as is the
configuration.
If this doesn't help, can you please provide your configuration files
via private email?
Helge
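
As an added example that is not part of Helge's mail, the racoon project or
the PIX/IOS configuration discussed above: a small POSIX sh script that
generates the setkey SPD entries and the matching racoon.conf sainfo stanzas
for one local LAN behind the FreeBSD gateway and any number of remote
subnets behind a single IPsec peer. It prints two spdadd lines per remote
subnet (one "out", one "in") because policies and SAs are unidirectional,
which is the point Helge makes: the global 0.0.0.0/0 policy needs two
entries in total, the split policy for Maikel's two subnets needs four. The
outer addresses 194.5.5.5/194.4.4.4 are taken from Helge's dump and the
subnets from Maikel's diagram; the policy level "require" (Helge's dump shows
"unique", which pins one SA pair per policy) and the phase-2 algorithm
choices in the sainfo block are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the mail thread: generate setkey SPD entries and
# racoon sainfo stanzas for several remote subnets behind one IPsec peer.
# Addresses come from the thread; LEVEL and the phase-2 algorithms below
# are assumptions.

LOCAL_NET="10.0.0.0/24"   # LAN behind the FreeBSD box (Maikel's diagram)
LOCAL_GW="194.5.5.5"      # FreeBSD outer address (Helge's dump)
REMOTE_GW="194.4.4.4"     # PIX/IOS outer address (Helge's dump)
LEVEL="require"           # assumption; Helge's dump uses "unique"

# spd_entries NET... : print one "out" and one "in" spdadd line per remote
# NET. Two lines per subnet because SPD policies (and SAs) are unidirectional.
spd_entries() {
    for net in "$@"; do
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/%s;\n' \
            "$LOCAL_NET" "$net" "$LOCAL_GW" "$REMOTE_GW" "$LEVEL"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/%s;\n' \
            "$net" "$LOCAL_NET" "$REMOTE_GW" "$LOCAL_GW" "$LEVEL"
    done
}

# sainfo_entries NET... : print one racoon sainfo block per remote NET.
# One sainfo per subnet pair is enough; racoon negotiates both directions.
# Algorithm choices are an assumption for illustration.
sainfo_entries() {
    for net in "$@"; do
        cat <<EOF
sainfo address $LOCAL_NET any address $net any
{
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
    done
}

# spd_count NET... : number of SPD entries the given subnets would need.
# 0.0.0.0/0 alone gives 2 (Helge's global policy); two subnets give 4.
spd_count() { spd_entries "$@" | wc -l | tr -d ' '; }

case "${1:-}" in
    spd)    shift; spd_entries "$@" ;;    # sh mkpolicy.sh spd 10.31.0.0/16 172.31.0.0/16 | setkey -c
    racoon) shift; sainfo_entries "$@" ;; # sh mkpolicy.sh racoon 10.31.0.0/16 172.31.0.0/16 >> racoon.conf
esac
```

Run it as "sh mkpolicy.sh spd 0.0.0.0/0" to reproduce Helge's two-entry global
policy, or with the two company subnets to get the four split entries he
lists; "spd_count" makes the difference visible before anything is loaded
into the kernel. The script only prints, so nothing is applied until its
output is piped into setkey or appended to racoon.conf.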
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208221902.g7MJ2qpc027047>
