From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: alexus
Date: Tue, 3 Jun 2008 16:37:59 +0300
Subject: Re: VPN (IPSEC)
Message-Id: <200806031638.00027.nvass@teledomenet.gr>
In-Reply-To: <6ae50c2d0805311649p14863af3y43af39fb4aa2cc8a@mail.gmail.com>

On Sunday 01 June 2008 02:49:22 alexus wrote:
> Hello,
>
> I'm trying to establish a VPN tunnel over the internet. I read
> http://www.freebsd.org/doc/en/books/handbook/ipsec.html on how to set
> it up; I'm somewhat struggling with whether my setup will work at all.
>
> I have box #1 that has 1 primary IP, which is a private IP, but in front
> of my box I have a device that translates a public IP address into the
> private IP, so "technically" it's a public IP, not a private one, yet the
> system sees it as private. My box #2 has an interface with a real public IP
> and another interface with a private IP. I created a gif0 interface, yet I
> can't ping the private range on the other box.
>
>
> box#1
>
> fxp0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:0f:fe:aa:f4:61
>         inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=108810 metric 0 mtu 1500
> lo0: flags=8049 metric 0 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> gif0: flags=8051 metric 0 mtu 1280
>         tunnel inet 38.96.123.42 --> 74.2.252.194
>         inet 192.168.1.251 --> 192.168.2.252 netmask 0xffffffff

You said that the router in front of box#1 is willing to NAT your
rfc1918 address to a "public" one. Yet, you seem to have configured
gif0 with your exterior peer address 38.96.123.42, which is not your
address, but seems like the "public" one.

Example configuration:

box#1 ifconfig fxp0 1.1.1.1
box#2 ifconfig fxp0 2.2.2.2

## let's set up the endpoints of the tunnel
box#1 ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
box#2 ifconfig gif0 tunnel 2.2.2.2 1.1.1.1

## let's set up the interior addresses
box#1 ifconfig gif0 10.234.78.1 10.234.78.2 netmask 255.255.255.255
box#2 ifconfig gif0 10.234.78.2 10.234.78.1 netmask 255.255.255.255

You should be able to ping the remote peer addresses at this time.

box#1 ping 10.234.78.2

Set up some routes and it will be fine.

Nevertheless, in case it doesn't, be sure that the NAT device:
1) is willing to NAT IPIP and
2) will do 1:1 NAT

HTH, Nikos
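The misconfiguration Nikos points out, a gif0 outer source address that is the NAT device's public address rather than an address actually present on the host's own interface, can be caught mechanically before anyone starts debugging the IPsec side. The script below is an added example and is not part of either message in this thread; the ifconfig output it parses is constructed to mirror the one alexus posted (flag names omitted as in the original), and the function names are mine.

```sh
#!/bin/sh
# Added example: verify that a gif tunnel's outer source address is one the
# host itself owns. Behind a NAT device the outer source must be the host's
# own (RFC 1918) address; the NAT device rewrites it on the way out.

# Constructed ifconfig output modelled on the post. gif0 wrongly uses the
# NAT device's public address 38.96.123.42 as its tunnel source.
BAD_CFG='fxp0: flags=8843 metric 0 mtu 1500
        inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
        inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 38.96.123.42 --> 74.2.252.194
        inet 192.168.1.251 --> 192.168.2.252 netmask 0xffffffff'

# Constructed: same host with the tunnel source set to the address fxp0 has.
GOOD_CFG='fxp0: flags=8843 metric 0 mtu 1500
        inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 192.168.1.251 --> 74.2.252.194
        inet 192.168.1.251 --> 192.168.2.252 netmask 0xffffffff'

# local_tunnel_src OUTPUT: print the outer source address of gif0.
# Interface headers start in column 0; their address lines are indented.
local_tunnel_src() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { ingif = ($0 ~ /^gif0:/) }
        ingif && $1 == "tunnel" { print $3; exit }'
}

# host_addrs OUTPUT: print every IPv4 address on the non-tunnel interfaces.
host_addrs() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { ingif = ($0 ~ /^gif/) }
        !ingif && $1 == "inet" { print $2 }'
}

# check_tunnel_src OUTPUT: return 0 when the tunnel source is an address
# configured on this host, 1 when it is not (e.g. the NAT box's public IP).
check_tunnel_src() {
    src=$(local_tunnel_src "$1")
    [ -n "$src" ] || return 1
    for a in $(host_addrs "$1"); do
        [ "$a" = "$src" ] && return 0
    done
    return 1
}

# report NAME OUTPUT: human-readable verdict for one configuration.
report() {
    if check_tunnel_src "$2"; then
        echo "$1: tunnel source $(local_tunnel_src "$2") is a local address"
    else
        echo "$1: tunnel source $(local_tunnel_src "$2") is not configured on this host"
    fi
}

# Stand-alone run over both constructed configurations.
report BAD_CFG "$BAD_CFG"
report GOOD_CFG "$GOOD_CFG"
```

On a live box the two constants would be replaced by the output of `ifconfig -a`; the check only covers the source-address mistake, not the two NAT-device properties (IPIP forwarding and 1:1 mapping) that Nikos lists, which have to be confirmed on the NAT device itself.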