Date:      Tue, 06 Nov 2001 13:01:08 -0800
From:      Lars Eggert <larse@ISI.EDU>
To:        Erik Norvelle <norvelle@Ag.arizona.edu>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: 4.4-CURRENT problems getting IPSec to function
Message-ID:  <3BE84F94.1060304@isi.edu>
References:  <JOENJHIIFAGEJMMJCHKFMEAGCDAA.norvelle@ag.arizona.edu>

Erik Norvelle wrote:

> My setup is as follows:
> 
> Network #1 (192.168.1.0/24)
>             |
>             |
> Gateway #1 (inner interface [xl0] = 192.168.1.1)
>            (outer interface [fxp0] = xxx.yyy.40.122)
>             |
>             |
>         (internet)
>             |
>             |
> Gateway #2 (outer interface [fxp0] = xxx.yyy.40.135)
>            (inner interface [xl0] = 10.20.0.1)
>             |
>             |
> Network #2 (10.20.0.0/24)
> 
> The result of my setup is that I get the gif0 interface created and
> configured properly (in tunnel mode, using ESP), and I setup my policy
> database using setkey.


You want to use *either* IPIP tunnels (i.e. gif interfaces) and IPsec 
transport mode *or* IPsec tunnel mode. Don't mix them. I'd recommend 
using the former.

If you use IPIP + IPsec transport, you will need to set up routes so 
that traffic for the remote network is routed into the tunnel. If you 
use IPsec tunnel mode, the SAs will do the encapsulation for you.

Also see http://www.isi.edu/~touch/pubs/draft-touch-ipsec-vpn-01.txt 
(expired, -02 is in preparation for the next IETF).


> netstat -sn reveals that there is some UDP key exchange traffic going on
> (at least, once I start racoon).  However, there is *no* ESP traffic --
> all the counters are zero.


If you use racoon, you should read the KAME IMPLEMENTATION file on how 
to use IKE with IPIP tunnels and IPsec.


> * Installed and setup IPFILTER and IPNAT.  These are working great on
> their own, however there may be conflicts with IPSec that are caused by
> how I have filtering/NAT setup.  IPFILTER is set up to allow ISAKMP
> traffic,


I'd recommend doing this step by step. The first step would be to get IPsec working between your gateways. Once that works, I'd go on and set up NAT. Doing both at the same time means you have many variables in your setup.


Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
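The two layouts Lars contrasts above (gif(4) IPIP tunnel plus IPsec transport mode, where you add the route yourself, versus IPsec tunnel mode, where the SA does the encapsulation), as an added example that is not part of the original thread: a small POSIX sh generator that emits one layout or the other and refuses anything else, so the two are never mixed on one gateway. The gateway addresses used in the demo are constructed placeholders standing in for the poster's xxx.yyy.40.122 / xxx.yyy.40.135; gifconfig(8) is the FreeBSD 4.x-era command (later releases use `ifconfig gif0 tunnel`); the function name and argument order are my own, and only security policies (spdadd) are emitted because racoon/IKE negotiates the SAs.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the configuration for
# exactly one of the two sane layouts: "transport" (gif IPIP tunnel protected
# by IPsec transport mode) or "tunnel" (IPsec tunnel-mode SAs, no gif).
#
# usage: ipsec_policy MODE LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER LOCAL_NET REMOTE_NET
ipsec_policy() {
    mode=$1; lo=$2; ro=$3; li=$4; ri=$5; ln=$6; rn=$7
    case "$mode" in
    transport)
        # Option A: the gif interface carries the inner traffic as IP-in-IP
        # (protocol "ipencap", number 4). IPsec transport mode protects those
        # outer packets. Nothing routes into gif0 by itself, so the route to
        # the remote network is part of the configuration.
        printf 'gifconfig gif0 %s %s\n' "$lo" "$ro"          # FreeBSD 4.x; later: ifconfig gif0 tunnel
        printf 'ifconfig gif0 %s %s netmask 255.255.255.255\n' "$li" "$ri"
        printf 'route add -net %s %s\n' "$rn" "$ri"
        printf 'setkey -c <<EOF\n'
        printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$lo" "$ro"
        printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$ro" "$lo"
        printf 'EOF\n'
        ;;
    tunnel)
        # Option B: no gif interface. The policy matches the inner networks
        # and the tunnel endpoints named in the SP do the encapsulation.
        printf 'setkey -c <<EOF\n'
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$ln" "$rn" "$lo" "$ro"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$rn" "$ln" "$ro" "$lo"
        printf 'EOF\n'
        ;;
    *)
        # Anything else (including an attempt to ask for both) is rejected.
        echo "ipsec_policy: MODE must be transport or tunnel, got '$mode'" >&2
        return 1
        ;;
    esac
}

# Demo with constructed placeholder addresses (gateway #1's view of the
# poster's topology: 192.168.1.0/24 behind it, 10.20.0.0/24 on the far side).
echo '# --- Option A: gif + transport mode ---'
ipsec_policy transport 198.51.100.122 198.51.100.135 192.168.1.1 10.20.0.1 192.168.1.0/24 10.20.0.0/24
echo '# --- Option B: tunnel mode ---'
ipsec_policy tunnel 198.51.100.122 198.51.100.135 192.168.1.1 10.20.0.1 192.168.1.0/24 10.20.0.0/24
```

Run the generated lines on each gateway with the local/remote arguments swapped; on gateway #2 the "out" policy then names 10.20.0.0/24 as the source. Remember that these are policies only: with racoon running, the matching SAs appear once the first packet hits the policy and IKE completes, which is also the point at which the ESP counters in `netstat -sn` stop reading zero.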