ARP Problem on VPN Gateway

Company 2210 company2210 at hotmail.com
Mon Jul 28 07:33:23 PDT 2003


Right, I don't know if this is the right place to post, so apologies in
advance if I've got it wrong, but as I've received no response on other
mailing lists, and following a particular set of actions causes the kernel
to panic with a page fault, I presumed this might be the place:

The Setup: (Both Gateways - ROUTER A & ROUTER B use FreeBSD 5.0) - The IKE
Daemon is Racoon. IPSEC/IPSEC_ESP/IPSEC_DEBUG functionality is compiled into
the kernel.


Clients (12.20.78.0/25) <----->(eth0) ROUTER A (eth1)<=======> (eth1) ROUTER
B (eth0) <----> (12.20.65.69) Upstream ISP & Internet

Router A Configuration:

eth0: 12.20.78.1 Subnet 255.255.255.128
eth1: 10.0.0.1 Subnet 255.255.255.0

Router B Configuration:

eth0: 12.20.65.70 Subnet 255.255.255.252
eth1: 10.0.0.2 Subnet 255.255.255.0


The private IPs denote an IPSEC VPN connection (Wireless) between ROUTER A
& B; all the client PCs are on public IPs. Now, the VPN works perfectly,
encrypting the packets over the wireless link, however ROUTER A's eth0
interface does not appear in the arp -a lookup:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

If I try and force the entry, I receive the following error:

routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
set: can only proxy for 12.20.78.1

The big problem this is causing is that clients cannot ping the gateway, and
it responds to no requests (i.e. I can't ssh into it), but it still forwards
packets perfectly. Basically it's like 12.20.78.1 was invisible. The other
strange thing is that if I ssh into ROUTER B and ping 12.20.78.1 I receive
replies:

routerb# ping 12.20.78.1
PING 12.20.78.1 (12.20.78.1): 56 data bytes
64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
^C
--- 12.20.78.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms


The output of ROUTER B's arp table is displayed below:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]


The output from setkey -DP (for encrypting the packets across the 10.0.0.x
link) on each router:

ROUTER A:

0.0.0.0/0[any] 12.20.78.0/25[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=2 seq=1 pid=778
        refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=1 seq=0 pid=778
        refcnt=1

ROUTER B:

12.20.78.0/25[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=8 seq=1 pid=24377
        refcnt=1
0.0.0.0/0[any] 12.20.78.0/25[any] any
        out ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=7 seq=0 pid=24377
        refcnt=1


Now, the next logical step was, in my mind, to reboot ROUTER A, comment out
the ipsec.conf so no SPD policies are loaded, and force the arp entry before
configuring the gif0 VPN tunnel. I took these steps (gif0 has only its
internal IPs configured - 10.0.0.1->10.0.0.2 - external IPs are not
configured):

Steps on ROUTER A:

arp -S 12.20.78.1 00:05:5d:a6:15:78 pub permanent
ifconfig gif0 12.20.78.1 12.20.65.70 netmask 255.255.255.252

Kernel Panic.

Any ideas?

Many Thanks


Colin
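Two of the observations in the post above lend themselves to a mechanical check: whether every interface address on a gateway has a permanent entry in its own `arp -a` table, and whether the `setkey -DP` dumps on the two tunnel endpoints mirror each other (each `out ipsec` policy on one side matched by an `in ipsec` policy with the same selectors and tunnel endpoints on the peer). The following Python is an added example written for this page; it is not part of Colin's post and not a FreeBSD tool. The function names (`parse_arp`, `missing_self_entries`, `parse_spd`, `spd_mismatches`) and the interface map are assumptions; the sample `arp -a` and `setkey -DP` text is copied from the post.

```python
import re

# Sample output copied from the post (ROUTER A's arp -a and both SPD dumps).
ARP_A = """\
? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
"""
SPD_A = """\
0.0.0.0/0[any] 12.20.78.0/25[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=2 seq=1 pid=778
        refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=1 seq=0 pid=778
        refcnt=1
"""
SPD_B = """\
12.20.78.0/25[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=8 seq=1 pid=24377
        refcnt=1
0.0.0.0/0[any] 12.20.78.0/25[any] any
        out ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=7 seq=0 pid=24377
        refcnt=1
"""
# Assumed interface map for ROUTER A, taken from the configuration in the post.
IFACES_A = {"eth0": "12.20.78.1", "eth1": "10.0.0.1"}

ARP_RE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\))"
                    r" on (?P<iface>\w+)(?P<flags>.*)$")
SPD_HEAD_RE = re.compile(r"^(?P<src>\S+)\[(?P<sport>\w+)\] (?P<dst>\S+)\[(?P<dport>\w+)\] (?P<proto>\S+)$")
TUNNEL_RE = re.compile(r"^esp/tunnel/(?P<local>[\d.]+)-(?P<remote>[\d.]+)/(?P<level>\w+)$")


def parse_arp(text):
    """Parse FreeBSD 'arp -a' lines into dicts (ip, mac, iface, permanent)."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"], "iface": m["iface"],
                            "permanent": "permanent" in m["flags"]})
    return entries


def missing_self_entries(arp_text, interfaces):
    """Return 'iface:ip' for each local address lacking a permanent ARP entry."""
    perm = {(e["iface"], e["ip"]) for e in parse_arp(arp_text) if e["permanent"]}
    return sorted(f"{ifc}:{ip}" for ifc, ip in interfaces.items() if (ifc, ip) not in perm)


def parse_spd(text):
    """Parse 'setkey -DP' output: an unindented selector line followed by
    indented direction/action, tunnel, spid and refcnt lines."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            m = SPD_HEAD_RE.match(line)
            cur = None
            if m:
                cur = {"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "dir": None, "action": None, "tunnel": None}
                policies.append(cur)
        elif cur is not None:
            if line.startswith(("in ", "out ")):
                cur["dir"], cur["action"] = line.split(None, 1)
            elif line.startswith("esp/tunnel/"):
                t = TUNNEL_RE.match(line)
                if t:
                    cur["tunnel"] = (t["local"], t["remote"], t["level"])
    return policies


def spd_mismatches(spd_a, spd_b):
    """Every 'out ipsec' policy on one gateway must have an 'in ipsec' twin on
    the peer with identical selectors, protocol and tunnel endpoints."""
    def key(p):
        return (p["src"], p["dst"], p["proto"], p["tunnel"])
    problems = []
    for name, mine, peer in (("A", spd_a, spd_b), ("B", spd_b, spd_a)):
        peer_in = {key(p) for p in parse_spd(peer) if p["dir"] == "in" and p["action"] == "ipsec"}
        for p in parse_spd(mine):
            if p["dir"] == "out" and p["action"] == "ipsec" and key(p) not in peer_in:
                problems.append(f"{name}: out policy {p['src']}->{p['dst']} has no mirror on peer")
    return problems


if __name__ == "__main__":
    print("missing self entries on A:", missing_self_entries(ARP_A, IFACES_A))
    print("SPD mismatches:", spd_mismatches(SPD_A, SPD_B))
```

Run against the post's data, the ARP check reports `eth0:12.20.78.1` (the very entry the post says is absent) while the SPD check reports no mismatches, which is consistent with the observation that the tunnel itself forwards fine: the symptom is on the local-address side, not in the policy pairing.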

