Routing problem in IPv4/IPSec VPN environment

James Howard howardjp at well.com
Wed Jun 30 13:29:46 PDT 2004


I sent the following to -questions yesterday and received no
response, so I thought I'd try a more specific venue for this post.

As a personal favor, I am building a VPN for a small business.  I
have chosen FreeBSD for this due to my greater familiarity.  The
project will consist of linking four sites, each with a FreeBSD
system providing DHCP, NAT, and VPN services.  I have built DHCP and
NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete.  The two
machines are named goldengate and waltwhitman.  Here's the IP
config, currently:

  goldengate:  external 192.168.1.101 internal 10.1.1.1
  waltwhitman: external 192.168.1.102 internal 10.1.2.1

The external interfaces are in the reserved space because testing is
taking place behind a cable/DSL router providing NAT services.  The
output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be
provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys.  From goldengate, I
can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.

If a Windows computer is connected behind either system, they
receive an IP (10.1.x.254, where x is the network number).

The problem is, if behind the 10.1.2.1 firewall, I cannot ping
10.1.1.1 and vice-versa.  I assume, at this point, this is some type
of routing issue and not a problem with IPSec.  This seems to be
confirmed by the fact that tracerouting to the local internal interface
goes through the *other* internal interface first:

waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
        ether 00:09:5b:60:e5:08
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active
traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
 1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
 2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are
reversed.  At this point, I have reached the limits of my knowledge.
Any help would be appreciated.

Thank you, James

Notes on the output:  IPv6 info removed from netstat output.  There
is a third interface in WALTWHITMAN which may break off to a DMZ in
the future.  No decision has been made, and none will be for some time.
The interface was given the IP 172.16.1.1.

GOLDENGATE:

goldengate$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
        inet6 fe80::209:5bff:fe62:714e%gif0  prefixlen 64
        physical address inet 192.168.1.101 --> 192.168.1.102
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:71:4e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1<RXCSUM>
        inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
        inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:b0:d0:23:5b:8d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.1.101 --> 192.168.1.102
        inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
10.1.1.254         link#1             UHLW        2    14933   bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1           10.1.1.1           UH          0     2060   gif0
127.0.0.1          127.0.0.1          UH          1       48    lo0
192.168.1          link#2             UC          3        0    xl0
192.168.1.1        00:0c:41:7f:8a:6e  UHLW        4        2    xl0   1042
192.168.1.100      00:30:65:2e:ae:f7  UHLW        0        0    xl0   1100
192.168.1.101      127.0.0.1          UGHS        0        0    lo0
192.168.1.102      00:b0:d0:a1:81:09  UHLW        3    13842    xl0   1054


WALTWHITMAN:

waltwhitman$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
        inet6 fe80::209:5bff:fe62:1ab2%gif0  prefixlen 64
        physical address inet 192.168.1.102 --> 192.168.1.101
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
        inet6 fe80::209:5bff:fe62:1ab2%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:1a:b2
        media: Ethernet autoselect (none)
        status: no carrier
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
        ether 00:09:5b:60:e5:08
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1<RXCSUM>
        inet6 fe80::2b0:d0ff:fea1:8109%xl0 prefixlen 64 scopeid 0x3
        inet 192.168.1.102 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:b0:d0:a1:81:09
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.1.102 --> 192.168.1.101
        inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
        inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64 scopeid 0x7
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        1     1416    xl0
10.1.1/24          10.1.1.1           UGSc        0     9633   gif0
10.1.1.1           10.1.2.1           UH          1     1986   gif0
10.1.2/24          link#2             UC          2        0   bge1
10.1.2.1           00:09:5b:60:e5:08  UHLW        0       14    lo0
10.1.2.254         link#2             UHLW        2      883   bge1
127.0.0.1          127.0.0.1          UH          1       48    lo0
172.16.1/24        link#1             UC          0        0   bge0
192.168.1          link#3             UC          2        0    xl0
192.168.1.1        00:0c:41:7f:8a:6e  UHLW        3        2    xl0    192
192.168.1.101      00:b0:d0:23:5b:8d  UHLW        5    12307    xl0    204
192.168.1.102      127.0.0.1          UGHS        0        0    lo0

--
James P. Howard, II  --  howardjp at vocito.com
http://www.jameshoward.us/  --  202-390-4933
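The routing tables above are the kind of thing a site-to-site tunnel audit should check mechanically: every remote site prefix should be reached through the tunnel interface and the far tunnel endpoint, never through the outside interface or the default route, otherwise traffic for the remote LAN leaves the box in the clear (or is dropped) instead of being carried through IPsec. The following script is an added example and is not part of the original post. It parses the FreeBSD `netstat -rn` format shown above, expands the abbreviated destinations (`10.1.2/24`, `192.168.1`), and reports any remote-site route whose gateway or interface differs from what the design expects. The sample tables are copied from the post; the expected gateway per prefix (the far end of gif0) and the tunnel interface name are assumptions about the intended design, not statements from the post.

```python
"""Audit a FreeBSD ``netstat -rn`` table for site-to-site VPN routing.

Added example (not from the original post).  Assumptions, stated here and
in the lead-in: traffic for a remote site LAN should be routed via the far
tunnel endpoint over the gif interface; the tables below are the two
posted by the author and are used as constructed sample input.
"""
import ipaddress
import re
from dataclasses import dataclass

# Destination, Gateway, Flags, Refs, Use, Netif [Expire]
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)")


@dataclass(frozen=True)
class Route:
    dest: str
    gateway: str
    flags: str
    netif: str


def parse_netstat_rn(text):
    """Return the IPv4 rows of ``netstat -rn`` as Route objects."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:  # header and section titles have no numeric Refs/Use columns
            routes.append(Route(*m.groups()))
    return routes


def expand_dest(dest):
    """Turn FreeBSD's abbreviated destination into an ip_network.

    ``default`` -> 0.0.0.0/0, ``10.1.2/24`` -> 10.1.2.0/24, a bare classful
    prefix such as ``192.168.1`` -> 192.168.1.0/24, and a full address with
    no mask is a host route (/32).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def audit_site_routes(netstat_text, remote_sites, tunnel_if="gif0"):
    """Check each remote prefix in ``remote_sites`` ({prefix: expected_gw}).

    Returns a list of human-readable findings; an empty list means every
    remote site is routed via the expected gateway on the tunnel interface.
    """
    routes = parse_netstat_rn(netstat_text)
    findings = []
    for prefix, want_gw in remote_sites.items():
        want = ipaddress.ip_network(prefix)
        hits = [r for r in routes if expand_dest(r.dest) == want]
        if not hits:
            findings.append(f"{prefix}: no route (falls to default)")
            continue
        r = hits[0]
        if r.netif != tunnel_if or r.gateway != want_gw:
            findings.append(
                f"{prefix}: via {r.gateway} on {r.netif}, "
                f"expected {want_gw} on {tunnel_if}"
            )
    return findings


# Constructed sample input: the two tables from the post (IPv4 rows only).
GOLDENGATE_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
10.1.1.254         link#1             UHLW        2    14933   bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1           10.1.1.1           UH          0     2060   gif0
127.0.0.1          127.0.0.1          UH          1       48    lo0
192.168.1          link#2             UC          3        0    xl0
192.168.1.1        00:0c:41:7f:8a:6e  UHLW        4        2    xl0   1042
192.168.1.102      00:b0:d0:a1:81:09  UHLW        3    13842    xl0   1054
"""

WALTWHITMAN_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        1     1416    xl0
10.1.1/24          10.1.1.1           UGSc        0     9633   gif0
10.1.1.1           10.1.2.1           UH          1     1986   gif0
10.1.2/24          link#2             UC          2        0   bge1
10.1.2.1           00:09:5b:60:e5:08  UHLW        0       14    lo0
172.16.1/24        link#1             UC          0        0   bge0
192.168.1          link#3             UC          2        0    xl0
192.168.1.101      00:b0:d0:23:5b:8d  UHLW        5    12307    xl0    204
"""

if __name__ == "__main__":
    # Assumed design: each box reaches the other LAN via the far gif0 end.
    for name, table, sites in (
        ("goldengate", GOLDENGATE_RN, {"10.1.2.0/24": "10.1.2.1"}),
        ("waltwhitman", WALTWHITMAN_RN, {"10.1.1.0/24": "10.1.1.1"}),
    ):
        print(name, audit_site_routes(table, sites) or "OK")
```

Run against the posted tables, the check is clean for waltwhitman (its `10.1.1/24` entry points at 10.1.1.1 on gif0) and flags goldengate's `10.1.2/24` entry, which carries gateway 10.1.2.0 on the outside interface xl0 rather than the tunnel. The same script can be run after each `route add` on a new site, or from a cron job as a cheap regression check that nothing has knocked a site prefix off the tunnel.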