routing gif0 ipsec

Jille jille at quis.cx
Mon Apr 28 18:26:31 UTC 2008 

Hello Nicolas,

Would you mind stopping to send your (same) email to all mailinglists, 
twice or more ?
I've seen your problem in 7 mails already,
I don't know a solution, but as you can see most people don't know it.
It doesn't help resending it each time.

I'm sorry for acting like a list-operator, but I think I speak for more 
people on the lists.

-- Jille


Nicolas de Bari Embriz Garcia Rojas schreef:
> Hi all, I am trying to all trafic from a gif0 interface used for a vpn 
> to an public IP on the same server that is like an alias
> 
> I have the following schema (FreeBSD 6.3)
> 
> 
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>      tunnel inet 67.228.79.224 --> 74.86.163.16
>      inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
> 
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>      options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>      inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
>      inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
> 
> 
> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet 
> to 172.16.16.1 and get a response.
> 
> The jail is running on IP 67.228.79.224 (same IP used for doing the 
> VPN/IPSEC) but if I log int to that jail (jexec 1 csh) I can not ping 
> 172.16.16.1
> 
> currently I  am trying this with pf
> -- 
> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
> 
> pass in log from any to any keep state
> pass out log from any to any keep state
> -- 
> but is not working, from the jail (67.228.79.224) I can not ping/telnet 
> the VPN 172.16.16.1
> 
> there is a tool call jumpgate with the one I can redirect incoming tcp 
> to gif0 and forward trafic to em1 with out problems, but instead I would 
> like to use pf
> 
> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
> 
> with this i can telnet from the other end point to por 80 and i can 
> forward the connection to the public IP of the jail through the vpn tunnel.
> 
> any ideas on how to solve this issue using pf or maybe some routing rules.
> 
> regards.
> 
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-jail mailing list