Problem with Racoon/IPSec/Setkey - Routing to/from multiple networks
Jamie Heckford
jamie at tridentmicrosystems.co.uk
Mon Nov 17 07:47:16 PST 2003
Hi,

Seem to be having a strange problem routing to some of our nets over here using setkey and racoon. Setkey adds all of the below lines fine, and racoon doesn't complain.

However, I can only route to the network that I initiate the connection to/from first... For example:

If I ping 192.168.100.254 from 192.168.102.254 then the tunnel is established after a couple of seconds and it works fine. I can then ping any other 192.168.0.0/16 address as this is what the setkey entry is for. If I then try and ping 194.207.93.254 then I get no response in either direction.

However, if I restart racoon and ping 194.207.93.254 first, it works fine... But then 192.168.100.254 does not!

Could anyone shed any light on why this is happening? Do I need to do it slightly differently if I am specifying multiple policies with setkey?

Any help would be greatly appreciated... Config file and version info below (router at 192.168.102.254 is a Cisco 827 ADSL)
FreeBSD 4.9-RELEASE #0: Tue Nov 4 14:10:37 GMT 2003

Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame.net
Nov 17 12:57:11 perry-gw-vpn1 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
#!/bin/sh
####################################################################
# Local site (this gateway)
LOCAL_NETWORK=194.207.93.0/24
ALLNET_1=192.168.0.0/16
LOCAL_INSIDE=194.207.93.251
LOCAL_OUTSIDE=81.3.89.53
# Remote site: St Just
STJUST_NETWORK=192.168.106.0/24
STJUST_INSIDE=192.168.106.254
STJUST_OUTSIDE=81.17.79.72
# Remote site: Benelux
BENELUX_NETWORK=192.168.102.0/24
BENELUX_INSIDE=192.168.102.254
BENELUX_OUTSIDE=80.126.6.130
####################################################################

# Start the IKE daemon; it negotiates SAs on demand for the policies below
/usr/local/sbin/racoon

# ST JUST: gif tunnel between the outside addresses, point-to-point inside
# addresses on it, and a route for the remote net via the far inside address
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${STJUST_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${STJUST_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${STJUST_NETWORK} ${STJUST_INSIDE}

# BENELUX: same layout on gif1
/sbin/ifconfig gif1 destroy
/sbin/ifconfig gif1 create
/sbin/ifconfig gif1 tunnel ${LOCAL_OUTSIDE} ${BENELUX_OUTSIDE}
/sbin/ifconfig gif1 inet ${LOCAL_INSIDE} ${BENELUX_INSIDE} netmask 255.255.255.255
/sbin/route add -net ${BENELUX_NETWORK} ${BENELUX_INSIDE}

# Clear the SAD and SPD, then install an out/in policy pair per
# (local selector, remote net) combination, all in ESP tunnel mode
/usr/sbin/setkey -c << EOF
flush;
spdflush;
spdadd ${LOCAL_NETWORK} ${STJUST_NETWORK} any -P out ipsec
esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
spdadd ${ALLNET_1} ${STJUST_NETWORK} any -P out ipsec
esp/tunnel/${LOCAL_OUTSIDE}-${STJUST_OUTSIDE}/require;
spdadd ${STJUST_NETWORK} ${ALLNET_1} any -P in ipsec
esp/tunnel/${STJUST_OUTSIDE}-${LOCAL_OUTSIDE}/require;
spdadd ${LOCAL_NETWORK} ${BENELUX_NETWORK} any -P out ipsec
esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${LOCAL_NETWORK} any -P in ipsec
esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
spdadd ${ALLNET_1} ${BENELUX_NETWORK} any -P out ipsec
esp/tunnel/${LOCAL_OUTSIDE}-${BENELUX_OUTSIDE}/require;
spdadd ${BENELUX_NETWORK} ${ALLNET_1} any -P in ipsec
esp/tunnel/${BENELUX_OUTSIDE}-${LOCAL_OUTSIDE}/require;
EOF
--
Jamie Heckford
Network Manager
Trident Microsystems Ltd.
t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/
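As an added check (not code from the original post), the script below parses the spdadd entries of the posted configuration and reports, for each tunnel endpoint pair, the distinct selectors that share it (each of which needs its own phase 2 SA with that peer), any outbound selector that lacks its inbound mirror, and any two selectors on one tunnel that could match the same packet. The spdadd text is constructed from the post with the shell variables substituted.

```python
import ipaddress
import re
# Constructed input: the post's spdadd lines with the shell variables expanded.
SPD_TEXT = """
spdadd 194.207.93.0/24 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.106.0/24 any -P out ipsec esp/tunnel/81.3.89.53-81.17.79.72/require;
spdadd 192.168.106.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/81.17.79.72-81.3.89.53/require;
spdadd 194.207.93.0/24 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 194.207.93.0/24 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
spdadd 192.168.0.0/16 192.168.102.0/24 any -P out ipsec esp/tunnel/81.3.89.53-80.126.6.130/require;
spdadd 192.168.102.0/24 192.168.0.0/16 any -P in ipsec esp/tunnel/80.126.6.130-81.3.89.53/require;
"""

SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(?:esp|ah)/tunnel/([\d.]+)-([\d.]+)/(?:require|use|default)\s*;")

def parse_spd(text):
    """One tuple (src, dst, direction, (tunnel_src, tunnel_dst)) per spdadd line."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), direction, (ts, td))
            for s, d, direction, ts, td in SPDADD.findall(text)]

def selectors_per_tunnel(policies):
    """Outbound selectors grouped by tunnel endpoints; each one is a separate phase 2 SA."""
    groups = {}
    for src, dst, direction, tunnel in policies:
        if direction == "out":
            groups.setdefault(tunnel, []).append((src, dst))
    return groups

def missing_mirrors(policies):
    """Outbound selectors with no reversed inbound policy on the reversed tunnel."""
    inbound = {(s, d, t) for s, d, direction, t in policies if direction == "in"}
    return [(s, d) for s, d, direction, (ts, td) in policies
            if direction == "out" and (d, s, (td, ts)) not in inbound]

def overlapping_selectors(policies):
    """Pairs of outbound selectors on one tunnel that could both match the same packet."""
    found = []
    for sels in selectors_per_tunnel(policies).values():
        for i, (s1, d1) in enumerate(sels):
            for s2, d2 in sels[i + 1:]:
                if s1.overlaps(s2) and d1.overlaps(d2):
                    found.append(((s1, d1), (s2, d2)))
    return found

if __name__ == "__main__":
    pol = parse_spd(SPD_TEXT)
    print(selectors_per_tunnel(pol), missing_mirrors(pol), overlapping_selectors(pol))
```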
More information about the freebsd-net mailing list