IPSec VPN issues
excalibur at accesswave.ca
Wed Jun 10 13:33:31 UTC 2009
I let this question sit in freebsd-questions overnight before posting
this here, as I did not get any responses. Any help would be appreciated.
I'm in the process of configuring a VPN tunnel via IPSec to another
network to provide an easy means to manage both networks. I can get the
VPN established from my FreeBSD box to the server on the other side, but
I can't seem to route any traffic through the interface so that it goes
to the other side of the VPN.
I know I am missing a step, but I can't seem to find any information in
the documentation about what that step might be.
Here is what I have so far:
I have compiled my kernel with the following options:
# IP Sec Options
options IPSEC # IP Security
options IPSEC_DEBUG # debug for IP security
options IPSEC_FILTERTUNNEL # To properly filter on the
inner packets (this was done in case I needed to expand some
fire-walling to this box)
And added the crypto device:
the kernel is installed and running with no issues as far as I can tell.
I have also installed security/ipsec-tools, though I did noticed that a
kernel patch was required for something related to NAT. As I am running
FreeBSD 7.2, I was not sure if that patch was still required, and I am
honestly not sure if NATing is what I need/require to get this running.
My interfaces are as follows:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 1xx.1xx.2xx.2xx netmask 0xffffff00 broadcast 1xx.1xx.2xx.255
media: Ethernet autoselect (100baseTX <full-duplex>)
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 1xx.1xx.2xx.2 --> xxx.2xx.1xx.1xx
inet 1xx.1xx.2xx.2 --> 1xx.1xx.xxx.1 netmask 0xfffffc00
The routing tables are as follows:
default 1xx.1xx.2xx.1 UGS 0 1807 em0
127.0.0.1 127.0.0.1 UH 0 4 lo0
1xx.1xx.xxx.0/22 1xx.1xx.xxx.1 UGS 0 0 gif0
1xx.1xx.xxx.1 1xx.1xx.2xx.2 UH 1 327 gif0
1xx.1xx.2xx.0/24 link#1 UC 0 0 em0
1xx.1xx.2xx.1 00:13:10:09:5b:1f UHLW 2 0 em0 1114
1xx.1xx.2xx.2 00:1c:c0:94:2c:0c UHLW 1 924 lo0
Right now I am simply looking to have any local (to the host) pinging a
system on the other side.
As I don't have immediate access to the routing details of the other
end, and it's configured exactly the same as it has been for other
VPN's, I am inclined to believe the issue is on my side of the VPN.
The system I have, only has one NIC in it at this time, but can easily
be configured to have a second. The system is also behind another system
that is handling the local routing and fire-walling, and is NATing all
appropriate traffic to the various box's.
I have used the examples in the freebsd handbook to guide me as far as I
have gotten thus far (btw there is a step missing in there, forgetting
to tell you to run setkey -f /path/to/racoon/setkey.conf).
I have googled everything I can find, looked over freebsd.org and
freebsddiary.org (those articles are a bit out dated I think), and have
found no information to indicate what I am missing..
I suspect it might be that this system is not doing traffic NATing, or a
packet filter configuration is required, but I have tried every example
with no luck.
At this point I am stuck, and looking for some guidance.
More information about the freebsd-net