VPN (IPSEC)

Nikos Vassiliadis nvass at teledomenet.gr
Tue Jun 3 13:39:43 UTC 2008


On Sunday 01 June 2008 02:49:22 alexus wrote:
> Hello,
>
> I'm trying to establish a VPN tunnel over the internet. I read
> http://www.freebsd.org/doc/en/books/handbook/ipsec.html on how to set
> it up, but I'm somewhat struggling with whether my setup will work at all.
>
> I have box #1 that has 1 primary IP, which is a private IP, but in front
> of my box I have a device that translates a public IP address into the
> private IP, so "technically" it's a public IP, not a private one, yet the
> system sees it as private. My box #2 has an interface with a real public IP
> and another interface with a private IP. I created a gif0 interface, yet I
> can't ping the private range on the other box.
>
>
> box#1
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:0f:fe:aa:f4:61
>         inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
>         tunnel inet 38.96.123.42 --> 74.2.252.194
>         inet 192.168.1.251 --> 192.168.2.252 netmask 0xffffffff

You said that the router in front of box#1 is willing to NAT
your rfc1918 address to a "public" one. Yet, you seem to have
configured gif0 with your exterior peer address 38.96.123.42,
which is not your address, but seems like the "public" one.

Example configuration:
## exterior (public) addresses of the two boxes
box#1 ifconfig fxp0 1.1.1.1
box#2 ifconfig fxp0 2.2.2.2

## let's set up the endpoints of the tunnel (local address first, then remote)
box#1 ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
box#2 ifconfig gif0 tunnel 2.2.2.2 1.1.1.1

## let's set up the interior addresses (local address first, then remote)
box#1 ifconfig gif0 10.234.78.1 10.234.78.2 netmask 255.255.255.255
box#2 ifconfig gif0 10.234.78.2 10.234.78.1 netmask 255.255.255.255

You should be able to ping remote peer addresses at this time.
box#1 ping 10.234.78.2
Set up some routes and it will be fine.

Nevertheless, in case it doesn't work, be sure that the NAT device:
1) is willing to NAT IPIP, and
2) will do 1:1 NAT.

HTH, Nikos
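The two-box gif setup above, carried through with routes and with the check that the quoted ifconfig output fails, as an added example that is not part of Nikos' mail or of the handbook page. It prints the FreeBSD ifconfig(8)/route(8) commands rather than running them, so it works on any POSIX sh; the public and private addresses are the ones from the thread, and the interior addresses and LAN prefixes are assumed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mail: emit the ifconfig(8)/route(8)
# commands for one end of a gif tunnel and check the chosen tunnel source
# against the addresses the box really holds. The commands are only printed,
# so the script runs on any POSIX sh; the address values are assumptions
# taken from the thread.

# gif_side LOCAL_PUB REMOTE_PUB LOCAL_INNER REMOTE_INNER REMOTE_LAN
# Prints the four commands for one end: create gif0, set the exterior
# endpoints (local first), set the interior /32 pair (local first), and
# route the remote LAN through the peer's interior address.
gif_side() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 %s %s netmask 255.255.255.255\n' "$3" "$4"
    printf 'route add -net %s %s\n' "$5" "$4"
}

# tunnel_source_ok "ADDR ADDR ..." SRC
# Succeeds only if SRC is one of the addresses configured on this box.
# gif needs a local address as its tunnel source; behind a NAT device that
# is the box's private address, and the NAT's public address belongs in the
# peer's "tunnel" line as the remote endpoint. The NAT device must also
# forward IP protocol 4 (IPIP) 1:1 to the box, as the mail says.
tunnel_source_ok() {
    for a in $1; do
        if [ "$a" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Scenario from the thread: box#1 is 192.168.1.251 behind a 1:1 NAT that
# maps 38.96.123.42 to it; box#2 has the public address 74.2.252.194.
# Interior addresses and LAN prefixes are made up for the example.
echo '## box#1 (behind NAT: tunnel source is its own private address)'
gif_side 192.168.1.251 74.2.252.194 10.234.78.1 10.234.78.2 192.168.2.0/24
echo '## box#2 (remote endpoint is the NAT public address of box#1)'
gif_side 74.2.252.194 38.96.123.42 10.234.78.2 10.234.78.1 192.168.1.0/24

# The check applied to the ifconfig output quoted above: 38.96.123.42 is the
# NAT's address, not box#1's, so it must not be the local tunnel endpoint.
box1_addrs='192.168.1.251 172.16.172.16'
if tunnel_source_ok "$box1_addrs" 38.96.123.42; then
    echo 'tunnel source is local'
else
    echo '38.96.123.42 is not configured on box#1; use 192.168.1.251 as the tunnel source'
fi
```

gif only gives the unencrypted IPIP tunnel; the IPsec policies from the handbook page still have to be added on top of it, and the ping of the peer's interior address is the test that the tunnel itself is up before that step.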

