IPSEC (can't ping ip at loopback device)

fwun at bigpond.net.au fwun at bigpond.net.au
Wed Oct 4 16:11:21 PDT 2006


Hi,

Thank you for your reply. This configuration can ping all internal networks (via the static routes), but it still can't ping the address assigned to the loopback device (lo0).

From the HQ office:
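#!/bin/sh
# Dynamic VPN setup script -- HQ side of the HQ <-> Ric office tunnel.
#
# Brings up gif102 (IP-in-IP between the two public addresses), puts the
# inside addresses on it, routes the Ric networks through it, and installs
# manually keyed ESP SAs and policies with setkey. Must run as root.
# Re-runnable: the interface and routes are torn down and re-created each
# time, so the destroy/delete commands are expected to fail (noisily) on the
# very first run; that is why there is no 'set -e'.
#
# The shebang has to be the very first line of the file. With a comment
# above it the kernel never sees it and the script runs under whatever
# shell the caller happens to use.
set -u

LOCAL_OUTSIDE=60.225.5.1    # HQ public address (outer tunnel endpoint)
REMOTE_OUTSIDE=203.33.16.1  # Ric public address
LOCAL_INSIDE=10.1.1.1       # local ip at loopback device; also gif102's local address
REMOTE_INSIDE=10.1.2.1      # assigned to remote loopback device; gateway for the routes below

# Role-named aliases for the SA definitions. An SA is identified by its
# literal (src, dst, SPI), so the two 'add' lines must read the same on BOTH
# routers. Writing them with HQ_/RIC_ instead of LOCAL_/REMOTE_ lets the
# setkey block below be copied to the Ric script verbatim without silently
# flipping the direction of each SA.
HQ_OUTSIDE=$LOCAL_OUTSIDE
RIC_OUTSIDE=$REMOTE_OUTSIDE

# The inside address is an lo0 alias so it stays reachable from this box
# regardless of the state of gif102.
/sbin/ifconfig lo0 inet "$LOCAL_INSIDE/24" alias

# Flush ALL security policies (-FP) and SAs (-F), not only this tunnel's.
# Fine on a dedicated router; on a host with other IPsec peers this would
# drop them too.
setkey -FP
setkey -F

# Tunnel to Ric office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel "$LOCAL_OUTSIDE" "$REMOTE_OUTSIDE"
/sbin/ifconfig gif102 "$LOCAL_INSIDE" "$REMOTE_INSIDE" netmask 255.255.255.255

# Remote networks reached through the tunnel, via the remote inside address.
# "10.1.2.1/24" is a host address with a /24 prefix; route(8) installs it as
# the 10.1.2/24 network route. Deletes come first so re-runs do not fail
# with "route already in table".
/sbin/route delete "$REMOTE_INSIDE/24"
/sbin/route delete 10.1.100.1/24
/sbin/route delete 172.17.4.1/24
/sbin/route add "$REMOTE_INSIDE/24" "$REMOTE_INSIDE"
/sbin/route add 10.1.100.1/24 "$REMOTE_INSIDE"
/sbin/route add 172.17.4.1/24 "$REMOTE_INSIDE"

setkey -c << EOF

# Tunnel to Ric office
#
# SECURITY: the SA keys below are static manual keys embedded in a script.
# They have been posted to a public mailing list together with this file,
# so treat them as compromised and generate fresh ones (on both routers)
# before this tunnel carries anything sensitive. Longer term prefer IKE
# (racoon) so keys are negotiated and rotated instead of hard-coded here.
#
# NOTE(review): these policies select only router-to-router traffic
# (10.1.1.1 <-> 10.1.2.1). Packets from the internal networks that the
# routes above send into gif102 (e.g. 10.1.10/24 -> 10.1.100/24) match
# neither selector, so they appear to leave as plain IP-in-IP rather than
# ESP. Confirm with tcpdump on the outside interface; if so, either add
# policies for each network pair or select on the encapsulated traffic
# between the outside addresses (proto ipencap), as the FreeBSD Handbook's
# gif-over-IPsec example does.
spdadd $LOCAL_INSIDE $REMOTE_INSIDE any -P out ipsec esp/tunnel/$LOCAL_OUTSIDE-$REMOTE_OUTSIDE/require ;
spdadd $REMOTE_INSIDE $LOCAL_INSIDE any -P in  ipsec esp/tunnel/$REMOTE_OUTSIDE-$LOCAL_OUTSIDE/require ;

# Manually keyed SAs: SPI 2744 carries HQ -> Ric, SPI 3944 carries
# Ric -> HQ. The Ric script must install exactly these two SAs (same
# literal src/dst, SPI and key); compare 'setkey -D' on both ends.
# Each key must be on ONE line -- a line break inside the hex string (as
# happens when the script is pasted through mail) makes setkey reject the
# whole statement. No -r (replay window) is given, so per setkey(8) these
# SAs get no anti-replay check.
add $HQ_OUTSIDE $RIC_OUTSIDE esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add $RIC_OUTSIDE $HQ_OUTSIDE esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;

EOF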

From Ric's office:
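#!/bin/sh
# Dynamic VPN setup script -- Ric office side of the HQ <-> Ric tunnel.
#
# Brings up gif102 (IP-in-IP between the two public addresses), puts the
# inside addresses on it, routes the HQ networks through it, and installs
# manually keyed ESP SAs and policies with setkey. Must run as root.
# Re-runnable: the interface and routes are torn down and re-created each
# time, so the destroy/delete commands are expected to fail (noisily) on the
# very first run; that is why there is no 'set -e'.
set -u

LOCAL_OUTSIDE=203.33.16.1   # Ric public address (outer tunnel endpoint)
REMOTE_OUTSIDE=60.225.5.1   # HQ public address
LOCAL_INSIDE=10.1.2.1       # local ip at loopback device; also gif102's local address
REMOTE_INSIDE=10.1.1.1      # assigned to remote loopback device; gateway for the routes below

# Role-named aliases for the SA definitions. An SA is identified by its
# literal (src, dst, SPI), so the two 'add' lines must read the same on BOTH
# routers. Writing them with HQ_/RIC_ instead of LOCAL_/REMOTE_ makes the
# setkey block below identical to the HQ script's and removes the
# direction mix-up described there.
HQ_OUTSIDE=$REMOTE_OUTSIDE
RIC_OUTSIDE=$LOCAL_OUTSIDE

# The inside address is an lo0 alias so it stays reachable from this box
# regardless of the state of gif102.
/sbin/ifconfig lo0 inet "$LOCAL_INSIDE/24" alias

# Flush ALL security policies (-FP) and SAs (-F), not only this tunnel's.
# Fine on a dedicated router; on a host with other IPsec peers this would
# drop them too.
setkey -FP
setkey -F

# Tunnel to HQ office
/sbin/ifconfig gif102 destroy
/sbin/ifconfig gif102 create
/sbin/ifconfig gif102 tunnel "$LOCAL_OUTSIDE" "$REMOTE_OUTSIDE"
/sbin/ifconfig gif102 "$LOCAL_INSIDE" "$REMOTE_INSIDE" netmask 255.255.255.255

# HQ networks reached through the tunnel, via the remote inside address
# (10.1.1.0/24 is the network containing it). Deletes come first so re-runs
# do not fail with "route already in table".
/sbin/route delete 10.1.1.0/24
/sbin/route delete 10.1.10.0/24
/sbin/route delete 172.17.3.0/24
/sbin/route add 10.1.1.0/24 "$REMOTE_INSIDE"
/sbin/route add 10.1.10.0/24 "$REMOTE_INSIDE"
/sbin/route add 172.17.3.0/24 "$REMOTE_INSIDE"

setkey -c << EOF

# Tunnel to HQ office
#
# SECURITY: the SA keys below are static manual keys embedded in a script.
# They have been posted to a public mailing list together with this file,
# so treat them as compromised and generate fresh ones (on both routers)
# before this tunnel carries anything sensitive. Longer term prefer IKE
# (racoon) so keys are negotiated and rotated instead of hard-coded here.
#
# NOTE(review): these policies select only router-to-router traffic
# (10.1.2.1 <-> 10.1.1.1). Packets from the internal networks that the
# routes above send into gif102 (e.g. 10.1.100/24 -> 10.1.10/24) match
# neither selector, so they appear to leave as plain IP-in-IP rather than
# ESP. Confirm with tcpdump on the outside interface; if so, either add
# policies for each network pair or select on the encapsulated traffic
# between the outside addresses (proto ipencap), as the FreeBSD Handbook's
# gif-over-IPsec example does.
spdadd $LOCAL_INSIDE $REMOTE_INSIDE any -P out ipsec esp/tunnel/$LOCAL_OUTSIDE-$REMOTE_OUTSIDE/require ;
spdadd $REMOTE_INSIDE $LOCAL_INSIDE any -P in  ipsec esp/tunnel/$REMOTE_OUTSIDE-$LOCAL_OUTSIDE/require ;

# Manually keyed SAs: SPI 2744 carries HQ -> Ric (inbound here), SPI 3944
# carries Ric -> HQ (outbound here) -- the same two SAs the HQ script
# installs.
#
# FIX: the previous version read 'add $LOCAL_OUTSIDE $REMOTE_OUTSIDE esp
# 2744 ...', which on THIS router defined SPI 2744 as Ric -> HQ while the
# HQ script defines SPI 2744 as HQ -> Ric, so the SADs on the two ends were
# not mirror images: ESP from HQ arrived here with (dst=203.33.16.1, SPI
# 2744) and no such SA existed. That is a plausible reason router-to-router
# pings (the only traffic the policies above select) fail while LAN-to-LAN
# pings work; compare 'setkey -D' on both sides after installing this.
#
# Each key must be on ONE line -- a line break inside the hex string (as
# happens when the script is pasted through mail) makes setkey reject the
# whole statement. No -r (replay window) is given, so per setkey(8) these
# SAs get no anti-replay check.
add $HQ_OUTSIDE $RIC_OUTSIDE esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
add $RIC_OUTSIDE $HQ_OUTSIDE esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;

EOF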

HQ's routing table:

hqrouter:~ # netstat -rn | less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            60.225.51.9        UGS         1    21433   sis0
10.1.1.1           10.1.1.1           UH          0        0    lo0
10.1.2/24          10.1.2.1           UGS         0        0 gif102
10.1.2.1           10.1.1.1           UH         22       31 gif102
10.1.10/24         link#2             UC          0        0   sis1
10.1.100/24        10.1.2.1           UGS         0        2 gif102
127.0.0.1          127.0.0.1          UH          0      546    lo0
172.17.3/24        link#3             UC          0        0   ath0
172.17.4/24        10.1.2.1           UGS         0        2 gif102


Ric's routing table:
ric:~ # netstat -rn | less
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.17.10.8      UGS         1   858822   tun0
10.1.1/24          10.1.1.1           UGS         0        0 gif102
10.1.1.1           10.1.2.1           UH          5        4 gif102
10.1.2.1           10.1.2.1           UH          0        0    lo0
10.1.10/24         10.1.1.1           UGS         0        0 gif102
10.1.100/24        link#2             UC          0        0   sis1
172.17.3/24        10.1.1.1           UGS         0        2 gif102
172.17.4/24        link#3             UC          0        0   ath0


Thanks
S 

