IPSec VPN issues

Chris Bowlby excalibur at accesswave.ca
Wed Jun 10 13:33:31 UTC 2009


Hi Everyone,

I let this question sit in freebsd-questions overnight before posting
this here, as I did not get any responses. Any help would be appreciated.

--------------------------------

I'm in the process of configuring a VPN tunnel via IPSec to another
network to provide an easy means to manage both networks. I can get the
VPN established from my FreeBSD box to the server on the other side, but
I can't seem to route any traffic through the interface so that it goes
to the other side of the VPN.

I know I am missing a step, but I can't seem to find any information in
the documentation about what that step might be.

Here is what I have so far:

I have compiled my kernel with the following options:

# IP Sec Options
options         IPSEC                   # IP Security
options         IPSEC_DEBUG             # debug for IP security
options         IPSEC_FILTERTUNNEL      # To properly filter on the inner packets
                                        # (this was done in case I needed to
                                        # expand some fire-walling to this box)

And added the crypto device:

# IPSec
device          crypto

the kernel is installed and running with no issues as far as I can tell.

I have also installed security/ipsec-tools, though I did notice that a
kernel patch was required for something related to NAT. As I am running
FreeBSD 7.2, I was not sure if that patch was still required, and I am
honestly not sure if NATing is what I need/require to get this running.

My interfaces are as follows:

amaethon# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        inet 1xx.1xx.2xx.2xx netmask 0xffffff00 broadcast 1xx.1xx.2xx.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 1xx.1xx.2xx.2 --> xxx.2xx.1xx.1xx
        inet 1xx.1xx.2xx.2 --> 1xx.1xx.xxx.1 netmask 0xfffffc00


The routing tables are as follows:
default            1xx.1xx.2xx.1      UGS         0     1807    em0
127.0.0.1          127.0.0.1          UH          0        4    lo0
1xx.1xx.xxx.0/22   1xx.1xx.xxx.1      UGS         0        0   gif0
1xx.1xx.xxx.1      1xx.1xx.2xx.2      UH          1      327   gif0
1xx.1xx.2xx.0/24   link#1             UC          0        0    em0
1xx.1xx.2xx.1      00:13:10:09:5b:1f  UHLW        2        0    em0   1114
1xx.1xx.2xx.2      00:1c:c0:94:2c:0c  UHLW        1      924    lo0

Right now I am simply looking to have any local (to the host) pinging a
system on the other side.

As I don't have immediate access to the routing details of the other
end, and it's configured exactly the same as it has been for other
VPNs, I am inclined to believe the issue is on my side of the VPN.

The system I have only has one NIC in it at this time, but can easily
be configured to have a second. The system is also behind another system
that is handling the local routing and fire-walling, and is NATing all
appropriate traffic to the various boxes.

I have used the examples in the freebsd handbook to guide me as far as I
have gotten thus far (btw there is a step missing in there, forgetting
to tell you to run setkey -f /path/to/racoon/setkey.conf).

I have googled everything I can find, looked over freebsd.org and
freebsddiary.org (those articles are a bit outdated I think), and have
found no information to indicate what I am missing.

I suspect it might be that this system is not doing traffic NATing, or a
packet filter configuration is required, but I have tried every example
with no luck.

At this point I am stuck, and looking for some guidance.
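One check worth running on a gif+IPsec setup like the one above, as an added example (my own script, not from the poster or the thread): the endpoints of the gif(4) tunnel must be the same endpoints named in the `esp/tunnel/...` policy loaded with `setkey -f`, otherwise packets routed out gif0 match no SPD entry and no ESP SA is ever applied. The ifconfig text and setkey.conf below are constructed samples with RFC 5737 addresses, and `/path/to/racoon/setkey.conf` is the placeholder path from the post.

```shell
#!/bin/sh
# Added example, not from the original post: check that the SPD policy you
# load with `setkey -f` names the same tunnel endpoints as the gif(4) tunnel.
# If they differ, packets routed out gif0 match no policy (or the wrong one),
# so no ESP SA is ever applied. All addresses below are RFC 5737 placeholders.

# Constructed ifconfig(8) output for the gif interface.
GIF_OUTPUT='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 192.0.2.2 --> 198.51.100.1
        inet 192.0.2.2 --> 203.0.113.1 netmask 0xfffffc00'

# Constructed setkey.conf in the gif+IPsec form used by the FreeBSD Handbook:
# the outbound policy lists local-remote, the inbound policy remote-local.
SETKEY_CONF='flush;
spdflush;
spdadd 192.0.2.0/24 203.0.113.0/22 any -P out ipsec esp/tunnel/192.0.2.2-198.51.100.1/require;
spdadd 203.0.113.0/22 192.0.2.0/24 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.2/require;'

# Print "local remote" taken from the `tunnel inet` line of the ifconfig text.
gif_endpoints() {
    printf '%s\n' "$1" | awk '/tunnel inet/ { print $3, $5 }'
}

# Print "src dst" from the esp/tunnel/src-dst/... token of the spdadd line
# whose direction is $2 (in or out).
spd_endpoints() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        $1 == "spdadd" && index($0, "-P " dir " ") > 0 {
            for (i = 1; i <= NF; i++)
                if (index($i, "esp/tunnel/") == 1) {
                    split($i, f, "/"); split(f[3], ep, "-"); print ep[1], ep[2]
                }
        }'
}

# Return 0 when both SPD directions agree with the gif tunnel, 1 otherwise.
check_spd_matches_gif() {
    gif_ep=$(gif_endpoints "$1")
    gif_local=${gif_ep%% *}
    gif_remote=${gif_ep##* }
    [ "$(spd_endpoints "$2" out)" = "$gif_local $gif_remote" ] &&
    [ "$(spd_endpoints "$2" in)" = "$gif_remote $gif_local" ]
}

# On a live host (the path is the placeholder from the post):
#   check_spd_matches_gif "$(ifconfig gif0)" "$(cat /path/to/racoon/setkey.conf)" \
#       && echo "SPD endpoints match gif0" || echo "MISMATCH"
```

A passing check only shows the policy is consistent with the tunnel; `setkey -D` shows whether racoon actually negotiated the SAs that the policy requires.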


More information about the freebsd-net mailing list