FreeBSD IPSec VPN routing problem

JoeJR joejr at bluebottle.com
Tue Feb 13 19:03:33 UTC 2007


Hello list!

I've been playing around with IPSEC site-to-site VPN. The setup is as follows:

[Home cisco 871w, A] -> (internet) -> [FreeBSD IPsec VPN-server] -> (internet) -> [Buddy's Home cisco 871w, B].

A and B can both reach the FreeBSD IPSec server, on their VPN IPs:

A(10.10.10.1) to IPsec endpoint:
Pinging 10.3.2.1 with 32 bytes of data:

Reply from 10.3.2.1: bytes=32 time=84ms TTL=63
Reply from 10.3.2.1: bytes=32 time=85ms TTL=63

B(10.10.8.1) to IPsec endpoint:
PING 10.3.2.1 (10.3.2.1): 56 data bytes
64 bytes from 10.3.2.1: icmp_seq=0 ttl=63 time=74.705 ms
64 bytes from 10.3.2.1: icmp_seq=1 ttl=63 time=74.547 ms

This is what I use to set up the GIF interfaces:
ifconfig gif0 create
ifconfig gif0 tunnel A.B.C.D E.F.G.H
ifconfig gif0 inet 10.3.2.1 10.10.10.1 netmask 0xffffffff
route add 10.10.10.0/24 10.10.10.1

ifconfig gif1 create
ifconfig gif1 tunnel A.B.C.D I.J.K.L
ifconfig gif1 inet  10.3.2.1 10.10.8.1 netmask 0xffffffff
route add 10.10.8.0/24 10.10.8.1

And here is my IPsec policy setup:

#/usr/sbin/setkey -F

/usr/sbin/setkey -c << EOF
flush;
spdflush;

spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;

spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
EOF

Everything seems nice and dandy, however:

Pinging 10.10.8.1 from 10.10.10.1 with 32 bytes of data:
Request timed out.
Request timed out.

It appears the server is not routing it between the interfaces.
I have net.inet.ip.forwarding: 1 with sysctl.

Can anyone shed some light on what I am missing here to have packets from 10.10.10.1 hit 10.10.8.1 directly?
Both IPs are reachable and reply on ping from the VPN server.
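Added example (not part of the post, and not the poster's config): a small static checker for a setkey(8) SPD. It parses the four spdadd lines exactly as posted, models the kernel's first-match selector lookup on the inner addresses, and reports which of the flows the hub has to carry have no policy at all. It deliberately does not model the gif IPIP encapsulation, so it is a first sanity check rather than a complete diagnosis; what it does show is that the posted SPD has entries only for hub-to-spoke traffic, none for 10.10.10.0/24 <-> 10.10.8.0/24 transit, and that one selector is written as 10.3.2.1/24 with host bits set. The hub_spd() generator at the end is a hypothetical hub-and-spoke pattern (hub_net, hub_addr and the SITES list are assumed values taken from the post's placeholders); a spoke router would also need its own policy or crypto ACL to cover the other spoke's subnet.

```python
"""Static check of a setkey(8) SPD: does every flow the hub must carry
have a matching policy?  Added example, not code from the original post."""
import ipaddress
import re
from dataclasses import dataclass
from itertools import permutations

# Hub SPD exactly as posted (A.B.C.D etc. are the post's placeholder endpoints).
POSTED_SPD = """
spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
"""

SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+([^;]*);")


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str          # e.g. "ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique"
    src_text: str        # selectors as written, kept for lint messages
    dst_text: str


def parse_spd(text):
    """Parse spdadd lines into Policy objects, in SPD order."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src_text, dst_text, _proto, direction, action = m.groups()
        policies.append(Policy(
            ipaddress.ip_network(src_text, strict=False),
            ipaddress.ip_network(dst_text, strict=False),
            direction, action.strip(), src_text, dst_text))
    return policies


def lint(policies):
    """Flag selectors written with host bits set (10.3.2.1/24 instead of 10.3.2.0/24)."""
    issues = []
    for p in policies:
        for text in (p.src_text, p.dst_text):
            try:
                ipaddress.ip_network(text)      # strict: raises when host bits are set
            except ValueError:
                issues.append(f"selector {text} has host bits set")
    return issues


def matching_policy(policies, src, dst, direction):
    """First policy whose selectors cover the flow; None means no policy (cleartext)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None


def uncovered_flows(policies, flows):
    """Return the (src, dst, direction) flows that match no policy at all."""
    return [f for f in flows if matching_policy(policies, *f) is None]


def hub_spd(hub_net, hub_addr, sites):
    """Generate a hub SPD that also carries spoke-to-spoke transit (hypothetical
    pattern, not the post's config): sites is a list of (subnet, peer_addr)."""
    lines = []
    for net, peer in sites:
        lines.append(f"spdadd {hub_net} {net} any -P out ipsec esp/tunnel/{hub_addr}-{peer}/unique;")
        lines.append(f"spdadd {net} {hub_net} any -P in ipsec esp/tunnel/{peer}-{hub_addr}/unique;")
    for (net_a, peer_a), (net_b, peer_b) in permutations(sites, 2):
        # traffic from A to B arrives on A's tunnel and leaves on B's tunnel
        lines.append(f"spdadd {net_a} {net_b} any -P in ipsec esp/tunnel/{peer_a}-{hub_addr}/unique;")
        lines.append(f"spdadd {net_a} {net_b} any -P out ipsec esp/tunnel/{hub_addr}-{peer_b}/unique;")
    return "\n".join(lines)


# Flows the hub must handle: each spoke to the hub, and spoke to spoke both ways.
FLOWS = [
    ("10.10.10.1", "10.3.2.1", "in"), ("10.3.2.1", "10.10.10.1", "out"),
    ("10.10.8.1", "10.3.2.1", "in"), ("10.3.2.1", "10.10.8.1", "out"),
    ("10.10.10.1", "10.10.8.1", "in"), ("10.10.10.1", "10.10.8.1", "out"),
    ("10.10.8.1", "10.10.10.1", "in"), ("10.10.8.1", "10.10.10.1", "out"),
]

# Assumed site list built from the post's placeholders.
SITES = [("10.10.10.0/24", "E.F.G.H"), ("10.10.8.0/24", "I.J.K.L")]

if __name__ == "__main__":
    posted = parse_spd(POSTED_SPD)
    for issue in lint(posted):
        print("lint:", issue)
    for flow in uncovered_flows(posted, FLOWS):
        print("no policy for", flow)
    fixed = parse_spd(hub_spd("10.3.2.0/24", "A.B.C.D", SITES))
    print("uncovered after adding transit policies:", uncovered_flows(fixed, FLOWS))
```

Run against the posted SPD it lists the four spoke-to-spoke flows as having no policy and flags the 10.3.2.1/24 selector; run against the generated SPD every flow is covered. On the real box, `setkey -DP` shows the installed SPD and can be fed to parse_spd() directly.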
