ipsec vpn - gif_if connection problem
claudiu vasadi
claudiu.vasadi at gmail.com
Fri Oct 15 20:53:20 UTC 2010
Hello guys,
I have 3x 8.1-RELEASE i386 machines with a custom kernel that consists of
the GENERIC kernel plus:
options IPSEC
options IPSEC_DEBUG
device crypto
the 3 extra options needed for IPSEC/racoon VPN. All the setup was made
according to [URL="http://www.freebsd.org/doc/handbook/ipsec.html"]
http://www.freebsd.org/doc/handbook/ipsec.html[/URL] and it worked. I got to
the racoon/setkey part and after I managed to get that working too, at some
point, the gif interfaces stopped communicating (a.k.a no more connection
between the 3 machines).
At first, I thought it's a routing problem but I didn't see anything weird;
then I turned to the firewall (pf) and I disabled it but with no effect.
Step by step I disabled racoon, setkey and recreated the gif interfaces but
still, no effect.
For the sake of sanity, I will detail below only 2 machines:
machine 1 (192.168.1.0/24 gw 192.168.1.1):
[root at mainserver1 ~]# ifconfig gif2
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 79.113.55.0 --> 79.113.90.52
inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
options=1<ACCEPT_REV_ETHIP_VER>
[root at mainserver1 ~]# netstat -f inet -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 79.113.48.1 UGS 0 123132 tun0
79.113.48.1 link#5 UHS 0 0 tun0
79.113.55.0 link#5 UHS 0 16 lo0
127.0.0.1 link#4 UH 0 1287 lo0
192.168.0.0/24 192.168.10.1 UGS 0 277 tap0
192.168.1.0/24 link#2 U 0 3249916 rl0
192.168.1.1 link#2 UHS 1 1 lo0
192.168.2.0/24 192.168.2.1 UGS 0 0 gif2
192.168.2.1 link#9 UH 0 3 gif2
192.168.10.0/24 link#8 U 0 0 tap0
192.168.10.2 link#8 UHS 0 0 lo0
machine 2 (192.168.2.0/24 gw 192.168.2.1):
[root at mainserver2 ~]# ifconfig gif1
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 79.113.90.52 --> 79.113.55.0
inet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00
options=1<ACCEPT_REV_ETHIP_VER>
[root at mainserver2 ~]# netstat -f inet -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.100.144.12 UGS 0 811847 tun0
10.100.144.12 link#5 UHS 0 0 tun0
79.113.90.52 link#5 UHS 0 175 lo0
127.0.0.1 link#4 UH 0 1043 lo0
192.168.0.0/24 192.168.0.1 UGS 0 16 gif0
192.168.0.1 link#6 UH 0 19 gif0
192.168.1.0/24 192.168.1.1 UGS 0 0 gif1
192.168.1.1 link#7 UH 0 4 gif1
192.168.2.0/24 link#2 U 0 5702099 rl0
192.168.2.1 link#2 UHS 2 0 lo0
machine 1 uses gif2 (as it goes to machine2) and machine 2 uses gif1 (as it
goes to machine 1)
Scenario:
Both gif_if created. I run ping from machine 1 to ext_IP of machine 2 =
works; but if I ping the internal IP of any machine from the other one, it
does not.
I started tcpdump on machine1 and started pinging from machine2. I can see
the echo_reply if I ping the external_IP but not if I do the same with the
internal_IP. From this, I am thinking there is a problem with the routing
table but tbh, I cannot see it. If this would not be the case however, I
would assume the firewall is blocking something (but the firewall is
disabled).
What am I missing here ?
--
Best regards,
Claudiu Vasadi
More information about the freebsd-questions
mailing list