Re: IPSEC config

From: Michael Proto (echo.ranger@corp.earthlink.net)
Date: 09/13/01


Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT)
From: Michael Proto <echo.ranger@corp.earthlink.net>
To: Paul Root <proot@iaces.com>

Paul,

Have you used ifconfig to set up the inside points of your gif tunnel?
gifconfig only sets the outside IP addresses of your security gateways.
You still need to use ifconfig to set the point-to-point link on the
inside.

For example:

Gateway A:
public IP: 199.54.21.1
private net IP: 10.0.0.1

Gateway B:
public IP: 199.54.85.4
private net IP: 10.0.10.1

on Gateway A:
gifconfig gif0 199.54.21.1 199.54.85.4
ifconfig gif0 inet 10.0.0.1 10.0.10.1 netmask 255.255.0.0

and vice versa on Gateway B.

From the looks of it, you seem to be missing the 'inside IP' configuration
of your gif tunnels.

Good luck,
Michael Proto

On Thu, 13 Sep 2001, Paul Root wrote:

> Hi,
> I'm trying to set up an IPSec tunnel and am having trouble.
> Both machines are 4.4 RC3 (I think, last week). And when I set it up
> for a transport between the two machines it works fine, so racoon
> must be fine.
>
> I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> Here's my config on one end:
>
> #!/bin/sh
> # These commands need to be run on acesfbsd to
> # connect to lorax, in a IPSEC test
> #
> # Setup the tunnel device.
> gifconfig gif0 10.20.30.4 172.28.56.82
> #
> # The next 2 lines delete all existing entries
> # from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c <<EOF
> spdadd 10.20.30.0/24 172.28.56.0/23 any -P out ipsec
> esp/tunnel/10.20.30.4-172.28.56.82/require;
> spdadd 172.28.56.0/23 10.20.30.0/24 any -P in ipsec
> esp/tunnel/172.28.56.82-10.20.30.4/require;
> EOF
>
>
>
> The man pages on gif and gifconfig are vague to me, but I think I've
> got it, those are the actual addresses of the boxes right? Also, the
> howto had transport instead of tunnel in the spdadd lines but
> the man page suggests tunnel.
>
> I'm sure I'm doing something horribly wrong.
>
> Thanks,
> Paul.
>
>

-- 
Michael Proto                      | echo.ranger@corp.earthlink.net
Security Engineer, EarthLink Inc.  | (404)815-0770 x22114
-------------------------------------------------------------------
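The two-sided setup Michael describes (gifconfig for the outer endpoints, ifconfig for the inner point-to-point link, and mirrored tunnel-mode SPD entries on each gateway) is easy to get asymmetric when typed by hand on two boxes. The script below is an added example, not code from either poster: it generates the complete command set for both gateways from one set of parameters so the two ends can be compared side by side before being run. The addresses are the constructed ones from the post above; the /24 private networks, the host netmask on gif0 plus an explicit route (instead of the /16 netmask in the post), and the function names are my choices, not something the thread specifies.

```shell
#!/bin/sh
# Generate the gif + IPsec tunnel-mode setup for both security gateways of a
# site-to-site link (FreeBSD 4.x: gifconfig(8), ifconfig(8), setkey(8)).
# Added example; addresses are constructed, taken from the numbers in the
# post above.  The script only prints commands so both ends can be reviewed
# side by side before anything is run as root.

# gateway_commands NAME OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE NET_LOCAL NET_REMOTE
# Emits the commands one gateway must run.  OUTER_* are the public addresses
# the encapsulated packets travel between, INNER_* are the private
# point-to-point addresses of gif0, NET_* the two private networks (CIDR).
gateway_commands() {
    name=$1 outer_local=$2 outer_remote=$3
    inner_local=$4 inner_remote=$5
    net_local=$6 net_remote=$7
    cat <<EOF
# ---- $name ----
# Outer endpoints of the tunnel: gifconfig sets ONLY these.
gifconfig gif0 $outer_local $outer_remote
# Inner point-to-point link; without this gif0 has no address and the
# private networks cannot be routed over it.
ifconfig gif0 inet $inner_local $inner_remote netmask 255.255.255.255
# Reach the remote private network through the far inner address.
route add -net $net_remote $inner_remote
# Flush policy (SPD) and SA (SAD) databases, then require tunnel-mode ESP
# between the outer addresses for traffic between the private networks.
# The SAs themselves are negotiated by racoon.
setkey -FP
setkey -F
setkey -c <<SETKEY
spdadd $net_local $net_remote any -P out ipsec esp/tunnel/$outer_local-$outer_remote/require;
spdadd $net_remote $net_local any -P in ipsec esp/tunnel/$outer_remote-$outer_local/require;
SETKEY
EOF
}

# tunnel_pair A_PUB A_INNER A_NET B_PUB B_INNER B_NET
# Emits gateway A's commands followed by gateway B's with every address
# swapped, so the two ends are guaranteed to be mirror images.
tunnel_pair() {
    gateway_commands "Gateway A" "$1" "$4" "$2" "$5" "$3" "$6"
    gateway_commands "Gateway B" "$4" "$1" "$5" "$2" "$6" "$3"
}

# Constructed example values: public addresses as in the post, /24 private nets.
tunnel_pair 199.54.21.1 10.0.0.1 10.0.0.0/24 199.54.85.4 10.0.10.1 10.0.10.0/24
```

Read the output for gateway A next to the output for gateway B: A's `-P out` policy and B's `-P in` policy must name the same source network, destination network and outer endpoint pair, which is exactly the check that is hard to do by eye across two shells. Two caveats: `setkey -F`/`-FP` flush every SA and policy on the box, not just this tunnel's, so do not paste this into a gateway that already carries other IPsec sessions; and gifconfig(8) is a FreeBSD 4.x tool, on 5.x and later the outer endpoints are set with `ifconfig gif0 tunnel A B` instead.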

