Hello,
I'm having quite the time trying to set up an IPsec tunnel on 4.3-RELEASE.
Host-to-host IPsec works fine - I can make connections all day long between my
two gateways. But for the life of me, I can't get my windows boxen on each end
to talk to the other. I've got identical psk.txt files (rw-------) on both
gateways, but 10.0.1.2 can't ping 10.0.0.2 to save its life. I've told the PCs
on each end to route the other's traffic through the near gate's inside addr,
and still no go. IP forwarding is turned on and NAT is off on both gates as
well as an "OPEN" fw ruleset. I've gone through the couple of HOW-TOs on the
net, but while I understand exactly what they're saying, and I repeat the
process, I can't get it working.
I'm pulling my hair out.
Here's a script I've borrowed from the net. The second set of spdadds for each
host is for the host-to-host IPsec.
HELP!
#!/bin/ksh
#
# Bring up the gif tunnel, load this gateway's IPsec policies and start
# racoon; which branch runs depends on the local hostname.
GW1_OUT="206.140.250.252"
GW1_IN="10.0.0.1"
GW1_NET="10.0.0.0/24"
GW2_NET="10.0.1.0/24"
GW2_IN="10.0.1.1"
GW2_OUT="206.140.251.252"
NETMASK="255.255.255.0"
HOSTNAME=`/bin/hostname`
echo "\nStarting ipsec tunnel... "
case $HOSTNAME in
gw1.domain.com)
    # gif0: outer endpoints are the public addresses, inner addresses the
    # gateways' inside ones.
    /usr/sbin/gifconfig gif0 $GW1_OUT $GW2_OUT
    /sbin/ifconfig gif0 inet $GW1_IN $GW2_IN netmask $NETMASK
    # Flush the old policies (-FP) and SAs (-F) before loading new ones.
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    # First pair: LAN-to-LAN traffic, tunnel-mode ESP with the gif inside
    # addresses as endpoints.  Second pair: gateway-to-gateway traffic,
    # transport-mode ESP between the public addresses.
    /usr/sbin/setkey -c << EOF
spdadd $GW1_NET $GW2_NET any -P out ipsec
esp/tunnel/${GW1_IN}-${GW2_IN}/require;
spdadd $GW2_NET $GW1_NET any -P in ipsec
esp/tunnel/${GW2_IN}-${GW1_IN}/require;
spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P out ipsec
esp/transport/${GW1_OUT}-${GW2_OUT}/require;
spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P in ipsec
esp/transport/${GW2_OUT}-${GW1_OUT}/require;
EOF
    # Send the remote LAN through the tunnel interface.
    /sbin/route add $GW2_NET $GW1_IN
    ;;
gw2.domain.com)
    # Mirror image of the gw1 branch.
    /usr/sbin/gifconfig gif0 $GW2_OUT $GW1_OUT
    /sbin/ifconfig gif0 inet $GW2_IN $GW1_IN netmask $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $GW2_NET $GW1_NET any -P out ipsec
esp/tunnel/${GW2_IN}-${GW1_IN}/require;
spdadd $GW1_NET $GW2_NET any -P in ipsec
esp/tunnel/${GW1_IN}-${GW2_IN}/require;
spdadd ${GW2_OUT}/32 ${GW1_OUT}/32 any -P out ipsec
esp/transport/${GW2_OUT}-${GW1_OUT}/require;
spdadd ${GW1_OUT}/32 ${GW2_OUT}/32 any -P in ipsec
esp/transport/${GW1_OUT}-${GW2_OUT}/require;
EOF
    /sbin/route add $GW1_NET $GW2_IN
    ;;
esac
# Start the IKE daemon with the PSKs referenced from racoon.conf.
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
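An added consistency check for the policies that script loads, not code from the post or from FreeBSD. It parses the spdadd lines of the gw1 branch with the variables expanded (constructed here from the script) and assumes the KAME tunnel-mode convention that the two tunnel endpoints are the addresses the gateways reach each other on, i.e. the public ones; it also checks that every out policy has a mirrored in policy.

```python
import re
from ipaddress import ip_address, ip_network

# Gateway public addresses as given in the script.
GW1_OUT, GW2_OUT = "206.140.250.252", "206.140.251.252"
# Constructed: the spdadd lines gw1's branch feeds to setkey, variables expanded.
GW1_SPD = """
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.1.1/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec
esp/tunnel/10.0.1.1-10.0.0.1/require;
spdadd 206.140.250.252/32 206.140.251.252/32 any -P out ipsec
esp/transport/206.140.250.252-206.140.251.252/require;
spdadd 206.140.251.252/32 206.140.250.252/32 any -P in ipsec
esp/transport/206.140.251.252-206.140.250.252/require;
"""

FIELDS = ("src", "dst", "proto", "dir", "prot", "mode", "ep_src", "ep_dst", "level")
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(esp|ah)/(tunnel|transport)/([\d.]+)-([\d.]+)/(\w+)\s*;")

def parse_spd(text):
    """One dict per spdadd statement; a statement may span two lines as in the script."""
    return [dict(zip(FIELDS, m.groups())) for m in SPD_RE.finditer(text)]

def check_policies(policies, local_out, remote_out):
    """Return human-readable findings; an empty list means the SPD looks consistent."""
    findings = []
    for p in policies:
        if p["mode"] != "tunnel":
            continue
        # The ESP outer header is addressed to the tunnel endpoints, so they must be
        # the addresses the gateways reach each other on (assumed: the public pair).
        want = (local_out, remote_out) if p["dir"] == "out" else (remote_out, local_out)
        if (p["ep_src"], p["ep_dst"]) != want:
            findings.append(f"{p['dir']} tunnel {p['src']}->{p['dst']}: endpoints "
                            f"{p['ep_src']}-{p['ep_dst']}, expected {want[0]}-{want[1]}")
        # An endpoint that falls inside a protected network is an inside address.
        for ep in (p["ep_src"], p["ep_dst"]):
            if any(ip_address(ep) in ip_network(n) for n in (p["src"], p["dst"])):
                findings.append(f"{p['dir']} tunnel: endpoint {ep} lies inside a protected net")
    # Every outbound policy needs its mirror image inbound, and vice versa.
    outs = {(p["src"], p["dst"], p["proto"], p["mode"]) for p in policies if p["dir"] == "out"}
    ins = {(p["dst"], p["src"], p["proto"], p["mode"]) for p in policies if p["dir"] == "in"}
    findings.extend(f"unmirrored policy {u}" for u in outs ^ ins)
    return findings

if __name__ == "__main__":
    for finding in check_policies(parse_spd(GW1_SPD), GW1_OUT, GW2_OUT):
        print(finding)
```

Against the post's policies it reports the two tunnel-mode entries, whose endpoints are 10.0.0.1 and 10.0.1.1, while the in/out pairs mirror correctly.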