Routing problem in IPv4/IPSec VPN environment

From: James Howard (howardjp_at_well.com)
Date: 06/30/04

  • Next message: Richard Stevenson: "Re: SASL and Sendmail"
    Date: Tue, 29 Jun 2004 16:48:49 -0700 (PDT)
    To: freebsd-questions@freebsd.org
    
    

    (This message may reappear in the future, it was rejected by the
    lists from my webhost.)

    As a personal favor, I am building a VPN for a small business. I
    have chosen FreeBSD for this due to my greater familiarity. The
    project will consist of linking four sites, each with a FreeBSD
    system providing DHCP, NAT, and VPN services. I have built DHCP and
    NAT servers before, but IPSec and VPN are new to me.

    Right now, the first two systems are nearly complete. The two
    machines are named goldengate and waltwhitman. Here's the IP
    config, currently:

      goldengate: external 192.168.1.101 internal 10.1.1.1
      waltwhitman: external 192.168.1.102 internal 10.1.2.1

    The external interfaces are in the reserved space because testing is
    taking place behind a cable/DSL router providing NAT services. The
    output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be
    provided at the end of this message.

    IPSec, with Racoon, is properly exchanging keys. From goldengate, I
    can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.

    If a Windows computer is connected behind either system, it receives
    an IP (10.1.x.254, where x is the network number).

    The problem is, if behind the 10.1.2.1 firewall, I cannot ping
    10.1.1.1 and vice-versa. I assume, at this point, this is some type
    of routing issue and not a problem with IPSec. This seems to be
    confirmed by the fact that tracerouting to the local internal interface
    goes through the *other* internal interface first:

    waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
    bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
            ether 00:09:5b:60:e5:08
            media: Ethernet autoselect (10baseT/UTP <half-duplex>)
            status: active
    traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
     1 10.1.1.1 (10.1.1.1) 0.848 ms 0.736 ms 0.783 ms
     2 10.1.2.1 (10.1.2.1) 1.173 ms 1.262 ms 1.247 ms

    The other machine behaves identically, except the numbers are
    reversed. At this point, I have reached the limits of my knowledge.
    Any help would be appreciated.

    Thank you, James

    Notes on the output: IPv6 info removed from netstat output. There
    is a third interface in WALTWHITMAN which may break off to a DMZ in
    the future. No decision has been made and won't be for some time.
    The interface was given the IP 172.16.1.1.

    GOLDENGATE:

    goldengate$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
            physical address inet 192.168.1.101 --> 192.168.1.102
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
            ether 00:09:5b:62:71:4e
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1<RXCSUM>
            inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
            inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:b0:d0:23:5b:8d
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 192.168.1.101 --> 192.168.1.102
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6
    Routing tables

    Internet:
    Destination        Gateway             Flags  Refs    Use  Netif  Expire
    default            192.168.1.1         UGSc      3   6082  xl0
    10.1.1/24          link#1              UC        2      0  bge0
    10.1.1.1           00:09:5b:62:71:4e   UHLW      0    306  lo0
    10.1.1.254         link#1              UHLW      2  14933  bge0
    10.1.2/24          10.1.2.0            UGSc      0  15578  xl0
    10.1.2.1           10.1.1.1            UH        0   2060  gif0
    127.0.0.1          127.0.0.1           UH        1     48  lo0
    192.168.1          link#2              UC        3      0  xl0
    192.168.1.1        00:0c:41:7f:8a:6e   UHLW      4      2  xl0      1042
    192.168.1.100      00:30:65:2e:ae:f7   UHLW      0      0  xl0      1100
    192.168.1.101      127.0.0.1           UGHS      0      0  lo0
    192.168.1.102      00:b0:d0:a1:81:09   UHLW      3  13842  xl0      1054

    WALTWHITMAN:

    waltwhitman$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64
            physical address inet 192.168.1.102 --> 192.168.1.101
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
            inet6 fe80::209:5bff:fe62:1ab2%bge0 prefixlen 64 scopeid 0x1
            ether 00:09:5b:62:1a:b2
            media: Ethernet autoselect (none)
            status: no carrier
    bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
            ether 00:09:5b:60:e5:08
            media: Ethernet autoselect (10baseT/UTP <half-duplex>)
            status: active
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1<RXCSUM>
            inet6 fe80::2b0:d0ff:fea1:8109%xl0 prefixlen 64 scopeid 0x3
            inet 192.168.1.102 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:b0:d0:a1:81:09
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 192.168.1.102 --> 192.168.1.101
            inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64 scopeid 0x7
    Routing tables

    Internet:
    Destination        Gateway             Flags  Refs    Use  Netif  Expire
    default            192.168.1.1         UGSc      1   1416  xl0
    10.1.1/24          10.1.1.1            UGSc      0   9633  gif0
    10.1.1.1           10.1.2.1            UH        1   1986  gif0
    10.1.2/24          link#2              UC        2      0  bge1
    10.1.2.1           00:09:5b:60:e5:08   UHLW      0     14  lo0
    10.1.2.254         link#2              UHLW      2    883  bge1
    127.0.0.1          127.0.0.1           UH        1     48  lo0
    172.16.1/24        link#1              UC        0      0  bge0
    192.168.1          link#3              UC        2      0  xl0
    192.168.1.1        00:0c:41:7f:8a:6e   UHLW      3      2  xl0       192
    192.168.1.101      00:b0:d0:23:5b:8d   UHLW      5  12307  xl0       204
    192.168.1.102      127.0.0.1           UGHS      0      0  lo0

    --
    James P. Howard, II  --  howardjp@vocito.com
    http://www.jameshoward.us/  --  202-390-4933
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
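The check below is an added example, not part of the original post or a reply to it. It reads a `netstat -rn` table and reports which interface the route to the peer's LAN prefix resolves to. On a gif-over-IPsec gateway the route to the remote LAN must land on the tunnel interface (gif0 here, as in the post's output); a route that resolves to the external NIC instead sends that traffic around the tunnel, and unless an IPsec policy independently matches it, in the clear. The two tables are the post's own routing tables with the archive's line wrapping of the Expire column undone; the field position of Netif (6th column) and the interface name gif0 are taken from that output. The script matches the Destination column exactly and does no longest-prefix lookup, so it answers "which row covers this prefix", not "which route the kernel would pick for an arbitrary address".

```shell
#!/bin/sh
# Added example (not from the original post): verify that the route to each
# remote VPN LAN points at the gif tunnel rather than the external NIC.
#
# Constructed input: the two "Internet:" routing tables from the post, with
# the archive's wrapping of the Expire column undone. On a live FreeBSD host
# the same table comes from:  netstat -rn -f inet

GOLDENGATE_ROUTES='default 192.168.1.1 UGSc 3 6082 xl0
10.1.1/24 link#1 UC 2 0 bge0
10.1.1.1 00:09:5b:62:71:4e UHLW 0 306 lo0
10.1.1.254 link#1 UHLW 2 14933 bge0
10.1.2/24 10.1.2.0 UGSc 0 15578 xl0
10.1.2.1 10.1.1.1 UH 0 2060 gif0
127.0.0.1 127.0.0.1 UH 1 48 lo0
192.168.1 link#2 UC 3 0 xl0
192.168.1.1 00:0c:41:7f:8a:6e UHLW 4 2 xl0 1042
192.168.1.100 00:30:65:2e:ae:f7 UHLW 0 0 xl0 1100
192.168.1.101 127.0.0.1 UGHS 0 0 lo0
192.168.1.102 00:b0:d0:a1:81:09 UHLW 3 13842 xl0 1054'

WALTWHITMAN_ROUTES='default 192.168.1.1 UGSc 1 1416 xl0
10.1.1/24 10.1.1.1 UGSc 0 9633 gif0
10.1.1.1 10.1.2.1 UH 1 1986 gif0
10.1.2/24 link#2 UC 2 0 bge1
10.1.2.1 00:09:5b:60:e5:08 UHLW 0 14 lo0
10.1.2.254 link#2 UHLW 2 883 bge1
127.0.0.1 127.0.0.1 UH 1 48 lo0
172.16.1/24 link#1 UC 0 0 bge0
192.168.1 link#3 UC 2 0 xl0
192.168.1.1 00:0c:41:7f:8a:6e UHLW 3 2 xl0 192
192.168.1.101 00:b0:d0:23:5b:8d UHLW 5 12307 xl0 204
192.168.1.102 127.0.0.1 UGHS 0 0 lo0'

# route_netif TABLE DESTINATION
# Print the Netif column (6th field) of the row whose Destination matches
# exactly; print nothing if there is no such row. Header lines from a live
# netstat run are harmless: no header word equals a prefix.
route_netif() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $6; exit }'
}

# check_tunnel_route TABLE DESTINATION TUNNEL_IF
# Report whether traffic for DESTINATION would enter TUNNEL_IF.
# Output: "ok", "MISSING", or "MISROUTED via <netif>".
check_tunnel_route() {
    ctr_netif=$(route_netif "$1" "$2")
    if [ -z "$ctr_netif" ]; then
        echo "MISSING"
    elif [ "$ctr_netif" = "$3" ]; then
        echo "ok"
    else
        echo "MISROUTED via $ctr_netif"
    fi
}

# audit_host NAME TABLE REMOTE_PREFIX
# One line per gateway: which interface its route to the peer's LAN uses.
audit_host() {
    echo "$1: route to $3 -> $(check_tunnel_route "$2" "$3" gif0)"
}

audit_host goldengate  "$GOLDENGATE_ROUTES"  10.1.2/24
audit_host waltwhitman "$WALTWHITMAN_ROUTES" 10.1.1/24
```

Run against the tables in the post, the script reports waltwhitman's 10.1.1/24 route as ok (gif0) and goldengate's 10.1.2/24 route as misrouted via xl0, the external interface, which is the asymmetry visible in the two tables above. On a real gateway, replace the embedded strings with `netstat -rn -f inet` output and re-run after any `route` change; the check is cheap enough to keep in a post-up hook so a regression in the static routes is caught before the peer's LAN becomes reachable only over the untunnelled path.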
    

