Re: VPN IPsec Help

2010-07-08 Thread Steve Bertrand
On 2010.07.07 18:28, Matheus Weber da Conceição wrote:
> Hello guys;
> 
> I'm using a FreeBSD 7.0 in my firewall/gateway, and I have to connect
> via VPN to a Cisco box.
> 
> The scene here is:
> 
> * Peer A (Cisco): 200.xxx.xxx.xxx
>IPs that Peer B need to access:
>   - 192.168.10.24
>   - 192.168.201.196
>   - 10.115.90.236
> 
> * Peer B (FreeBSD 7.0): 187.yyy.yyy.yyy (me)
> 
> 
> How can I configure this scene without using gif0 interface?

It has been a long time since I've done IPSec on FBSD, but I'm willing
to bet that this has to do with routing, possibly amongst other things.
On peer 'B' (FBSD box), what internal IP range are you trying to access
the A network from...the same ones (i.e. are you trying to bridge the
networks)?

Do you have access to the Cisco gear?

If so, on FreeBSD, post the output of:

% netstat -rn

...and the output to the following on the Cisco:

% sh ip route stat

Steve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: VPN IPsec Help

2010-07-08 Thread Matheus Weber da Conceição
> It has been a long time since I've done IPSec on FBSD, but I'm willing
> to bet that this has to do with routing, possibly amongst other things.
> On peer 'B' (FBSD box), what internal IP range are you trying to access
> the A network from...the same ones (i.e. are you trying to bridge the
> networks)?
>
The -peer A- doesn't need to access any -peer B- networks.

> Do you have access to the Cisco gear?
No.

> If so, on FreeBSD, post the output of:
>
> % netstat -rn

Notes:
tun0 is my ppp pseudo-device
tun5 is my openvpn tunnel (192.168.5.0/24)

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            201.zzz.zzz.zzz    UGS         0 16087385   tun0
127.0.0.1          127.0.0.1          UH          0   357142    lo0
187.yyy.yyy.yyy    127.0.0.1          UH          0      120    lo0
192.168.1.0        ff:ff:ff:ff:ff:ff  UHLWb       1        1    vr1 =>
192.168.1.0/24     link#3             UC          0        0    vr1
192.168.1.1        00:19:5b:71:9b:ed  UHLW        1   237725    lo0
192.168.1.8        00:21:97:7e:0c:2a  UHLW        1    27981    vr1    975
192.168.1.9        00:27:0e:10:8d:52  UHLW        1    33571    vr1    956
192.168.1.11       00:16:3e:2a:38:2b  UHLW        1   255820    vr1   1192
192.168.1.21       00:19:d1:7c:a2:90  UHLW        1    24792    vr1   1165
192.168.1.22       00:1c:c0:ac:8e:16  UHLW        1     2306    vr1   1179
192.168.1.28       00:1a:92:e2:ab:fa  UHLW        1    22897    vr1    269
192.168.1.30       00:11:d8:91:36:ff  UHLW        1    36286    vr1    543
192.168.1.31       00:e0:4c:51:b7:e0  UHLW        1     4784    vr1   1167
192.168.1.40       00:1c:c0:54:c1:de  UHLW        1   136462    vr1   1159
192.168.1.43       00:16:76:17:68:9c  UHLW        1        8    vr1    838
192.168.1.44       00:1a:92:d7:4c:ce  UHLW        1     1746    vr1    715
192.168.1.48       00:1c:c0:a6:10:66  UHLW        1    26086    vr1    681
192.168.1.53       00:16:76:86:cd:ba  UHLW        1    10230    vr1   1167
192.168.1.56       00:1c:c0:98:cd:9c  UHLW        1    14848    vr1    911
192.168.1.62       00:16:76:45:04:03  UHLW        1    42472    vr1    966
192.168.1.69       00:16:3e:46:6b:3a  UHLW        1       14    vr1    964
192.168.1.71       00:1c:c0:48:4c:7f  UHLW        1   105652    vr1   1134
192.168.1.72       00:1c:c0:4e:da:d0  UHLW        1    77087    vr1    287
192.168.1.76       00:1e:8c:95:ae:98  UHLW        1     8366    vr1    940
192.168.1.77       00:1c:c0:7b:0d:74  UHLW        1    37699    vr1    281
192.168.1.78       00:1a:92:d7:48:2c  UHLW        1    45100    vr1    567
192.168.1.79       00:1a:92:8a:b2:b2  UHLW        1     4275    vr1    766
192.168.1.84       00:24:1d:f1:89:1f  UHLW        1    21246    vr1    960
192.168.1.87       00:19:d1:ff:0e:6e  UHLW        1      474    vr1   1149
192.168.1.93       00:1c:c0:48:4c:58  UHLW        1    37041    vr1   1191
192.168.1.94       00:21:27:d1:ac:f3  UHLW        1       25    vr1    879
192.168.1.95       00:1c:c0:54:c2:e6  UHLW        1    20753    vr1    969
192.168.1.100      00:1a:92:cb:c9:26  UHLW        1   256433    vr1   1192
192.168.1.103      00:13:02:02:69:00  UHLW        1    52018    vr1   1199
192.168.1.108      00:1c:c0:7b:0d:c4  UHLW        1   708959    vr1    973
192.168.1.112      00:1e:65:68:0c:32  UHLW        1     2133    vr1   1186
192.168.1.115      00:1c:c0:9e:23:74  UHLW        1      583    vr1    367
192.168.1.120      00:18:8b:e1:96:c7  UHLW        1   310668    vr1     68
192.168.1.122      00:27:0e:15:9b:bc  UHLW        1    71300    vr1   1169
192.168.1.123      6c:f0:49:f7:fa:87  UHLW        1     5818    vr1   1113
192.168.1.124      00:1c:c0:7b:0d:85  UHLW        1     2473    vr1    633
192.168.1.126      00:1c:c0:a6:10:5a  UHLW        1    10526    vr1    954
192.168.1.131      00:1f:d0:fd:dd:66  UHLW        1   184009    vr1    943
192.168.1.141      00:1b:fc:2b:99:fe  UHLW        1   435409    vr1    485
192.168.1.144      00:27:0e:10:5a:21  UHLW        1   866092    vr1    957
192.168.1.146      00:1c:c0:9e:23:93  UHLW        1   764742    vr1   1168
192.168.1.149      00:16:3e:73:6b:e3  UHLW        1    26347    vr1   1139
192.168.1.150      00:1c:c0:48:4c:44  UHLW        1    45845    vr1    966
192.168.1.158      00:01:6c:ff:88:c4  UHLW        1    10017    vr1   1033
192.168.1.168      00:19:d1:a1:da:8d  UHLW        1    22734    vr1   1120
192.168.1.170      00:1c:c0:5b:36:4d  UHLW        1   475881    vr1   1186
192.168.1.172      00:24:1d:fb:35:ed  UHLW        1   431062    vr1   1182
192.168.1.173      00:1c:c0:54:bb:a8  UHLW        1        6    vr1   1058
192.168.1.174      6c:f0:49:f8:b6:bf  UHLW        1   297497    vr1   1181
192.168.1.175      6c:f0:49:f7:f9:97  UHLW        1     1809    vr1   1132
192.168.1.177      00:1c:c0:71:8c:c1  UHLW        1    22740    vr1   1050
192.168.1.178      00:1e:8c:95:ad:cd  UHLW        1   136704    vr1    288
192.168.1.

Re: VPN IPsec Help

2010-07-08 Thread Steve Bertrand
On 2010.07.08 10:00, Matheus Weber da Conceição wrote:
>> It has been a long time since I've done IPSec on FBSD, but I'm willing
>> to bet that this has to do with routing, possibly amongst other things.
>> On peer 'B' (FBSD box), what internal IP range are you trying to access
>> the A network from...the same ones (i.e. are you trying to bridge the
>> networks)?
>>
> The -peer A- doesn't need to access any -peer B- networks.
> 
>> Do you have access to the Cisco gear?
> No.
> 
>> If so, on FreeBSD, post the output of:
>>
>> % netstat -rn
> 
> Notes:
> tun0 is my ppp pseudo-device
> tun5 is my openvpn tunnel (192.168.5.0/24)
> 
> # netstat -rn
> Routing tables

[ big snip ]

IIRC, you don't need a gre tunnel through IPSec, as you are simply
routing between two dissimilar networks. Don't quote me on this though,
as I said earlier, it has been a very long time.

On the FreeBSD box, assuming that you *only* want to access the three
specific IPs you stated, do this:

% route add 192.168.10.24/32 200.x.x.x
% route add 192.168.201.196/32 200.x.x.x
% route add 10.115.90.236/32 200.x.x.x

On the Cisco side:

% ip route 192.168.5.0 255.255.255.0 187.x.x.x

If that works, on the FBSD side of things, add the following to
/etc/rc.conf to make them persistent across reboots:

static_routes="host1 host2 host3"
route_host1="192.168.10.24/32 200.x.x.x"
route_host2="192.168.201.196/32 200.x.x.x"
route_host3="10.115.90.236/32 200.x.x.x"

Steve


Re: VPN IPsec Help

2010-07-08 Thread Steve Bertrand
On 2010.07.08 10:51, Steve Bertrand wrote:
> On 2010.07.08 10:00, Matheus Weber da Conceição wrote:
>>> It has been a long time since I've done IPSec on FBSD, but I'm willing
>>> to bet that this has to do with routing, possibly amongst other things.
>>> On peer 'B' (FBSD box), what internal IP range are you trying to access
>>> the A network from...the same ones (i.e. are you trying to bridge the
>>> networks)?
>>>
>> The -peer A- doesn't need to access any -peer B- networks.
>>
>>> Do you have access to the Cisco gear?
>> No.
>>
>>> If so, on FreeBSD, post the output of:
>>>
>>> % netstat -rn
>>
>> Notes:
>> tun0 is my ppp pseudo-device
>> tun5 is my openvpn tunnel (192.168.5.0/24)
>> 
>> # netstat -rn
>> Routing tables
> 
> [ big snip ]
> 
> IIRC, you don't need a gre tunnel through IPSec, as you are simply
> routing between two dissimilar networks. Don't quote me on this though,
> as I said earlier, it has been a very long time.
> 
> On the FreeBSD box, assuming that you *only* want to access the three
> specific IPs you stated, do this:
> 
> % route add 192.168.10.24/32 200.x.x.x
> % route add 192.168.201.196/32 200.x.x.x
> % route add 10.115.90.236/32 200.x.x.x
> 
> On the Cisco side:

D'oh! I wasn't paying enough attention!

> % ip route 192.168.5.0 255.255.255.0 187.x.x.x

This.^^^ should read 192.168.1.0 (by the looks of things).

Steve

Re: VPN IPsec Help

2010-07-08 Thread Steve Bertrand
On 2010.07.08 10:54, Steve Bertrand wrote:
> On 2010.07.08 10:51, Steve Bertrand wrote:
>> On 2010.07.08 10:00, Matheus Weber da Conceição wrote:
>>>> It has been a long time since I've done IPSec on FBSD, but I'm willing
>>>> to bet that this has to do with routing, possibly amongst other things.
>>>> On peer 'B' (FBSD box), what internal IP range are you trying to access
>>>> the A network from...the same ones (i.e. are you trying to bridge the
>>>> networks)?
>>>>
>>> The -peer A- doesn't need to access any -peer B- networks.
>>>
>>>> Do you have access to the Cisco gear?
>>> No.
>>>
>>>> If so, on FreeBSD, post the output of:
>>>>
>>>> % netstat -rn
>>>
>>> Notes:
>>> tun0 is my ppp pseudo-device
>>> tun5 is my openvpn tunnel (192.168.5.0/24)
>>> 
>>> # netstat -rn
>>> Routing tables
>>
>> [ big snip ]
>>
>> IIRC, you don't need a gre tunnel through IPSec,

...and, I meant to say gif interface, not gre tunnel.

Steve

Re: VPN IPsec Help

2010-07-08 Thread Matheus Weber da Conceição
> % route add 192.168.10.24/32 200.x.x.x
> % route add 192.168.201.196/32 200.x.x.x
> % route add 10.115.90.236/32 200.x.x.x
add net 192.168.10.24: gateway 200.x.x.x: Network is unreachable
-- 

Matheus Weber da Conceição

Re: VPN IPsec Help

2010-07-09 Thread Matheus Weber da Conceição
>> % route add 192.168.10.24/32 200.x.x.x
>> % route add 192.168.201.196/32 200.x.x.x
>> % route add 10.115.90.236/32 200.x.x.x
> add net 192.168.10.24: gateway 200.x.x.x: Network is unreachable
> --


The kernel will not create routes automatically?


-- 

Matheus Weber da Conceição
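An added example, not code from the thread or from either poster, covering the two points the replies above circle around. First, why "route add 192.168.10.24/32 200.x.x.x" answers "Network is unreachable": route(8) only accepts a gateway that some route other than the default route can resolve, so on a box whose only way out is a ppp default route the Cisco's public address is not usable as a next hop. Second, the original question of reaching the three hosts without gif0: on FreeBSD that is done with setkey(8) tunnel-mode SPD entries, which select the traffic to encapsulate; the ESP packets then just follow the default route, so no per-host static route is needed. Because the public addresses in the thread are masked, the sample uses RFC 5737 stand-ins (203.0.113.2 for the FreeBSD side, 198.51.100.1 for the Cisco side, 192.0.2.1 for the ppp gateway); the local selector 192.168.1.0/24 is taken from the routing table, and the netstat dump below is constructed from a few of its rows. The IKE side (racoon) is not covered.

```shell
#!/bin/sh
# Added example, not from the thread. gateway_reachable() explains the
# "Network is unreachable" from route add; spd_policy() emits the setkey(8)
# tunnel-mode policies that replace gif(4) plus static routes. Public
# addresses are RFC 5737 stand-ins for the masked ones (assumptions).

# ip4_to_int A.B.C.D -> the address as a decimal integer
ip4_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# in_prefix ADDR NET/LEN -> exit 0 when ADDR falls inside NET/LEN
in_prefix() {
    a=$(ip4_to_int "$1"); n=$(ip4_to_int "${2%/*}"); l=${2#*/}
    awk -v a="$a" -v n="$n" -v l="$l" 'BEGIN {
        div = 2 ^ (32 - l)                          # size of the host part
        if (int(a / div) == int(n / div)) exit 0    # same network
        exit 1
    }'
}

# gateway_reachable GATEWAY  (reads a "netstat -rn" dump on stdin)
# The kernel dismisses "a gateway that is reachable only through the default
# router" (net/route.c), so every route except "default" is a candidate.
# Prints the first prefix containing GATEWAY, or "unreachable".
gateway_reachable() {
    gw=$1
    while read -r dest gateway flags rest; do
        case "$dest" in
            ""|Routing|Internet:|Destination|default) continue ;;
            */*) prefix=$dest ;;
            *)   prefix="$dest/32" ;;               # host route
        esac
        if in_prefix "$gw" "$prefix"; then
            echo "connected $prefix"
            return 0
        fi
    done
    echo "unreachable"
    return 1
}

# spd_policy LOCAL_NET ME PEER HOST...  -> setkey(8) policies on stdout
# One out/in pair per remote host: traffic between LOCAL_NET and HOST is
# wrapped in ESP between the two public addresses. The SPD selects the
# traffic; the encapsulated packets follow the default route to the peer.
spd_policy() {
    local_net=$1; me=$2; peer=$3; shift 3
    for h in "$@"; do
        printf 'spdadd %s %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$local_net" "$h" "$me" "$peer"
        printf 'spdadd %s/32 %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$h" "$local_net" "$peer" "$me"
    done
}

# Constructed routing table in the layout of the thread's netstat -rn,
# trimmed to the rows that matter, masked addresses replaced as noted above.
SAMPLE_RT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0 16087385   tun0
127.0.0.1          127.0.0.1          UH          0   357142    lo0
203.0.113.2        127.0.0.1          UH          0      120    lo0
192.168.1.0/24     link#3             UC          0        0    vr1
192.168.1.1        00:19:5b:71:9b:ed  UHLW        1   237725    lo0'

# check_sample GATEWAY -> result of gateway_reachable against SAMPLE_RT
check_sample() {
    printf '%s\n' "$SAMPLE_RT" | gateway_reachable "$1"
}

# Stand-alone demo: the Cisco peer is unusable as a next hop, a LAN host is
# fine, and the policies for the thread's three hosts are printed.
echo "198.51.100.1: $(check_sample 198.51.100.1)"
echo "192.168.1.9:  $(check_sample 192.168.1.9)"
spd_policy 192.168.1.0/24 203.0.113.2 198.51.100.1 \
    192.168.10.24 192.168.201.196 10.115.90.236
```

Run it with sh on the FreeBSD box after substituting the real addresses, then feed the printed lines to "setkey -c" (or keep them in /etc/ipsec.conf with ipsec_enable="YES" in rc.conf) and let racoon negotiate the SAs. The local selector must match what the Cisco's crypto ACL expects: if the far side only accepts the gateway's own public address as the source, the 192.168.1.0/24 in the spdadd lines has to change to that /32, since mismatched selectors are the usual reason a tunnel-mode SA never comes up.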