Subject: Re: Questions about VPN with IPsec
To: Allen D. Ball <email@example.com>
From: Bill Studenmund <firstname.lastname@example.org>
Date: 07/31/2001 10:47:20
On Fri, 27 Jul 2001, Allen D. Ball wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I have previously posted these questions to netbsd-users but got no
> Even though I am running 1.5.1, I hope I might get some help here.
> I have set up a configuration similar to the one described at
> http://www.netbsd.org/Documentation/network/ipsec/#sample_vpn. The link
> comes up and I can run TCP between the two machines. However, I am still
> having trouble seeing the remote machines on the local network and vice
> versa. I am running 1.5.1 and I am using gif(4) as the endpoints of my
> tunnel. I am also running routed(8) on each of the machines. I did not
> assign IPv6 addresses to the gif(4) interfaces nor the physical NICs. The
> two address clouds are -net 10.1.0.0/16 and -net 10.254.0.0/16 and the
> endpoints of the tunnel are 10.0.0.1 and 10.0.0.254, respectively.
Why are the endpoints not public internet addresses?
> My questions are:
> Do I need to do any IPv6 configuration to make this work?
> Is gif(4) the right hammer for this nail?
> The sited web page says to set up the routes in advance. Does this mean in
> advance of setkey being executed in the /etc/rc.d/ipsec script? Or in
> advance of ifconfig gif0? Or in advance of using the link? I have
> to set up the routes in the /etc/ifconfig.gif0 script before and after
> running ifconfig, but the route command to provide the route from the remote
> NIC to the remote cloud fails. (However, I can run it manually *after*
> booting and *after* the link has come up, and the route is installed, but I
> still can't get to the remote machines.) Is there a proper incantation of
> the route command that will let me set it up in /etc/ifconfig.gif0?
> There is a third box doing NAT in front of one of the machines, but it is a
> straight redirect of one of our internet CIDR block address to its
> corresponding internal address (and I addressed this in setting up the
> Because I can bring the link up, I don't think this is coming into play but
> I mention it in the interest of full disclosure.
Ahhh, that's why you are using internal addresses.
Here's the setup I'm using (the numbers have been tweaked a little):
I have one firewal box running both IPSec and NAT. I have an internal
address space on the local wire, 172.18.0.16/28. The border box is
172.18.0.17. I also have a gif interface set up tunneling the external IP
to the external IP of the gateway at work. It's config is:
tunnel inet <my external> --> <work's external>
inet 172.18.0.17 --> 172.17.255.1 netmask 0xfffffff0
I have IPSec configured between my external IP and work's external IP, and
it's set for require ESP.
I'm using manual routes. There's a route for 172.18.0.16/28 to the
internal ethernet, and a route for 172.17.255.1 pointing to the gif, and a
route for 172.16/12 pointing at 172.17.255.1.
The machines inside have routes for 172.18.0.16/28 for the ethernet, and
routes for 172.16/12 pointing to 172.18.0.17.