Subject: Re: Questions about VPN with IPsec
To: Allen D. Ball <>
From: Bill Studenmund <>
List: current-users
Date: 07/31/2001 10:47:20
On Fri, 27 Jul 2001, Allen D. Ball wrote:

> Hello,
> I have previously posted these questions to netbsd-users but got no
> response.
>  Even though I am running 1.5.1, I hope I might get some help here.
> I have set up a configuration similar to the one described at
>  The link
> comes up and I can run TCP between the two machines.  However, I am still
> having trouble seeing the remote machines on the local network and vice
> versa.  I am running 1.5.1 and I am using gif(4) as the endpoints of my
> tunnel.  I am also running routed(8) on each of the machines.  I did not
> assign IPv6 addresses to the gif(4) interfaces nor the physical NICs.  The
> two address clouds are -net and -net and the
> endpoints of the tunnel are and, respectively.

Why are the endpoints not public internet addresses?

> My questions are:
> Do I need to do any IPv6 configuration to make this work?


> Is gif(4) the right hammer for this nail?
> The sited web page says to set up the routes in advance.  Does this mean in
> advance of setkey being executed in the /etc/rc.d/ipsec script?  Or in
> advance of ifconfig gif0?  Or in advance of using the link?  I have
> attempted
> to set up the routes in the /etc/ifconfig.gif0 script before and after
> running ifconfig, but the route command to provide the route from the remote
> NIC to the remote cloud fails.  (However, I can run it manually *after*
> booting and *after* the link has come up, and the route is installed, but I
> still can't get to the remote machines.)  Is there a proper incantation of
> the route command that will let me set it up in /etc/ifconfig.gif0?
> There is a third box doing NAT in front of one of the machines, but it is a
> straight redirect of one of our internet CIDR block address to its
> corresponding internal address (and I addressed this in setting up the
> SPDs).
> Because I can bring the link up, I don't think this is coming into play but
> I mention it in the interest of full disclosure.

Ahhh, that's why you are using internal addresses.

Here's the setup I'm using (the numbers have been tweaked a little):

I have one firewall box running both IPSec and NAT. I have an internal
address space on the local wire, The border box is I also have a gif interface set up tunneling the external IP
to the external IP of the gateway at work. Its config is:
	tunnel inet <my external> --> <work's external>
	inet --> netmask 0xfffffff0

I have IPSec configured between my external IP and work's external IP, and
it's set for require ESP.

I'm using manual routes. There's a route for to the
internal ethernet, and a route for pointing to the gif, and a
route for 172.16/12 pointing at

The machines inside have routes for for the ethernet, and
routes for 172.16/12 pointing to

Works fine.

Take care,
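The setup Bill describes above (a gif(4) point-to-point link between the two public addresses, IPsec requiring ESP between those same two addresses, and manually added routes for the far cloud), written out as one side's NetBSD-style shell script. This is an added example, not code from the thread or from either poster; every address is constructed (RFC 5737 documentation prefixes stand in for the two public endpoints, RFC 1918 prefixes for the private clouds), the function names are made up for this example, `ifconfig gif0 create` assumes a release where gif is a cloned interface, and transport-mode ESP between the endpoints is assumed as the way "require ESP" between the externals is expressed to setkey(8). It adds routes only after the interface is up, which is the ordering the poster's failing /etc/ifconfig.gif0 route command did not get.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Brings up one side of a
# gif(4)-over-IPsec link on NetBSD. All addresses below are constructed.
# With DRY_RUN set, the commands are printed instead of executed.

LOCAL_EXT=192.0.2.1        # this gateway's public address (IPsec and gif endpoint)
REMOTE_EXT=198.51.100.1    # the other gateway's public address
LOCAL_NET=192.168.1.0/24   # private cloud behind this gateway (reached via the ethernet)
REMOTE_NET=172.16.0.0/12   # private cloud behind the other gateway
GIF_LOCAL=10.255.255.1     # inner point-to-point addresses of the gif link
GIF_REMOTE=10.255.255.2
GIF_MASK=0xfffffff0

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. The gif interface: outer tunnel between the two public addresses,
#    inner point-to-point addresses on the gif itself. "create" is only
#    needed where gif is a cloned interface (assumption for this example).
setup_gif() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_EXT" "$REMOTE_EXT"
    run ifconfig gif0 inet "$GIF_LOCAL" "$GIF_REMOTE" netmask "$GIF_MASK"
    run ifconfig gif0 up
}

# 2. IPsec policy: require ESP on everything exchanged between the two public
#    endpoints, which covers the IP-in-IP packets the gif emits. The SAs
#    themselves come from racoon(8) or manual "add" lines, not from here.
ipsec_policy() {
    cat <<EOF
spdadd $LOCAL_EXT $REMOTE_EXT any -P out ipsec esp/transport//require;
spdadd $REMOTE_EXT $LOCAL_EXT any -P in ipsec esp/transport//require;
EOF
}

setup_ipsec_policy() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "setkey -c <<'EOF'"
        ipsec_policy
        echo "EOF"
    else
        ipsec_policy | setkey -c
    fi
}

# 3. Routes, added only once the gif is up so that the gateway address is
#    reachable when route(8) checks it. The route for LOCAL_NET comes from
#    the ethernet interface itself; hosts inside the cloud additionally need
#    a route for REMOTE_NET pointing at this gateway's internal address.
setup_routes() {
    run route add -net "$REMOTE_NET" "$GIF_REMOTE"
}

setup_tunnel() {
    setup_gif
    setup_ipsec_policy
    setup_routes
}

# Print the whole command sequence without touching the system.
plan() {
    ( DRY_RUN=1; setup_tunnel )
}

case "${1:-}" in
    apply) setup_tunnel ;;
    plan)  plan ;;
esac
```

Run it as `sh tunnel.sh plan` to review the command sequence and `sh tunnel.sh apply` on the gateway; the other gateway uses the same script with the local/remote variables swapped.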