Subject: Questions about VPN with IPsec
To: None <netbsd-users@netbsd.org>
From: Allen D. Ball <ball@iprotium.com>
List: netbsd-users
Date: 07/25/2001 19:05:35

Hello,

Please CC me on any replies because I am not a regular subscriber to this
list.

I have set up a configuration similar to the one described at
http://www.netbsd.org/Documentation/network/ipsec/#sample_vpn.  The link
comes up and I can run TCP between the two machines.  However, I am still
having trouble seeing the remote machines on the local network and vice
versa.  I am running 1.5.1 and I am using gif(4) as the endpoints of my
tunnel.  I am also running routed(8) on each of the machines.  I did not
assign IPv6 addresses to the gif(4) interfaces nor the physical NICs.  The
two address clouds are -net 10.1.0.0/16 and -net 10.254.0.0/16 and the
endpoints of the tunnel are 10.0.0.1 and 10.0.0.254, respectively.

My questions are:

Do I need to do any IPv6 configuration to make this work?

Is gif(4) the right hammer for this nail?

The cited web page says to set up the routes in advance.  Does this mean in
advance of setkey being executed in the /etc/rc.d/ipsec script?  Or in
advance of ifconfig gif0?  Or in advance of using the link?  I have
attempted to set up the routes in the /etc/ifconfig.gif0 script before and
after running ifconfig, but the route command to provide the route from the
remote NIC to the remote cloud fails.  (However, I can run it manually
*after* booting and *after* the link has come up, and the route is
installed, but I still can't get to the remote machines.)  Is there a proper
incantation of the route command that will let me set it up in
/etc/ifconfig.gif0?

There is a third box doing NAT in front of one of the machines, but it is a
straight redirect of one of our internet CIDR block addresses to its
corresponding internal address (and I addressed this in setting up the
SPDs).  Because I can bring the link up, I don't think this is coming into
play, but I mention it in the interest of full disclosure.

I appreciate any help.  Thank you.

Allen
