Hi I wonder if anyone can help?
I have configured two Racoon VPN IPSec tunnels and used the following script below to set up the Setkey parameters and basic routing. I also have
Code:
gateway_enable="YES"
set in the /etc/rc.config file.
I can ping from hub1 to the spoke and back again, and also from hub2 to the spoke and back again, but I can not ping from hub1 to hub2, or from hub2 to hub1, which I really want to be able to do! So for example from source 7.7.3.254 on hub 2 to 7.7.1.254. My issue appears to be one of the packets not routing through the hub, as I can see them reaching the hub, and your ideas would be greatly appreciated.
Code:
#!/bin/sh
# Tunnel 1: BSD1 is the local (hub) end, BSD2 the remote end
BSD1_IP="7.7.2.254"
BSD1_PUB_IP="192.168.22.18"
BSD1_NET="7.7.2.0/24"
BSD2_IP="7.7.1.254"
BSD2_PUB_IP="192.168.22.23"
BSD2_NET="7.7.1.0/24"
# Tunnel 2: BSD3 is the local (hub) end, BSD4 the remote end
BSD3_IP="7.7.5.254"
BSD3_PUB_IP="192.168.22.18"
BSD3_NET="7.7.5.0/24"
BSD4_IP="7.7.3.254"
BSD4_PUB_IP="192.168.22.24"
BSD4_NET="7.7.3.0/24"
GIF0="gif0"
GIF1="gif1"
GIF0_INET="$GIF0 inet"
GIF1_INET="$GIF1 inet"
GIFCONFIG="/sbin/ifconfig"
HOSTNAME=`/bin/hostname`
NETMASK="255.255.255.0"
echo "\nStarting ipsec tunnel... "
echo $GIF0_INET
echo $GIF1_INET
# Recreate both gif interfaces from scratch so stale addresses do not linger
$GIFCONFIG $GIF0 destroy
$GIFCONFIG $GIF0 create
$GIFCONFIG $GIF1 destroy
$GIFCONFIG $GIF1 create
case $HOSTNAME in
    FreeBSD-x64-2)
        echo $HOSTNAME
        # Outer (public) tunnel endpoints and inner (private) addresses
        $GIFCONFIG $GIF0 tunnel $BSD1_PUB_IP $BSD2_PUB_IP
        $GIFCONFIG $GIF0_INET $BSD1_IP $BSD2_IP netmask $NETMASK
        $GIFCONFIG $GIF1 tunnel $BSD3_PUB_IP $BSD4_PUB_IP
        $GIFCONFIG $GIF1_INET $BSD3_IP $BSD4_IP netmask $NETMASK
        # Flush the security policy database and the SA database, then load
        # one in/out ESP tunnel policy pair per tunnel
        /sbin/setkey -FP
        /sbin/setkey -F
        /sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec
    esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec
    esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
spdadd $BSD3_NET $BSD4_NET any -P out ipsec
    esp/tunnel/${BSD3_PUB_IP}-${BSD4_PUB_IP}/require;
spdadd $BSD4_NET $BSD3_NET any -P in ipsec
    esp/tunnel/${BSD4_PUB_IP}-${BSD3_PUB_IP}/require;
EOF
        # Static routes for each remote network via the tunnel's local address
        /sbin/route add $BSD2_NET $BSD1_IP
        /sbin/route add $BSD4_NET $BSD3_IP
        ;;
esac
Code:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.22.1 UGS 0 23 em0
7.7.1.0/24 7.7.2.254 US 0 0 gif0
7.7.1.254 link#6 UH 0 451 gif0
7.7.2.254 link#6 UHS 0 2 lo0
7.7.3.0/24 7.7.5.254 US 0 5 gif1
7.7.3.254 link#7 UH 0 133 gif1
7.7.5.254 link#7 UHS 0 67 lo0
127.0.0.1 link#5 UH 0 4 lo0
192.168.22.0/24 link#2 U 0 2171 em0
192.168.22.18 link#2 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 link#5 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%em0/64 link#2 U em0
fe80::20c:29ff:fea3:1b14%em0 link#2 UHS lo0
fe80::%lo0/64 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
fe80::%gif0/64 link#6 U gif0
fe80::20c:29ff:fea3:1b14%gif0 link#6 UHS lo0
fe80::%gif1/64 link#7 U gif1
fe80::20c:29ff:fea3:1b14%gif1 link#7 UHS lo0
ff01::%em0/32 fe80::20c:29ff:fea3:1b14%em0 U em0
ff01::%lo0/32 ::1 U lo0
ff01::%gif0/32 fe80::20c:29ff:fea3:1b14%gif0 U gif0
ff01::%gif1/32 fe80::20c:29ff:fea3:1b14%gif1 U gif1
ff02::/16 ::1 UGRS lo0
ff02::%em0/32 fe80::20c:29ff:fea3:1b14%em0 U em0
ff02::%lo0/32 ::1 U lo0
ff02::%gif0/32 fe80::20c:29ff:fea3:1b14%gif0 U gif0
ff02::%gif1/32 fe80::20c:29ff:fea3:1b14%gif1 U gif1
root@FreeBSD-x64-2:~ #
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:a3:1b:14
inet6 fe80::20c:29ff:fea3:1b14%em0 prefixlen 64 scopeid 0x2
inet 192.168.22.18 netmask 0xffffff00 broadcast 192.168.22.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 192.168.22.18 --> 192.168.22.23
inet 7.7.2.254 --> 7.7.1.254 netmask 0xffffff00
inet6 fe80::20c:29ff:fea3:1b14%gif0 prefixlen 64 scopeid 0x6
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 192.168.22.18 --> 192.168.22.24
inet 7.7.5.254 --> 7.7.3.254 netmask 0xffffff00
inet6 fe80::20c:29ff:fea3:1b14%gif1 prefixlen 64 scopeid 0x7
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>