ipsec vpn - gif_if connection problem

Hello guys,

I have 3x 8.1-RELEASE i386 machines with a custom kernel that consists of the GENERIC kernel plus:
Code:
options IPSEC
options IPSEC_DEBUG
device crypto
These are the 3 extra options needed for an IPSEC/racoon VPN. All the setup was made according to http://www.freebsd.org/doc/handbook/ipsec.html and it worked. I got to the racoon/setkey part and, after I managed to get that working too, at some point the gif interfaces stopped communicating (a.k.a. no more connection between the 3 machines).

At first I thought it was a routing problem, but I didn't see anything weird; then I turned to the firewall (pf) and disabled it, but with no effect. Step by step I disabled racoon and setkey and recreated the gif interfaces, but still no effect.

For the sake of sanity, I will detail below only 2 machines:

machine 1 (192.168.1.0/24 gw 192.168.1.1):
Code:
[root@mainserver1 ~]# ifconfig gif2
gif2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.55.0 --> 79.113.90.52
        inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>
[root@mainserver1 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            79.113.48.1        UGS         0   123132   tun0
79.113.48.1        link#5             UHS         0        0   tun0
79.113.55.0        link#5             UHS         0       16    lo0
127.0.0.1          link#4             UH          0     1287    lo0
192.168.0.0/24     192.168.10.1       UGS         0      277   tap0
192.168.1.0/24     link#2             U           0  3249916    rl0
192.168.1.1        link#2             UHS         1        1    lo0
192.168.2.0/24     192.168.2.1        UGS         0        0   gif2
192.168.2.1        link#9             UH          0        3   gif2
192.168.10.0/24    link#8             U           0        0   tap0
192.168.10.2       link#8             UHS         0        0    lo0

machine 2 (192.168.2.0/24 gw 192.168.2.1):
Code:
[root@mainserver2 ~]# ifconfig gif1
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 79.113.90.52 --> 79.113.55.0
        inet 192.168.2.1 --> 192.168.1.1 netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>
[root@mainserver2 ~]# netstat -f inet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.144.12      UGS         0   811847   tun0
10.100.144.12      link#5             UHS         0        0   tun0
79.113.90.52       link#5             UHS         0      175    lo0
127.0.0.1          link#4             UH          0     1043    lo0
192.168.0.0/24     192.168.0.1        UGS         0       16   gif0
192.168.0.1        link#6             UH          0       19   gif0
192.168.1.0/24     192.168.1.1        UGS         0        0   gif1
192.168.1.1        link#7             UH          0        4   gif1
192.168.2.0/24     link#2             U           0  5702099    rl0
192.168.2.1        link#2             UHS         2        0    lo0

Machine 1 uses gif2 (as it goes to machine 2) and machine 2 uses gif1 (as it goes to machine 1).


Scenario:
Both gif interfaces are created. If I run ping from machine 1 to the external IP of machine 2, it works; but if I ping the internal IP of either machine from the other one, it does not.

I started tcpdump on machine 1 and started pinging from machine 2. I can see the echo reply if I ping the external IP, but not if I do the same with the internal IP. From this I am thinking there is a problem with the routing table but, to be honest, I cannot see it. If this were not the case, however, I would assume the firewall is blocking something (but the firewall is disabled).

What am I missing here?
 
UPDATE: I did a reboot of all 3 machines and commented out
Code:
ipsec_enable="YES"
in rc.conf.

I have dynamic IPs on all of the servers and I had to write a couple of scripts to handle that. Since I am new to this VPN/IPSEC/racoon stuff, I am testing different behaviour in different cases.

Tunnel working now.

The real problem was a typo in the ipsec.conf file (in which I have the SPD rules). After the reboot, since ipsec was not activated in rc.conf, the tunnel started working.
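Since the root cause turned out to be a typo in the SPD rules, the check a practitioner would want is one that cross-checks every `spdadd` line in ipsec.conf against the gif tunnel endpoints before handing the file to setkey. The script below is an added example and is not part of the original post or of the FreeBSD handbook. It assumes handbook-style rules (ipencap between the outer gif endpoints, one `-P out` rule mirrored by one `-P in` rule, a `esp/tunnel/SRC-DST/level` policy) and uses the outer addresses the post shows for machine 1 (79.113.55.0) and machine 2 (79.113.90.52); the two ipsec.conf samples are constructed for this example, and `check_spd`, `good_conf` and `typo_conf` are hypothetical helper names.

```sh
#!/bin/sh
# Cross-check setkey SPD rules against the gif tunnel endpoints.
# Added example, not from the original post. Assumes FreeBSD handbook-style
# ipsec.conf rules: spdadd <src>/32 <dst>/32 ipencap -P <in|out> ipsec esp/tunnel/<src>-<dst>/<level>;

# check_spd ME PEER  (reads ipsec.conf on stdin)
# Returns 0 when every spdadd rule is consistent with ME/PEER and the rules
# come in mirrored in/out pairs; prints each problem and returns 1 otherwise.
check_spd() {
    awk -v me="$1" -v peer="$2" '
    function strip(s) { sub(/\/32$/, "", s); return s }
    /^[[:space:]]*spdadd[[:space:]]/ {
        n++
        src = strip($2); dst = strip($3)
        dir = ""; tun = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "-P") dir = $(i + 1)
            if ($i ~ /^esp\/tunnel\//) tun = $i
        }
        split(tun, parts, "/")          # esp / tunnel / SRC-DST / level;
        split(parts[3], ep, "-")
        tsrc = ep[1]; tdst = ep[2]
        if (dir == "out")     { esrc = me;   edst = peer }
        else if (dir == "in") { esrc = peer; edst = me }
        else { printf "line %d: unknown direction \"%s\"\n", NR, dir; bad++; next }
        if (src != esrc || dst != edst) {
            printf "line %d: selector %s -> %s is wrong for a -P %s rule between %s and %s\n", NR, src, dst, dir, me, peer
            bad++
        }
        if (tsrc != esrc || tdst != edst) {
            printf "line %d: tunnel endpoints %s-%s do not match the selector %s -> %s\n", NR, tsrc, tdst, src, dst
            bad++
        }
        seen[dir]++
    }
    END {
        if (n == 0) { print "no spdadd rules found"; bad++ }
        if (seen["out"] != seen["in"]) { print "in/out rules are not mirrored"; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: a correct pair of rules for machine 1 (79.113.55.0)
# talking to machine 2 (79.113.90.52).
good_conf() {
    cat <<'EOF'
flush;
spdflush;
spdadd 79.113.55.0/32 79.113.90.52/32 ipencap -P out ipsec esp/tunnel/79.113.55.0-79.113.90.52/require;
spdadd 79.113.90.52/32 79.113.55.0/32 ipencap -P in ipsec esp/tunnel/79.113.90.52-79.113.55.0/require;
EOF
}

# Constructed sample: the same file with a transposed digit pair in the
# inbound tunnel endpoint (79.113.90.25 instead of 79.113.90.52), the kind of
# typo that silently leaves one direction of the tunnel without a policy.
typo_conf() {
    cat <<'EOF'
flush;
spdflush;
spdadd 79.113.55.0/32 79.113.90.52/32 ipencap -P out ipsec esp/tunnel/79.113.55.0-79.113.90.52/require;
spdadd 79.113.90.52/32 79.113.55.0/32 ipencap -P in ipsec esp/tunnel/79.113.90.25-79.113.55.0/require;
EOF
}

# Stand-alone run: check both samples, then the real file if present.
if [ "${0##*/}" != "sh" ] && [ -z "$SPD_CHECK_NO_MAIN" ]; then
    good_conf | check_spd 79.113.55.0 79.113.90.52 && echo "good_conf: ok"
    typo_conf | check_spd 79.113.55.0 79.113.90.52 || echo "typo_conf: rejected"
    [ -r /etc/ipsec.conf ] && check_spd 79.113.55.0 79.113.90.52 < /etc/ipsec.conf
fi
```

Run it as `sh check_spd.sh` on each gateway with that gateway's own outer address first and the peer's second; on machine 2 the arguments are swapped (79.113.90.52 79.113.55.0) and the rules in its ipsec.conf are the mirror image. After loading a file that passes, `setkey -DP` dumps the policies the kernel actually holds, which is the place to confirm that what setkey parsed is what you meant.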
 