
Re: IPSec / FreeSWAN (linux) - Question 'bout VPN



I don't know if you mentioned it in your previous posts or not but 
have you enabled the ESP IPSec setting on your system? I made this 
mistake when I upgraded my firewall to 3.4 and I forgot to do this step 
myself and my VPN connection to the office wouldn't run anymore.

You should have the following in your /etc/sysctl.conf file:

net.inet.esp.enable=1           # 0=Disable the ESP IPsec protocol

Also, if you have pf set up on your OpenBSD box, you need to allow esp 
packets to pass to/from the remote VPN server, e.g.:

#
# Pass esp in/out from/to the vpn server
#
pass out quick on $ext_if proto esp from any to $vpn_server
pass in quick on $ext_if proto esp from $vpn_server to any

Tony

On Sunday 08 February 2004 10:43 am, Martín Marconcini wrote:
> > -----Original Message-----
> > From: Stephen J. Bevan [mailto:stephen@dino.dnsalias.com]
> >
> >
> > The only "bug/limitation" that stops you from being able to
> > ping from LINUXn to LINUXn is if you only set up a
> > subnet<->subnet tunnel and forget to set up a gateway<->gateway
>
> Ok, thanks for the info. I didn't know and I didn't configure the
> linux side of the VPN. I've only been told: gws cannot see each
> other.
>
> > tunnel.  There are ways around having to set up the
> > (additional) gateway<->gateway tunnel by using iproute2
> > to stuff packets down the subnet<->subnet tunnel but that's
> > not exactly a normal IPsec setup.
> >
> >
> > Without the config files, everyone has to guess what your
> > setup really is, which makes it pretty tough to help.  Since
> > FreeS/WAN barfs are pretty large, the suggestion on that
> > FreeS/WAN list is to put them up on a web-site somewhere.
>
> I put them in the following URI:
>
> HTML version:
> http://www.jaskus.net/vpn/openbsd.htm
>
> TXT Version:
> http://www.jaskus.net/vpn/openbsdvpn.txt
>
> ZIP Version of the TXT:
> http://www.jaskus.net/vpn/openbsdvpn.zip
>
> ZIP Version of the HTML:
> http://www.jaskus.net/vpn/openbsd.zip
>
> Thanks in advance for reading them.
>
> Martin.

-- 
Anthony Schlemmer
aschlemm@comcast.net