Thread: routing gif0 ipsec
routing gif0 ipsec
Portugal, 2008-04-28 12:18:47
Hi all, I am trying to route all traffic from a gif0 interface used for a VPN
to a public IP on the same server that is like an alias.
I have the following schema (FreeBSD 6.3):
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 67.228.79.224 --> 74.86.163.16
        inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
        inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
The VPN from 172.16.224.1 --> 172.16.16.1 works: I can ping/telnet to
172.16.16.1 and get a response.
The jail is running on IP 67.228.79.224 (the same IP used for the VPN/IPsec),
but if I log in to that jail (jexec 1 csh) I cannot ping 172.16.16.1.
Currently I am trying this with pf:
--
nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
pass in log from any to any keep state
pass out log from any to any keep state
--
but it is not working: from the jail (67.228.79.224) I cannot ping/telnet
172.16.16.1 over the VPN.
There is a tool called jumpgate with which I can redirect incoming TCP to gif0
and forward traffic to em1 without problems, but instead I would like to use pf:
jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
With this I can telnet from the other endpoint to port 80 and forward the
connection to the public IP of the jail through the VPN tunnel.
Any ideas on how to solve this issue using pf, or maybe some routing rules?
Regards.
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"
Re: routing gif0 ipsec
Netherlands, 2008-04-28 12:59:33
Hello Nicolas,
Would you mind stopping sending your (same) email to all mailing lists, twice
or more?
I've seen your problem in 7 mails already.
I don't know a solution, but as you can see most people don't know it.
It doesn't help resending it each time.
I'm sorry for acting like a list operator, but I think I speak for more people
on the lists.
-- Jille
Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi all, I am trying to route all traffic from a gif0 interface used for a VPN
> to a public IP on the same server that is like an alias
> [...]
Re: routing gif0 ipsec
Portugal, 2008-04-29 13:18:08
Hi all, the solution to my problem was to recompile the kernel with this
option:
#options IPSEC_FILTERGIF
Now I can route/NAT traffic with pf without any problems. Hope this can help
someone.
Regards
> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi all, I am trying to route all traffic from a gif0 interface used for a
>> VPN to a public IP on the same server that is like an alias
>> [...]
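Putting the posted ruleset and the IPSEC_FILTERGIF fix together, as an added example (my own, not code from the thread): with the KAME IPsec stack in FreeBSD 6.x, a packet that arrives through an IPsec-protected gif tunnel is by default not handed to the packet filter at all; the comment above that option in sys/conf/NOTES says packets coming from a tunnel are assumed trusted. So the replies from 172.16.16.1 coming back in through gif0 never reached pf, no state matched, and the jail's NAT was never reversed. IPSEC_FILTERGIF makes the decapsulated packets go through pf (and ipfw) like any other traffic, which is also what you want from a security point of view: without it, anything the far end of the tunnel sends bypasses your filter. Two practical checks: the option line as quoted in the thread has a leading '#', which config(8) reads as a comment, so the copy in your kernel config must not have it; and once tunnel packets are filtered, the rules on gif0 must explicitly allow the tunnel traffic rather than rely on it slipping past. The script below prints the kernel options, checks a kernel config file for the uncommented option, and renders a pf.conf that does what the posted rules do but with default deny instead of pass any to any. Addresses and interface names are the ones from the original post; the ESP/IKE rules on em1, the pf macro names and the assumption that this is KAME IPsec (not FAST_IPSEC) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses and interface names are
# the ones posted; the ESP/IKE rules, the macro names and the choice of the
# KAME IPsec kernel options are assumptions about the poster's setup.

EXT_IF=em1                 # public interface carrying the ESP packets
TUN_IF=gif0                # IP-in-IP tunnel protected by IPsec
JAIL_IP=67.228.79.224      # jail address; also the gif0 outer (tunnel) source
TUN_LOCAL=172.16.224.1     # inner address of gif0 on this host
VPN_PEER=172.16.16.1       # inner address of the far end
REMOTE_OUTER=74.86.163.16  # far end's tunnel endpoint

# Kernel options the fix depends on. No leading '#': config(8) would treat
# such a line as a comment, which is how the line appears when copied
# from sys/conf/NOTES.
kernel_options() {
    cat <<'EOF'
options         IPSEC             # KAME IPsec
options         IPSEC_ESP         # ESP support
options         IPSEC_FILTERGIF   # run decapsulated tunnel packets through pf
EOF
}

# Return 0 when OPT is enabled in kernel config FILE, i.e. an uncommented
# "options OPT" line exists; "#options OPT" and "options OPTX" do not count.
kernel_option_enabled() {
    file=$1
    opt=$2
    grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|#|$)" "$file"
}

# Render a pf.conf equivalent to the posted rules, tightened: default deny,
# the rdr limited to the tunnel address, and explicit rules for the outer
# ESP/IKE traffic that carries the tunnel on the public interface.
render_pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
tun_if = "$TUN_IF"
jail_ip = "$JAIL_IP"
tun_local = "$TUN_LOCAL"
vpn_peer = "$VPN_PEER"
remote_outer = "$REMOTE_OUTER"

# Translation rules are evaluated before filter rules. "pass" in a
# translation rule passes the packet and creates state, so the jail's
# outbound traffic and the redirected port 80 need no extra pass rules.
nat pass on \$tun_if from \$jail_ip to \$vpn_peer -> \$tun_local
rdr pass on \$tun_if proto tcp from \$vpn_peer to \$tun_local port 80 -> \$jail_ip

block log all

# Outer traffic on the public interface: ESP between the tunnel endpoints,
# and IKE (udp/500) if a daemon such as racoon negotiates the SAs (assumption).
pass in  quick on \$ext_if proto esp from \$remote_outer to \$jail_ip
pass out quick on \$ext_if proto esp from \$jail_ip to \$remote_outer
pass in  quick on \$ext_if proto udp from \$remote_outer to \$jail_ip port 500 keep state
pass out quick on \$ext_if proto udp from \$jail_ip to \$remote_outer port 500 keep state

# The host's own traffic to the far end over the tunnel (not only the jail's).
pass out on \$tun_if from \$tun_local to \$vpn_peer keep state

# Host-originated traffic on the public side; add "pass in" rules for any
# services the host itself exposes on \$ext_if.
pass out on \$ext_if all keep state
EOF
}
```

Usage: add the lines from kernel_options to your kernel config (on 6.x that lives under /usr/src/sys/<arch>/conf), rebuild with make buildkernel and make installkernel using KERNCONF=<your config>, and reboot. Check the generated ruleset with pfctl -nf before loading it. After a ping from inside the jail, pfctl -s state should show a state on gif0 with the jail address translated to 172.16.224.1; if the state appears but the reply never matches it, the kernel running is still one without IPSEC_FILTERGIF.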