Re: ARP Problem - Please Help

2003-07-31 Thread Lowell Gilbert
Company 2210 [EMAIL PROTECTED] writes:

 My problem is this (and it's driving me nuts as I can't see the
 solution). I have two FreeBSD boxes acting as routers, the layout is like
 this:
 
 
 Clients (12.20.78.0/25) --- (eth0) ROUTER A (eth1) === (eth1) ROUTER B (eth0) --- (12.20.65.69) Upstream ISP --- Internet
 
 Router A Configuration:
 
 eth0: 12.20.78.1 Subnet 255.255.255.128
 eth1: 10.0.0.1 Subnet 255.255.255.0
 
 Router B Configuration:
 
 eth0: 12.20.65.70 Subnet 255.255.255.252
 eth1: 10.0.0.2 Subnet 255.255.255.0
 
 
 The private IPs denote an IPSEC VPN connection (Wireless) between ROUTER A
 & B, all the client PCs are on public IPs. Now, the VPN works perfectly,
 encrypting the packets over the wireless link, however ROUTER A's eth0
 interface does not appear in the arp -a lookup:
 
 ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
 ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
 ? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
 ? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
 ? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
 ? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
 ? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

Those look like entries for all the local nets...

 If I try and force the entry, I receive the following error:
 
 routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
 set: can only proxy for 12.20.78.1

Router B shouldn't need that, because it isn't on that link, and
Router A shouldn't need it because it *is* 12.20.78.1.  What are you
trying to do?

 The big problem this is causing is that clients cannot ping the gateway, and
 it responds to no requests (i.e. I can't ssh into it), but it still forwards
 packets perfectly. Basically it's like 12.20.78.1 was invisible. The other
 strange thing is, that if I ssh into ROUTER B and ping 12.20.78.1 I receive
 replies:

What host and gateway addresses are you referring to in the first
sentence, and why are you surprised by the second?

 routerb# ping 12.20.78.1
 PING 12.20.78.1 (12.20.78.1): 56 data bytes
 64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
 64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
 64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
 ^C
 --- 12.20.78.1 ping statistics ---
 3 packets transmitted, 3 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms
 
 
 The output of ROUTER B's arp table is displayed below:
 
 ? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
 ? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
 ? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]
 
 
 I am completely at a loss as to how to get around this problem. Any help or
 advice would be really great as I've spent the past 3 days, and the floor is
 littered with tufts of hair ;) Just in case this is any help, this is the
 output from setkey -DP (For encrypting the packets across the 10.0.0.x link)
 on each router:
 
 ROUTER A:
 
 0.0.0.0/0[any] 12.20.78.0/25[any] any
 in ipsec
 esp/tunnel/10.0.0.2-10.0.0.1/require
 spid=2 seq=1 pid=778
 refcnt=1
 12.20.78.0/25[any] 0.0.0.0/0[any] any
 out ipsec
 esp/tunnel/10.0.0.1-10.0.0.2/require
 spid=1 seq=0 pid=778
 refcnt=1
 
 ROUTER B:
 
 12.20.78.0/25[any] 0.0.0.0/0[any] any
 in ipsec
 esp/tunnel/10.0.0.1-10.0.0.2/require
 spid=8 seq=1 pid=24377
 refcnt=1
 0.0.0.0/0[any] 12.20.78.0/25[any] any
 out ipsec
 esp/tunnel/10.0.0.2-10.0.0.1/require
 spid=7 seq=0 pid=24377
 refcnt=1


I don't really get the eth0 nomenclature, anyway; I've seen it on
Linux, where the device type is abstracted behind a common name, but I
don't know what it means in a FreeBSD setup...
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


ARP Problem - Please Help

2003-07-27 Thread Company 2210
Hi,
My problem is this (and it's driving me nuts as I can't see the
solution). I have two FreeBSD boxes acting as routers, the layout is like
this:


Clients (12.20.78.0/25) --- (eth0) ROUTER A (eth1) === (eth1) ROUTER B (eth0) --- (12.20.65.69) Upstream ISP --- Internet

Router A Configuration:

eth0: 12.20.78.1 Subnet 255.255.255.128
eth1: 10.0.0.1 Subnet 255.255.255.0

Router B Configuration:

eth0: 12.20.65.70 Subnet 255.255.255.252
eth1: 10.0.0.2 Subnet 255.255.255.0


The private IPs denote an IPSEC VPN connection (Wireless) between ROUTER A
& B, all the client PCs are on public IPs. Now, the VPN works perfectly,
encrypting the packets over the wireless link, however ROUTER A's eth0
interface does not appear in the arp -a lookup:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

If I try and force the entry, I receive the following error:

routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
set: can only proxy for 12.20.78.1

The big problem this is causing is that clients cannot ping the gateway, and
it responds to no requests (i.e. I can't ssh into it), but it still forwards
packets perfectly. Basically it's like 12.20.78.1 was invisible. The other
strange thing is, that if I ssh into ROUTER B and ping 12.20.78.1 I receive
replies:

routerb# ping 12.20.78.1
PING 12.20.78.1 (12.20.78.1): 56 data bytes
64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
^C
--- 12.20.78.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms


The output of ROUTER B's arp table is displayed below:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]


I am completely at a loss as to how to get around this problem. Any help or
advice would be really great as I've spent the past 3 days, and the floor is
littered with tufts of hair ;) Just in case this is any help, this is the
output from setkey -DP (For encrypting the packets across the 10.0.0.x link)
on each router:

ROUTER A:

0.0.0.0/0[any] 12.20.78.0/25[any] any
in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require
spid=2 seq=1 pid=778
refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require
spid=1 seq=0 pid=778
refcnt=1

ROUTER B:

12.20.78.0/25[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require
spid=8 seq=1 pid=24377
refcnt=1
0.0.0.0/0[any] 12.20.78.0/25[any] any
out ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require
spid=7 seq=0 pid=24377
refcnt=1


Please help!!! :))

Many Thanks


Colin Watson
(Nearly bald guy)
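
An added example, not part of the original post or the reply: it checks Router A's SPD selectors from the `setkey -DP` output above against the flows the post describes. It assumes first-match selector lookup and that cleartext inbound packets matching a `require` policy are discarded; the function names and the 192.0.2.10 destination are constructed for illustration.

```python
import ipaddress

# Router A's SPD, transcribed from the setkey -DP output in the post:
# (source selector, destination selector, direction, tunnel endpoints).
ROUTER_A_SPD = [
    ("0.0.0.0/0", "12.20.78.0/25", "in", "10.0.0.2-10.0.0.1"),
    ("12.20.78.0/25", "0.0.0.0/0", "out", "10.0.0.1-10.0.0.2"),
]

def match_policy(spd, src, dst, direction):
    """Return the first SPD entry whose selectors cover the packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_src, p_dst, p_dir, tunnel in spd:
        if (p_dir == direction
                and s in ipaddress.ip_network(p_src)
                and d in ipaddress.ip_network(p_dst)):
            return (p_src, p_dst, p_dir, tunnel)
    return None

def verdict(spd, src, dst, direction, arrived_in_esp=False):
    """Classify one packet against the SPD.

    Assumption: level 'require' means an inbound packet that matches the
    policy but did not arrive through the ESP tunnel is discarded, and an
    outbound match is handed to the tunnel instead of the plain interface.
    """
    if match_policy(spd, src, dst, direction) is None:
        return "bypass"        # no policy applies, normal IP processing
    if direction == "out":
        return "needs-esp"     # encapsulated towards the tunnel peer
    return "ipsec-ok" if arrived_in_esp else "discard"

# Flows from the post; 12.20.78.42 is a client seen in Router A's ARP table,
# 192.0.2.10 is a constructed stand-in for an Internet host.
FLOWS = [
    ("client pings gateway", "12.20.78.42", "12.20.78.1", "in", False),
    ("gateway echo reply to client", "12.20.78.1", "12.20.78.42", "out", False),
    ("client to Internet, LAN side", "12.20.78.42", "192.0.2.10", "in", False),
    ("Router B pings 12.20.78.1", "10.0.0.2", "12.20.78.1", "in", True),
]

def evaluate(spd=ROUTER_A_SPD, flows=FLOWS):
    """Map each flow label to its verdict."""
    return {label: verdict(spd, s, d, direction, esp)
            for label, s, d, direction, esp in flows}

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:32} {result}")
```

Under those assumptions, on-link traffic addressed to 12.20.78.1 falls under the inbound `require` policy because 0.0.0.0/0 also covers the clients' own subnet, while ARP is not IP and is not subject to the SPD at all.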







