I decided to join two networks over the Internet using two FreeBSD boxes (one of them does NAT). I enable IPsec support in the kernel and add these lines to rc.conf:
ipsec_enable="YES"
gif_interfaces="gif0"
I install racoon and write scripts along these lines:
#!/bin/sh
# Restart the IKE daemon, logging to its own file
killall racoon
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
# BSD1=host1 BSD2=host2
BSD1_IP="192.168.100.101"        # inner (gif0) address of host1
BSD1_PUB_IP="111.111.111.111"    # outer (public) address of host1
BSD1_NET="192.168.100.0/24"
BSD2_IP="192.168.102.101"        # inner (gif0) address of host2
BSD2_PUB_IP="222.222.222.222"    # outer (public) address of host2
BSD2_NET="192.168.102.0/24"
GIF0="gif0 inet"
GIFCONFIG="/usr/sbin/gifconfig"
IFCONFIG="/sbin/ifconfig"
HOSTNAME=`/bin/hostname`
NETMASK="255.255.255.0"
echo "\nStarting ipsec tunnel... "
case $HOSTNAME in
host1)
# outer endpoints of the gif tunnel
$GIFCONFIG $GIF0 $BSD1_PUB_IP $BSD2_PUB_IP
# inner point-to-point addresses; the mask needs the "netmask" keyword,
# otherwise ifconfig takes it as the destination address
$IFCONFIG $GIF0 $BSD1_IP $BSD2_IP netmask $NETMASK
# flush old policies and SAs, then load the SPD
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec
esp/tunnel/${BSD1_IP}-${BSD2_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec
esp/tunnel/${BSD2_IP}-${BSD1_IP}/require;
EOF
# route the remote LAN through the tunnel
/sbin/route delete $BSD2_NET
/sbin/route add $BSD2_NET $BSD1_IP
;;
host2)
$GIFCONFIG $GIF0 $BSD2_PUB_IP $BSD1_PUB_IP
$IFCONFIG $GIF0 $BSD2_IP $BSD1_IP netmask $NETMASK
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd $BSD2_NET $BSD1_NET any -P out ipsec
esp/tunnel/${BSD2_IP}-${BSD1_IP}/require;
spdadd $BSD1_NET $BSD2_NET any -P in ipsec
esp/tunnel/${BSD1_IP}-${BSD2_IP}/require;
EOF
/sbin/route delete $BSD1_NET
/sbin/route add $BSD1_NET $BSD2_IP
;;
esac

I run it, and gifconfig gif0 gives roughly the following:
flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::204:76ff:fe96:9f57%gif0 prefixlen 64
inet 192.168.100.101 --> 255.255.255.0 netmask 0xffffff00
physical address inet 111.111.111.111 --> 222.222.222.222
The second machine is the same, i.e. it seems to work, but pings between the networks behind the two hosts don't go through. And racoon.log looks like this:
d as isakmp port (fd=6)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): fe80::204:76ff:fed1:7cb[500] used as isakmp port (fd=7)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): 192.168.102.101[500] used as isakmp port (fd=8)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): fe80::204:76ff:fed1:7cb[500] used as isakmp port (fd=9)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=10)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): fe80::1[500] used as isakmp port (fd=11)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): ::1[500] used as isakmp port (fd=12)
2002-09-02 13:33:41: INFO: isakmp.c:1357:isakmp_open(): 222.222.222.222[500] used as isakmp port (fd=13)
So, the actual question: what am I doing wrong?
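Added example, not part of the post above: a small Python consistency check for a gif + setkey setup like the one described. It takes the host1 SPD entries and the gifconfig output from the post as constructed sample input, checks that each ESP tunnel-mode endpoint pair is the gif interface's physical (outer) address pair, since those are the addresses the SAs are negotiated between, and flags a gif destination that is really the netmask.

```python
import re

# Constructed sample input, copied in shape from the post above: the two SPD
# entries host1 feeds to setkey and the gifconfig output it prints.
SPD_TEXT = """
spdadd 192.168.100.0/24 192.168.102.0/24 any -P out ipsec
esp/tunnel/192.168.100.101-192.168.102.101/require;
spdadd 192.168.102.0/24 192.168.100.0/24 any -P in ipsec
esp/tunnel/192.168.102.101-192.168.100.101/require;
"""
GIF_TEXT = """gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::204:76ff:fe96:9f57%gif0 prefixlen 64
inet 192.168.100.101 --> 255.255.255.0 netmask 0xffffff00
physical address inet 111.111.111.111 --> 222.222.222.222
"""

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+")

def parse_spd(text):
    """Return one dict per spdadd entry: selector, direction, tunnel src/dst."""
    return [{"src": m[1], "dst": m[2], "dir": m[3], "tsrc": m[4], "tdst": m[5]}
            for m in SPD_RE.finditer(text)]

def parse_gif(text):
    """Pull inner (inet) and outer (physical address) endpoints out of gifconfig."""
    inner = re.search(r"^inet (\S+) --> (\S+) netmask (\S+)", text, re.M)
    outer = re.search(r"^physical address inet (\S+) --> (\S+)", text, re.M)
    mask = int(inner[3], 16)
    return {"inner_src": inner[1], "inner_dst": inner[2],
            "netmask": ".".join(str((mask >> s) & 0xff) for s in (24, 16, 8, 0)),
            "outer_src": outer[1], "outer_dst": outer[2]}

def check_tunnel(policies, gif):
    """Flag tunnel endpoints that are not the gif outer pair, and a gif
    destination equal to the netmask (mask passed without the netmask keyword)."""
    findings = []
    for p in policies:
        # Seen from this host: outbound SAs run outer_src -> outer_dst, inbound the reverse.
        want = ((gif["outer_src"], gif["outer_dst"]) if p["dir"] == "out"
                else (gif["outer_dst"], gif["outer_src"]))
        if (p["tsrc"], p["tdst"]) != want:
            findings.append("%s policy %s->%s: tunnel %s-%s, expected %s-%s"
                            % (p["dir"], p["src"], p["dst"], p["tsrc"], p["tdst"], *want))
    if gif["inner_dst"] == gif["netmask"]:
        findings.append("gif0 destination %s equals its netmask" % gif["inner_dst"])
    return findings

if __name__ == "__main__":
    for f in check_tunnel(parse_spd(SPD_TEXT), parse_gif(GIF_TEXT)):
        print("finding:", f)
```

On the sample input it reports both SPD entries (tunnel endpoints are the 192.168.x gif addresses instead of 111.111.111.111/222.222.222.222) and the netmask-as-destination line.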