Date: Mon, 26 Mar 2007 13:07:16 -0500 (CDT) From: Robert Johannes <rjohanne@piper.hamline.edu> To: Tom Judge <info@plot.uz> Cc: freebsd-security@freebsd.org Subject: Re: freebsd vpn server behind nat dsl router Message-ID: <Pine.LNX.4.64.0703261244350.1577@wnk.hamline.edu> In-Reply-To: <45F8B01A.50106@tomjudge.com> References: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu> <20070307170617.GA2799@zen.inc> <Pine.LNX.4.64.0703071146580.3635@wnk.hamline.edu> <20070307212442.GA1384@jayce.zen.inc> <Pine.LNX.4.64.0703141353250.3246@wnk.hamline.edu> <45F8B01A.50106@tomjudge.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 15 Mar 2007, Tom Judge wrote:
> Robert Johannes wrote:
>>
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>>
>> Ok, I have done quite a bit of work since my last email, but I still don't
>> see visible progress. I did rebuild world and the kernel with the NAT-T
>> patches/support that you recommended. I have been playing around with
>> ipsec e.t.c.
>>
>> I have created an esp tunnel between my two sites, and I am sending some
>> ping traffic to the remote end, but the packets don't seem to get through.
>> Here's a snippet of what I see on tcpdump:
>>
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly have you set your DSL routers up to nat the ipencap protocol back to
> your FreeBSD box? (IPencap is a IP payload protocol, not a TCP or UDP
> payload, so you will probably need a prity advanced router to do this). The
> packets you see here are not protected by IPSEC they are just plain old
> IPENCAP packets. If they where IPSEC packets I would expect to see ESP as
> the protocol and not see the encapsulated packet header (Again when you get
> IPSEC working you are going to need to NAT these packets to your freebsd
> boxes.)
You are right that the dsl routers I have can't nat the ipencap protocol
(or perhaps I just don't know how to configure them to.) I have
configured them to do port forwarding of the 4500 port(NAT-T) to the
freebsd vpn servers, and that works because I can do a tcpdump on that
port and see traffic coming in from the internet, by simply telneting to
that port.
So, I don't have ipsec working. How do I debug ipsec to see where I am
failing?
>>> From what I can tell, the kernel knows that it is to send the ping request
>> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135
>> and 201.240.165.191. But, there's no request from the other end. Doing a
>> tcpdump on the other side (192.168.0.254), nothing is coming in. I have
>> also done a ping from the latter machine to the former, but with exactly
>> the same problem. Nothing seems to get to the other end.
>>
>> The tunnel is not using racoon yet. I figure that I should be able to see
>> some traffic going back and forth before I use racoon to manage keys. The
>> tunnel was created by the following lines on one host, and reversed on the
>> other:
>>
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>>
>> If any one can shed some more light on this, I would appreciate it.
>>
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong but your tunnel seems to be an IP protocol 4 payload
> which is ipencap (see /etc/protocols).
>
> Hope this helps.
Yes, this helps me know where I am at. I don't have ipsec working, just
plain-old ipencap, which is what I am trying to by-pass to begin with
because my routers can't handle nating ipencap.
So, in order to get ipsec and NAT-T working, which I did all the patch
work to get NAT-T support, it is not enough to have the above entries in
/etc/ipsec.conf? What else do I need to do? Must I configure racoon as
well, otherwise ipsec doesn't work? And if I do get ipsec working, how do
I know, because I have not seen any log entries related to ipsec, except
for the ones at bootup {WARNING: debug.mpsafenet forced to 0 as ipsec
requires Giant IPsec: Initialized Security Association Processing.}
Thanks for your responses.
robert
>
> Tom
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.64.0703261244350.1577>