Date: Mon, 26 Mar 2007 13:07:16 -0500 (CDT)
From: Robert Johannes <rjohanne@piper.hamline.edu>
To: Tom Judge <info@plot.uz>
Cc: freebsd-security@freebsd.org
Subject: Re: freebsd vpn server behind nat dsl router
Message-ID: <Pine.LNX.4.64.0703261244350.1577@wnk.hamline.edu>
In-Reply-To: <45F8B01A.50106@tomjudge.com>
References: <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu> <20070307170617.GA2799@zen.inc> <Pine.LNX.4.64.0703071146580.3635@wnk.hamline.edu> <20070307212442.GA1384@jayce.zen.inc> <Pine.LNX.4.64.0703141353250.3246@wnk.hamline.edu> <45F8B01A.50106@tomjudge.com>
On Thu, 15 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>>
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>> Ok, I have done quite a bit of work since my last email, but I still don't
>> see visible progress. I did rebuild world and the kernel with the NAT-T
>> patches/support that you recommended. I have been playing around with
>> ipsec etc.
>>
>> I have created an esp tunnel between my two sites, and I am sending some
>> ping traffic to the remote end, but the packets don't seem to get through.
>> Here's a snippet of what I see on tcpdump:
>>
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly, have you set your DSL routers up to NAT the ipencap protocol back
> to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP or UDP
> payload, so you will probably need a pretty advanced router to do this.)
> The packets you see here are not protected by IPSEC; they are just plain
> old IPENCAP packets. If they were IPSEC packets I would expect to see ESP
> as the protocol and not see the encapsulated packet header. (Again, when
> you get IPSEC working you are going to need to NAT these packets to your
> freebsd boxes.)

You are right that the dsl routers I have can't nat the ipencap protocol
(or perhaps I just don't know how to configure them to.) I have configured
them to do port forwarding of the 4500 port (NAT-T) to the freebsd vpn
servers, and that works because I can do a tcpdump on that port and see
traffic coming in from the internet, by simply telnetting to that port.
So, I don't have ipsec working. How do I debug ipsec to see where I am
failing?

>> From what I can tell, the kernel knows that it is to send the ping request
>> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135
>> and 201.240.165.191. But, there's no request from the other end. Doing a
>> tcpdump on the other side (192.168.0.254), nothing is coming in. I have
>> also done a ping from the latter machine to the former, but with exactly
>> the same problem. Nothing seems to get to the other end.
>>
>> The tunnel is not using racoon yet. I figure that I should be able to see
>> some traffic going back and forth before I use racoon to manage keys. The
>> tunnel was created by the following lines on one host, and reversed on the
>> other:
>>
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>>
>> If any one can shed some more light on this, I would appreciate it.
>>
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong, but your tunnel seems to be an IP protocol 4
> payload, which is ipencap (see /etc/protocols).
>
> Hope this helps.

Yes, this helps me know where I am at. I don't have ipsec working, just
plain-old ipencap, which is what I am trying to by-pass to begin with
because my routers can't handle nating ipencap. So, in order to get ipsec
and NAT-T working, which I did all the patch work to get NAT-T support, it
is not enough to have the above entries in /etc/ipsec.conf? What else do I
need to do? Must I configure racoon as well, otherwise ipsec doesn't work?

And if I do get ipsec working, how do I know, because I have not seen any
log entries related to ipsec, except for the ones at bootup:

    WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
    IPsec: Initialized Security Association Processing.

Thanks for your responses.

robert

>
> Tom
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
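As an added example (not from the thread): a site-A /etc/ipsec.conf that pairs the SPD entries with manually keyed ESP SAs, which is what lets traffic flow before racoon is set up, since spdadd lines alone only state a policy and without matching SAs the kernel has nothing to encrypt with. It assumes the endpoint addresses quoted above, plain ESP with no UDP encapsulation (the NAT-T encapsulated SAs are what racoon negotiates later), and constructed placeholder keys.

```conf
# /etc/ipsec.conf for site A (outer 190.41.95.135, LAN 192.168.1.0/24).
# Added example, not from the thread; site B loads the mirror image
# (same SAs, "in"/"out" policies swapped). Keys below are constructed
# placeholders: generate real ones with "openssl rand -hex 16" (AES-128)
# and "openssl rand -hex 20" (HMAC-SHA1), one distinct pair per direction.

flush;
spdflush;

# Manual SAs, one per direction, distinct SPIs, tunnel mode.
# These are what racoon would otherwise negotiate and install.
add 190.41.95.135 201.240.151.15 esp 0x1001 -m tunnel
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1    0x0011223344556677889900112233445566778899;
add 201.240.151.15 190.41.95.135 esp 0x1002 -m tunnel
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1    0x99887766554433221100998877665544332211ff;

# Policies: LAN-to-LAN traffic must use the ESP tunnel in both directions.
# The inner subnets are the selectors; the outer addresses are the tunnel
# endpoints, and each policy's direction matches its endpoint order.
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
    esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/201.240.151.15-190.41.95.135/require;
```

Load it with `setkey -f /etc/ipsec.conf`, then `setkey -D` lists the SAs and `setkey -DP` the policies; with both in place a ping across the LANs should show up on the outer interface in `tcpdump -ni <ext_if> esp` as `ESP(spi=0x00001001,...)` rather than as ipip-proto-4.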