Date:      Thu, 31 Jan 2013 11:25:10 -0500
From:      Jack Carrozzo <jack@crepinc.com>
To:        freebsd-isp@freebsd.org
Cc:        Alexander Grant <agrant917@gmail.com>
Subject:   IPsec dynamic client config
Message-ID:  <CAJ__M-14XU7hW1vykivUe8uwW6n6_cKcApk%2BMuA2Q03LurvoyA@mail.gmail.com>

Hi,

I'm running 9.1-RELEASE. I began by following this tutorial to get IPsec
working with iPhones and laptops:
http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_Roadwarrior_IPSec

In short, racoon is happy, the clients connect successfully and the ipsec
tunnels come up. However, packets mysteriously disappear:
- route -rn doesn't show any additional routes when the client is connected
- arp -an doesn't list the private IPs
- pings to the client IP (10.10.0.1 in this case) simply disappear...
tcpdump on the external interface doesn't show the ICMPs themselves nor any
ipsec packets (though lots of ipsec traffic is seen during a connection),
while ICMP to any other IP behaves as expected

Since I'm running ipsec in tunnel mode (i.e. not transport), do I need to
configure a local gif interface to tie the private IPs to? I can't find
anything in racoon's conf that allows you to set the local private IP, only
the IP pool and netmask.

Configs:

racoon.conf: http://pastebin.com/VUC0gDMM
# cat setkey.conf
flush;
spdflush;
# cat psk.txt
* moose
# grep -e ipsec -e racoon /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# ipfw show
65535 236592 53425760 allow ip from any to any

Kernel options:

options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFORWARD
options IPSEC_ESP
options IPSEC_DEBUG

Logs:

IPsec tunnels: http://pastebin.com/X3ymAaUT and http://pastebin.com/EJ9Y6hXV
racoon.log (with DEBUGs, 2185 lines): http://pastebin.com/pibMc53k
racoon.log (just INFOs, 38 lines): http://pastebin.com/K9cyUe5t

Thanks,

-Jack
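One check the mail's list (route, arp, ping, tcpdump) does not include is the kernel security policy database itself: since the posted setkey.conf only flushes the SPD, any tunnel policy for 10.10.0.1 has to come from racoon, and `setkey -DP` shows whether one was installed. The helper below is an added example, not from the poster or the tutorial; it parses a constructed sample of `setkey -DP` output (documentation addresses, assumed to follow the ipsec-tools dump format) and reports whether an in/out ESP tunnel policy exists for a given client address.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the original mail): given the text of
# `setkey -DP`, report whether a tunnel-mode ESP policy exists for a client
# address in a given direction. With setkey.conf only flushing the SPD, a
# policy for the client can only have been installed by racoon; without one
# the kernel has nothing to match outbound packets to 10.10.0.1 against.

# Constructed sample of what `setkey -DP` prints (format assumed from
# ipsec-tools; 198.51.100.1 = gateway, 203.0.113.5 = roadwarrior public IP).
SPD_SAMPLE='10.10.0.1[any] 0.0.0.0/0[any] any
    in ipsec
    esp/tunnel/203.0.113.5-198.51.100.1/require
    spid=1 seq=1 pid=4242
    refcnt=1
0.0.0.0/0[any] 10.10.0.1[any] any
    out ipsec
    esp/tunnel/198.51.100.1-203.0.113.5/require
    spid=2 seq=0 pid=4242
    refcnt=1
'

# spd_has_tunnel_policy DUMP CLIENT_IP DIRECTION(in|out)
# Prints the tunnel endpoints of the matching policy and returns 0,
# or prints nothing and returns 1 if no such policy is in the dump.
spd_has_tunnel_policy() {
    printf '%s' "$1" | awk -v ip="$2" -v dir="$3" '
        # Non-indented line: start of a policy record "src[port] dst[port] proto"
        /^[^ \t]/ { src = $1; dst = $2; matched = 0; next }
        # Indented "in ipsec" / "out ipsec" line: direction and action
        $1 == dir && $2 == "ipsec" {
            sub(/\[.*$/, "", src); sub(/\[.*$/, "", dst)
            if (dir == "in"  && src == ip) matched = 1
            if (dir == "out" && dst == ip) matched = 1
            next
        }
        # Only a tunnel-mode ESP rule counts; transport mode would not encapsulate
        matched && $1 ~ /^esp\/tunnel\// { print $1; found = 1; matched = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Run both directions for the client address from the mail.
for d in "in" "out"; do
    if ep=$(spd_has_tunnel_policy "$SPD_SAMPLE" 10.10.0.1 "$d"); then
        echo "SPD: $d tunnel policy for 10.10.0.1 present ($ep)"
    else
        echo "SPD: no $d tunnel policy for 10.10.0.1; racoon installed none"
    fi
done
```

On the live box, replace the sample with `setkey -DP` output while a client is connected; `setkey -D` shows the matching SAs the same way.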