Date: Wed, 15 Jul 2009 18:17:03 +0200
From: Gergely CZUCZY <phoemix@harmless.hu>
To: freebsd-net@freebsd.org
Subject: IPsec tunnel help
Message-ID: <20090715181703.00006c68@unknown>
Hello,

I'd like to ask for a bit of help. I'd like to set up an IPsec VPN between two hosts, and I'm facing an issue I can't solve myself.

The setup is the following: it's a site-to-host VPN, from A to B. At the A side there's the fbsd gateway, a 7.2 box; everything is built into the kernel, and ipsec-tools is up and running. I've got a /24 range here. Site B is a Zywall 2 Plus device.

A: pub: 217.150.138.138, local: 192.168.0.0/24
B: pub: 217.150.130.163, local box: 192.168.1.64/32
C: 192.168.0.248

Phase 1 and 2 are completed. I'm trying to ping a box from the B site behind the fbsd box, let's call it C. The ICMP echo request reaches C, and a reply is generated. The ICMP echo reply appears on the local interface of the fbsd box, but at that point it's lost; I can't find a trace of it. It's not on the gif0 interface, nor are there any outgoing ESP packets on the public interface.

Configs:

--- rc.conf ---
# IPSec VPN
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipsec_program="/usr/local/sbin/setkey"
racoon_enable="YES"
racoon_flags="-d -l /var/log/racoon.log"
--- rc.conf ---

(I've put up the gif0 by hand)

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet 217.150.138.138 --> 217.150.130.163
	inet 192.168.0.0 --> 192.168.1.64 netmask 0xffffffff

(I've also tried with 192.168.0.251 -> 192.168.1.64/32, no luck, same results)

--- ipsec.conf ---
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;
--- ipsec.conf ---

--- racoon.conf ---
log debug;
path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";

listen {
	isakmp 217.150.138.138;
	adminsock "/var/db/racoon/racoon.sock";
}

remote 217.150.130.163 {
	exchange_mode main;
	my_identifier address 217.150.138.138;
	peers_identifier address 217.150.130.163;
	verify_identifier on;
	# lifetime time 40000 sec;
	proposal_check claim;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 40000 seconds;
	}
}

sainfo address 192.168.1.64/32 any address 192.168.0.0/24 any {
	lifetime time 40000 seconds;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 192.168.0.0/24 any address 192.168.1.64/32 any {
	lifetime time 40000 seconds;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
--- racoon.conf ---

I've got the tunnel up:

# racoonctl show-sa isakmp
Destination            Cookies                           Created
217.150.130.163.500    60566fd9f22997f0:368679084fb0bf3e 2009-07-15 17:47:00

# racoonctl show-sa esp
217.150.138.138 217.150.130.163
	...
217.150.130.163 217.150.138.138
	...

(if I should show anything out of it, tell me)

I'm pinging the C box; on the local interface I see the traffic:

IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3777, length 64
IP 192.168.0.248 > 192.168.1.64: ICMP echo reply, id 1547, seq 3777, length 64

On gif0 I only see:

IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3802, length 64

and on the public interface I see the following traffic:

IP 217.150.130.163 > 217.150.138.138: ESP(spi=0x022aff56,seq=0x627), length 116

No ESP packets from the fbsd box to the ZyXEL (A->B). Practically, traffic comes in and reaches the box on the local net, but any traffic going outside is being lost somewhere.

In pf.conf I allow the traffic to go through:

--- pf.conf snippet ---
pass in quick on $if_inetfw proto udp from any to ($if_inetfw:0) port 500 keep state
pass in quick on $if_inetfw proto {esp,ah,ipencap} from any to ($if_inetfw:0) keep state
pass out quick on $if_inetfw proto {esp,ah,ipencap} from any to any keep state
--- pf.conf snippet ---

So the question is, what is wrong? Why don't I have any traffic going to the B host out of the fbsd box? And how can this be fixed?
Thanks in advance

--
Sincerely,
Gergely CZUCZY
+36-30-9702963
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090715181703.00006c68>
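Editor's note, an added example that is not part of the original mail or of any reply to it. Both `spdadd` lines quoted in the posted ipsec.conf carry `-P in`. A setkey security policy only matches packets moving in the direction it names, so with no `-P out` policy for 192.168.0.0/24 -> 192.168.1.64/32 on the gateway, outbound packets in that flow are never handed to ESP; that is consistent with the symptom of echo replies reaching the gateway but no A->B ESP appearing on the public interface. The shell function below, written for this page, reads `spdadd` lines on stdin and lists every flow whose reverse policy in the opposite direction is absent. The sample input is constructed from the two policies in the mail; the second sample is the same pair with the return flow marked `out`, for comparison.

```shell
# spd_missing: read "spdadd SRC DST ... -P DIR ipsec ..." lines on stdin and
# print one line for each flow that has no reverse policy (DST SRC) in the
# opposite direction. A gateway that both receives and sends through a tunnel
# normally needs both halves. Output is sorted so it is stable for checking.
spd_missing() {
  awk '
    $1 == "spdadd" {
      src = $2; dst = $3; dir = ""
      # the direction is the token following -P
      for (i = 4; i <= NF; i++) if ($i == "-P") dir = $(i + 1)
      if (dir == "") next
      seen[src " " dst " " dir] = 1
    }
    END {
      for (k in seen) {
        split(k, f, " ")
        want = (f[3] == "in") ? "out" : "in"
        rev = f[2] " " f[1] " " want
        if (!(rev in seen))
          print "missing: spdadd " f[2] " " f[1] " -P " want
      }
    }' | sort
}

# Constructed sample 1: the two policies as posted in the mail (both -P in).
SAMPLE_SPD='spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;'

# Constructed sample 2: same flows, return direction marked -P out.
SAMPLE_SPD_PAIRED='spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P out ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;'

# Wrappers that return the check result for each sample.
check_sample() { printf '%s\n' "$SAMPLE_SPD" | spd_missing; }
check_paired() { printf '%s\n' "$SAMPLE_SPD_PAIRED" | spd_missing; }

# Stand-alone run: report what the posted configuration is missing.
check_sample
```

On a live box the same function can be fed the running SPD, for example `setkey -DP | spd_missing`, after folding setkey's multi-line dump back into one `spdadd`-style line per policy; the function only looks at the first three fields and the `-P` token, so any line that is not an `spdadd` is ignored.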