Date:      Wed, 15 Jul 2009 18:17:03 +0200
From:      Gergely CZUCZY <phoemix@harmless.hu>
To:        freebsd-net@freebsd.org
Subject:   IPsec tunnel help
Message-ID:  <20090715181703.00006c68@unknown>

Hello,

I'd like to ask for a bit of a help.

I'd like to set up an IPSec VPN between two hosts, and I'm facing an
issue I can't solve myself.

The setup is the following:
It's a site-to-host VPN, from A to B.
On the A side there's the fbsd gateway; it's a 7.2 box, everything is built
into the kernel, and ipsec-tools is up and running. I've got a /24
range here.

Site B is a Zywall 2 Plus device.

A: pub: 217.150.138.138, local: 192.168.0.0/24
B: pub: 217.150.130.163, local box: 192.168.1.64/32
C: 192.168.0.248

Phase 1 and 2 are completed. I'm trying to ping a box from the B site
behind the fbsd box, let's call it C. The icmp-echo-request reaches C,
and a reply is generated. The icmp-echo-reply appears on the local interface
of the fbsd box, but at that point it's lost; I can't find a trace of
it. It's not on the gif0 IF, and there aren't any outgoing ESP
packets on the public interface either.

Configs:
--- rc.conf ---
# IPSec VPN
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipsec_program="/usr/local/sbin/setkey"
racoon_enable="YES"
racoon_flags="-d -l /var/log/racoon.log"

--- rc.conf ---
(I've put up gif0 by hand)

gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 217.150.138.138 --> 217.150.130.163
        inet 192.168.0.0 --> 192.168.1.64 netmask 0xffffffff
(I've also tried with 192.168.0.251->192.168.1.64/32, no luck, same
results)

--- ipsec.conf ---
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec
  esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec
  esp/tunnel/217.150.138.138-217.150.130.163/unique;
--- ipsec.conf ---

--- racoon.conf ---
log debug;

path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile        "/var/run/racoon.pid";

listen {
       isakmp   217.150.138.138;
       adminsock        "/var/db/racoon/racoon.sock";
}

remote 217.150.130.163 {
       exchange_mode main;

       my_identifier    address 217.150.138.138;
       peers_identifier address 217.150.130.163;
       verify_identifier        on;

#       lifetime                time    40000 sec;

       proposal_check   claim;

       proposal
       {
        encryption_algorithm    3des;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        dh_group                2;
        lifetime time           40000 seconds;
       }
}

sainfo address 192.168.1.64/32 any address 192.168.0.0/24 any {
       lifetime time          40000 seconds;
       encryption_algorithm   3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm    deflate;
}

sainfo address 192.168.0.0/24 any address 192.168.1.64/32 any {
       lifetime time          40000 seconds;
       encryption_algorithm   3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm    deflate;
}
--- racoon.conf ---

I've got the tunnel up:
# racoonctl show-sa isakmp
Destination            Cookies                           Created
217.150.130.163.500    60566fd9f22997f0:368679084fb0bf3e 2009-07-15 17:47:00
# racoonctl show-sa esp
217.150.138.138 217.150.130.163
...
217.150.130.163 217.150.138.138
...
(if I should show anything out of it, tell me)

I'm pinging the C box; on the local IF I see the traffic:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3777, length 64
IP 192.168.0.248 > 192.168.1.64: ICMP echo reply, id 1547, seq 3777, length 64


On gif0 I only see:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3802, length 64


and on the public IF I see the following traffic:
IP 217.150.130.163 > 217.150.138.138: ESP(spi=0x022aff56,seq=0x627), length 116


No ESP packets from the fbsd box to the zyxel (A->B). Practically,
traffic comes in and reaches the box on the local net, but any traffic
going outside is lost somewhere.

In the pf.conf I allow the traffic to go through:
--- pf.conf snippet ---
pass in quick on $if_inetfw proto udp from any to ($if_inetfw:0) port 500 keep state
pass in quick on $if_inetfw proto {esp,ah,ipencap} from any to ($if_inetfw:0) keep state
pass out quick on $if_inetfw proto {esp,ah,ipencap} from any to any keep state
--- pf.conf snippet ---

So the question is, what is wrong, and why don't I have any traffic
going to the B host out of the fbsd box? And how can this be fixed?

Thanks in advance

-- 
Sincerely,
Gergely CZUCZY

+36-30-9702963
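One thing worth checking in a setup like the one posted above is the direction of each SPD entry: setkey matches packets leaving the gateway only against `-P out` policies, and both spdadd lines in the posted ipsec.conf say `-P in`, so no policy tells the kernel to encapsulate traffic from 192.168.0.0/24 towards 192.168.1.64. The script below is an added example, not part of the original mail or of ipsec-tools; it lints a setkey SPD file by comparing each policy's direction with its tunnel endpoints (the gateway's public address is assumed to be the one given in the mail) and can print the corrected policies.

```shell
#!/bin/sh
# Added example (not from the original post): lint a setkey SPD file so that
# every spdadd's "-P in|out" agrees with its tunnel endpoints. On a gateway
# whose public address is GW_PUB, an "in" policy tunnels remote->GW_PUB and
# an "out" policy tunnels GW_PUB->remote. MODE "fix" rewrites the direction.

GW_PUB="217.150.138.138"   # A-side public address, taken from the post

# Constructed copy of the posted ipsec.conf: the second policy says "in"
# although it covers traffic leaving 192.168.0.0/24 for B.
SPD_BAD='spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec
  esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec
  esp/tunnel/217.150.138.138-217.150.130.163/unique;'

# spd_lint CONFIG [check|fix]: "check" prints one OK/BAD verdict per policy,
# "fix" prints the config with every direction corrected.
spd_lint() {
    printf '%s\n' "$1" | awk -v gw="$GW_PUB" -v mode="${2:-check}" '
        /^spdadd/ { hdr = $0; next }          # hold header until its tunnel line
        /^[ \t]+(esp|ah)\/tunnel\// {
            line = hdr " " $0
            split(line, f, /[ \t]+/)          # f[2]=src f[3]=dst f[6]=direction
            split(f[8], t, "/")                # t[3] = "TUNSRC-TUNDST"
            split(t[3], ep, "-")
            want = (ep[2] == gw) ? "in" : (ep[1] == gw) ? "out" : "?"
            if (mode == "fix") {
                if (want != "?") sub(/-P (in|out)/, "-P " want, hdr)
                print hdr; print $0
            } else {
                printf "%s %s %s -> %s (tunnel %s needs %s)\n",
                       (f[6] == want ? "OK " : "BAD"), f[6], f[2], f[3], t[3], want
            }
            next
        }
        mode == "fix" { print }                # spdflush etc. pass through
    '
}

# spd_bad_count CONFIG: number of policies whose direction is wrong
spd_bad_count() {
    spd_lint "$1" check | awk '/^BAD/ { n++ } END { print n + 0 }'
}

spd_lint "$SPD_BAD" check
```

Running it on the posted configuration flags the second policy; `spd_lint "$SPD_BAD" fix` emits the same file with that policy changed to `-P out`.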



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090715181703.00006c68>