From: Gergely CZUCZY
To: freebsd-net@freebsd.org
Date: Wed, 15 Jul 2009 18:17:03 +0200
Message-ID: <20090715181703.00006c68@unknown>
Subject: IPsec tunnel help
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I'd like to ask for a bit of help. I'd like to set up an IPsec VPN between two hosts, and I'm facing an issue I can't solve myself.

The setup is the following: it's a site-to-host VPN, from A to B. At the A side there's the fbsd gateway; it's a 7.2 box, everything is built into the kernel, and ipsec-tools is up and running. I've got a /24 range here. Site B is a Zywall 2 Plus device.

A: pub: 217.150.138.138, local: 192.168.0.0/24
B: pub: 217.150.130.163, local box: 192.168.1.64/32
C: 192.168.0.248

Phase 1 and 2 are completed. I'm trying to ping a box from the B site behind the fbsd box, let's call it C.
The icmp-echo-request reaches C, and a reply is generated. The icmp-echo-reply appears on the local interface of the fbsd box, but at that point it's lost; I can't find a trace of it. It's not on the gif0 IF, and there aren't any outgoing ESP packets on the public interface either.

Configs:

--- rc.conf ---
# IPSec VPN
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipsec_program="/usr/local/sbin/setkey"
racoon_enable="YES"
racoon_flags="-d -l /var/log/racoon.log"
--- rc.conf ---

(I've put up the gif0 by hand)

gif0:
gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 217.150.138.138 --> 217.150.130.163
        inet 192.168.0.0 --> 192.168.1.64 netmask 0xffffffff

(I've also tried with 192.168.0.251 -> 192.168.1.64/32, no luck, same results)

--- ipsec.conf ---
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;
--- ipsec.conf ---

--- racoon.conf ---
log debug;
path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";

listen {
        isakmp 217.150.138.138;
        adminsock "/var/db/racoon/racoon.sock";
}

remote 217.150.130.163 {
        exchange_mode main;
        my_identifier address 217.150.138.138;
        peers_identifier address 217.150.130.163;
        verify_identifier on;
        # lifetime time 40000 sec;
        proposal_check claim;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 40000 seconds;
        }
}

sainfo address 192.168.1.64/32 any address 192.168.0.0/24 any {
        lifetime time 40000 seconds;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 192.168.0.0/24 any address 192.168.1.64/32 any {
        lifetime time 40000 seconds;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
--- racoon.conf ---

I've got the tunnel up:

# racoonctl show-sa isakmp
Destination            Cookies                           Created
217.150.130.163.500    60566fd9f22997f0:368679084fb0bf3e 2009-07-15 17:47:00

# racoonctl show-sa esp
217.150.138.138 217.150.130.163
        ...
217.150.130.163 217.150.138.138
        ...

(if I should show anything out of it, tell me)

I'm pinging the C box; on the local IF I see the traffic:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3777, length 64
IP 192.168.0.248 > 192.168.1.64: ICMP echo reply, id 1547, seq 3777, length 64

On the gif0 I only see:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3802, length 64

And on the public IF I see the following traffic:
IP 217.150.130.163 > 217.150.138.138: ESP(spi=0x022aff56,seq=0x627), length 116

No ESP packets from the fbsd box to the zyxel (A->B). Practically, traffic comes in and reaches the box on the local net, but any traffic going outside is being lost somewhere.

In the pf.conf I allow the traffic to go through:

--- pf.conf snippet ---
pass in quick on $if_inetfw proto udp from any to ($if_inetfw:0) port 500 keep state
pass in quick on $if_inetfw proto {esp,ah,ipencap} from any to ($if_inetfw:0) keep state
pass out quick on $if_inetfw proto {esp,ah,ipencap} from any to any keep state
--- pf.conf snippet ---

So the question is: what is wrong, and why don't I have any traffic going to the B host out of the fbsd box? And how can this be fixed?

Thanks in advance

--
Sincerely,
Gergely CZUCZY
+36-30-9702963
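Editor's note on the SPD above: both spdadd entries use "-P in". In setkey(8) the direction is in, out or fwd, and only an out policy makes the kernel apply ESP to packets leaving the gateway, which matches the symptom of replies vanishing with no outbound ESP. The checker below is an added example, not code from the post or from ipsec-tools: it parses spdadd lines, flags a tunnel whose endpoints disagree with the policy direction and a selector pair with no opposite-direction counterpart, and runs on the posted SPD beside a corrected copy (constructed input), assuming 217.150.138.138 is the local gateway.

```python
import re

# Matches one setkey(8) spdadd line of the form used in the post (ESP tunnel mode).
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+\s*;"
)

def parse_spd(text):
    """Return one dict per spdadd line: selector src/dst, direction, tunnel endpoints."""
    return [
        {"src": m[1], "dst": m[2], "dir": m[3], "tun_src": m[4], "tun_dst": m[5]}
        for m in SPDADD.finditer(text)
    ]

def check_spd(text, local_gw):
    """List SPD problems: tunnel endpoints that disagree with the policy direction,
    and policies whose return direction has no counterpart with the opposite -P."""
    policies = parse_spd(text)
    problems = []
    for p in policies:
        # An out policy tunnels from our gateway; an in policy tunnels to it.
        if p["dir"] == "out" and p["tun_src"] != local_gw:
            problems.append(f"out policy {p['src']} -> {p['dst']}: tunnel source "
                            f"{p['tun_src']} is not the local gateway {local_gw}")
        if p["dir"] == "in" and p["tun_dst"] != local_gw:
            problems.append(f"in policy {p['src']} -> {p['dst']}: tunnel destination "
                            f"{p['tun_dst']} is not the local gateway {local_gw}")
        want = "out" if p["dir"] == "in" else "in"
        if not any(q["src"] == p["dst"] and q["dst"] == p["src"] and q["dir"] == want
                   for q in policies):
            problems.append(f"no '{want}' policy for {p['dst']} -> {p['src']} to pair "
                            f"with the '{p['dir']}' policy {p['src']} -> {p['dst']}")
    return problems

# Constructed input: the SPD from the post (both entries -P in) and a corrected copy.
LOCAL_GW, REMOTE_GW = "217.150.138.138", "217.150.130.163"
AS_POSTED = f"""spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/{REMOTE_GW}-{LOCAL_GW}/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/{LOCAL_GW}-{REMOTE_GW}/unique;
"""
# Corrected: local-net -> remote-host traffic leaves the gateway, so that policy is -P out.
CORRECTED = AS_POSTED.replace("192.168.1.64/32 any -P in", "192.168.1.64/32 any -P out")

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}: {check_spd(conf, LOCAL_GW) or ['no problems found']}")
```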