From: "Byron Pezan" <byron.pezan@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 21 Dec 2006 16:33:38 -0500
Message-ID: <51b6baf0612211333i38ac81b7ob114830d72dfa9ba@mail.gmail.com>
Subject: ISAKMPD between FreeBSD 6.1 and OpenBSD 3.9

Does anyone have experience configuring ISAKMPD on FreeBSD?
I'm trying to get a tunnel built between FreeBSD 6.1 and OpenBSD 3.9, but am having problems convincing the FreeBSD box to route traffic through the tunnel. Here are the details:

  Tunnel Mode     Transport
  A.B.C.D         OpenBSD box external IP
  D.C.B.A         OpenBSD box internal IP
  D.C.0.0/16      Private net behind OpenBSD box
  W.X.Y.Z         FreeBSD box external IP
  Z.Y.X.W         FreeBSD box internal IP
  Z.Y.0.0/16      Private net behind FreeBSD box

Here is the output of `isakmpd -d -L -DA=10` as seen from the OpenBSD box:

15:46:30.514054 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->0000000000000000 msgid: 00000000 len: 228
    payload: SA len: 120 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 108 proposal: 1 proto: ISAKMP spisz: 0 xforms: 3
            payload: TRANSFORM len: 36
                transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
                    attribute KEY_LENGTH = 128
            payload: TRANSFORM len: 32
                transform: 1 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
            payload: TRANSFORM len: 32
                transform: 2 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = MD5
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 256)
15:46:30.839197 W.X.Y.Z.isakmp > A.B.C.D.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 84
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 36
                transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
                    attribute KEY_LENGTH = 128 [ttl 0] (id 1, len 112)
15:46:30.851759 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:46:31.175037 W.X.Y.Z.isakmp > A.B.C.D.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 180
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:46:31.188053 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 92
    payload: ID len: 12 type: IPV4_ADDR = 208.178.12.2
    payload: HASH len: 24
    payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (286174efc077306b->69ca5432aa5e90a2) [ttl 0] (id 1, len 120)
15:46:31.494160 W.X.Y.Z.isakmp > A.B.C.D.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 68
    payload: ID len: 12 type: IPV4_ADDR = 58.71.34.142
    payload: HASH len: 24 [ttl 0] (id 1, len 96)
15:46:31.507354 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 332
    payload: HASH len: 24
    payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcfca4c50
            payload: TRANSFORM len: 32
                transform: 1 ID: BLOWFISH
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
                    attribute KEY_LENGTH = 128
        payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc40e7bc6
            payload: TRANSFORM len: 28
                transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
    payload: NONCE len: 20
    payload: KEY_EXCH len: 132
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.0.0
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.1.0.0/255.255.0.0 [ttl 0] (id 1, len 360)
15:46:31.835213 W.X.Y.Z.isakmp > A.B.C.D.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 292
    payload: HASH len: 24
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x7dc9a0bc
            payload: TRANSFORM len: 32
                transform: 1 ID: BLOWFISH
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 600
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
                    attribute KEY_LENGTH = 128
    payload: NONCE len: 20
    payload: KEY_EXCH len: 132
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.0.0
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.1.0.0/255.255.0.0 [ttl 0] (id 1, len 320)
15:46:31.835527 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 52
    payload: HASH len: 24 [ttl 0] (id 1, len 80)
15:47:37.592455 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 63a13831 len: 68
    payload: HASH len: 24
    payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1 SPI: 0xcfca4c50 [ttl 0] (id 1, len 96)
15:47:37.593129 A.B.C.D.isakmp > W.X.Y.Z.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
    cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: eb2ce295 len: 80
    payload: HASH len: 24
    payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1 cookie: 286174efc077306b->69ca5432aa5e90a2 [ttl 0] (id 1, len 108)

I'm pretty sure the tunnel is coming up as I can run `tcpdump -i rl0 host [external ip of remote gateway] and esp` and see ESP packets corresponding to pings from the OpenBSD box to the FreeBSD box on both gateways. But I can never see any ESP packets originating from the FreeBSD box.

Here is the output of `tcpdump -i rl0 host W.X.Y.Z and esp` as seen from the OpenBSD box while pinging Z.Y.X.W:

15:47:21.652369 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 1 len 116
15:47:22.653005 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 2 len 116
15:47:23.662991 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 3 len 116
15:47:24.672973 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 4 len 116

We've tried adding a route to the FreeBSD box like so:

route add D.C.0.0/16 Z.Y.X.W

which only creates a loop with ICMP redirects.

We've also tried creating gif tunnels like you would with Racoon on FreeBSD, without any luck.

ifconfig gif1 create
ifconfig gif1 tunnel A.B.C.D W.X.Y.Z
ifconfig gif1 inet D.C.B.A Z.Y.X.W netmask 255.255.255.255
route add Z.Y.0.0/16 Z.Y.X.W netmask 255.255.0.0

ifconfig gif1 create
ifconfig gif1 tunnel W.X.Y.Z A.B.C.D
ifconfig gif1 inet Z.Y.X.W D.C.B.A netmask 255.255.255.255
route add D.C.0.0/16 D.C.B.A netmask 255.255.0.0

What does one have to do to get a FreeBSD box to route traffic through the tunnel?

TIA
Byron Pezan
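An added diagnostic, not part of the post above and not FreeBSD or OpenBSD code: when an IPsec tunnel negotiates but traffic only flows one way, the quickest confirmation is to line up the ESP packets seen on the wire against the SPIs negotiated in Quick Mode. In IKEv1 Quick Mode each side carries in its proposal the SPI it wants to receive on, so the initiator's accepted SPI (0xcfca4c50 in proposal 1 above) is what the responder must send on, and the responder's SPI (0x7dc9a0bc) is what the initiator sends on. The script below parses `tcpdump ... and esp` output, reports packet counts per direction, flags SPIs that were never negotiated (stray or stale SAs) and sequence-number gaps (possible loss or replay), and lists negotiated SAs that carry no packets at all. The sample capture and the negotiated-SPI table are transcribed from the post, with its A.B.C.D / W.X.Y.Z placeholders kept as literal hostnames; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the four ESP lines shown in the post, placeholders kept.
ESP_CAPTURE = """\
15:47:21.652369 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 1 len 116
15:47:22.653005 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 2 len 116
15:47:23.662991 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 3 len 116
15:47:24.672973 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 4 len 116
"""

# Transcribed from the Quick Mode exchange in the post. Key is (receiver, spi):
# each side's proposal names the SPI that side will *receive* on, so the value
# is the peer expected to send on it. A.B.C.D's proposal 1 was the one accepted.
NEGOTIATED = {
    ("A.B.C.D", 0xCFCA4C50): "W.X.Y.Z",   # initiator's SPI, responder sends on it
    ("W.X.Y.Z", 0x7DC9A0BC): "A.B.C.D",   # responder's SPI, initiator sends on it
}

# One tcpdump ESP summary line, e.g.
# "15:47:21.652369 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 1 len 116"
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) esp (?P<src>\S+) > (?P<dst>\S+) "
    r"spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<len>\d+)$"
)


def parse_esp(capture):
    """Group ESP lines into flows: {(src, dst, spi): [seq, ...]} in wire order.
    Lines that are not ESP summaries are skipped rather than guessed at."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["spi"], 16))
        flows[key].append(int(m["seq"]))
    return dict(flows)


def check_tunnel(capture, negotiated):
    """Compare observed ESP flows with the negotiated SAs.

    Returns a dict with:
      flows       {(src, dst): {"spi": int, "packets": n}}
      unknown_spi [(src, dst, spi)]  traffic on an SPI Quick Mode never agreed
      seq_gaps    {(src, dst, spi): [seqs]}  non-contiguous ESP sequence numbers
      silent      [(sender, receiver, spi)]  negotiated SAs carrying no packets
    """
    flows = parse_esp(capture)
    report = {"flows": {}, "unknown_spi": [], "seq_gaps": {}, "silent": []}
    for (src, dst, spi), seqs in flows.items():
        report["flows"][(src, dst)] = {"spi": spi, "packets": len(seqs)}
        # The receiver (dst) chose this SPI and expects exactly src to use it.
        if negotiated.get((dst, spi)) != src:
            report["unknown_spi"].append((src, dst, spi))
        expected = list(range(seqs[0], seqs[0] + len(seqs)))
        if seqs != expected:
            report["seq_gaps"][(src, dst, spi)] = seqs
    for (receiver, spi), sender in negotiated.items():
        if (sender, receiver, spi) not in flows:
            report["silent"].append((sender, receiver, spi))
    return report


if __name__ == "__main__":
    r = check_tunnel(ESP_CAPTURE, NEGOTIATED)
    for (src, dst), info in r["flows"].items():
        print(f"{src} -> {dst}: spi 0x{info['spi']:08X}, {info['packets']} packets")
    for src, dst, spi in r["unknown_spi"]:
        print(f"WARNING: {src} -> {dst} uses un-negotiated spi 0x{spi:08X}")
    for key, seqs in r["seq_gaps"].items():
        print(f"WARNING: sequence gap on {key}: {seqs}")
    for src, dst, spi in r["silent"]:
        print(f"SILENT: no ESP from {src} to {dst} on negotiated spi 0x{spi:08X}")
```

Run against the post's capture this reports four packets from A.B.C.D to W.X.Y.Z on 0x7DC9A0BC and a silent SA for the reverse direction on 0xCFCA4C50, which is the same asymmetry the post describes: the SAs exist on both ends, but nothing on the FreeBSD side is being selected into the tunnel. Feed it a longer capture from both gateways to confirm whether that stays true over a whole SA lifetime.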