From: Rickard Borgmäster
To: Lars Eggert
Cc: freebsd-net@freebsd.org
Date: Wed, 20 Mar 2002 23:18:02 +0100
Subject: Re: IPSec tunnel FreeBSD<->OpenBSD using isakmp
Message-Id: <20020320231802.222a8dd2.doktorn@realworld.nu>
In-Reply-To: <3C98EF33.6090207@isi.edu>
References: <20020320205735.0851b080.doktorn@realworld.nu> <3C98EF33.6090207@isi.edu>

On Wed, 20 Mar 2002 12:21:07 -0800
Lars Eggert hit the keyboard and punched:

> > I can see this at OpenBSD box:
> > # netstat -rn
> > [...]
> > Port Destination Port Proto SA(Address/Proto/Type/Direction)
> > 192.168.2/24 0 10.0.0/24 0 0 130.236.218.63/50/use/in
> > 10.0.0/24 0 192.168.2/24 0 0 130.236.218.63/50/require/out
> >
> > However, on the FreeBSD side, netstat -rn won't show anything about
> > 10.0.0.0/24. Maybe Encap routes won't show in the ordinary routing
> > table on FreeBSD?
>
> It looks like the OpenBSD IPsec implementation integrates IPsec tunnel
> mode SAs with the routing table (good!) FreeBSD's KAME doesn't (yet;
> more recent KAME SNAPs have "device sec" which looks promising).

KAME? Is KAME something I need?

The only thing I've added is

  options IPSEC
  options IPSEC_ESP

to my kernel and installed the isakmpd port. Then, of course, set up the
/etc/isakmpd/isakmpd.conf file.

> > From either the OpenBSD or FreeBSD box, I am unable to reach the
> > private net behind the other IPSec node. Ie, from FreeBSD box, I
> > cannot reach 10.0.0.0/24. And from OpenBSD box, I cannot reach
> > 192.168.2.0/24.
>
> I bet your boxes pick the wrong source address when you generate packets
> on them to go to the other net, because you don't have any interfaces
> configured on these nets (IPsec SAs aren't interfaces, at least on
> FreeBSD). Try tcpdumping and tell me what you get.

Not sure I get your point here. Why don't I have any interface on these
nets? Do you mean that on the FreeBSD box with:

  pub-ip:   130.236.218.63
  priv-net: 192.168.2.0/24

...that I'm missing an interface with a 10.0.0.x address here? I think I'm
lost here... :-/

Well, tcpdump on the OpenBSD box, while pinging 10.0.0.1 from FBSD, gives
nothing. No packets received.

tcpdump output on FBSD while pinging 10.0.0.1:

tcpdump: listening on xl0
23:08:31.194401 0:1:2:fa:aa:76 0:0:c:7:ac:29 0800 98: 130.236.218.63 > 10.0.0.1: icmp: echo request

I also get a message (from where I don't know...) like this:

PING 10.0.0.1 (10.0.0.1): 56 data bytes
36 bytes from linkoping-2-FE1-0-0.sunet.se (130.242.201.73): Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 cf42   0 0000  3d  01 473a 130.236.218.63  10.0.0.1

This indicates that when I ping 10.0.0.1, packets go out the "normal" way
instead of taking the path through the tunnel.

Almost the same thing on OpenBSD:

tcpdump: listening on xl1
23:13:17.016763 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 98: 213.88.128.173 > 192.168.2.17: icmp: echo request
23:13:18.023316 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 98: 213.88.128.173 > 192.168.2.17: icmp: echo request
23:13:18.031981 0:c0:7b:a3:71:b6 0:10:4b:cf:1f:e0 0800 70: 62.95.60.2 > 213.88.128.173: icmp: host 192.168.2.17 unreachable

I hope I got the tcpdump stuff that interests you. I didn't really figure
out what else to tcpdump on :-)

Thing is, that both machines work just fine as IPSec peers, but not as
"nodes" or what to call it. They pass the ESP packets just fine, and
connect their private/NATed networks to each other. So the *BSDs serve
their clients just fine, but cannot use the tunnel themselves...

-- 
Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/
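The behaviour in the tcpdump and ping output above, as an added example that is not part of the thread: a small Python model of the gateway's source-address selection followed by the SPD selector lookup. The route table, the SPD tuples, the OpenBSD peer address 213.88.128.173 (taken from the OpenBSD tcpdump line) and a FreeBSD LAN address of 192.168.2.1 are all assumptions constructed for the model.

```python
"""Why a gateway's own pings bypass the tunnel: source selection vs. SPD.
Added example, not from the thread. Peer address 213.88.128.173 and the
LAN address 192.168.2.1 are assumptions; the rest mirrors the quoted output."""
from ipaddress import ip_address, ip_network

# Constructed routing table of the FreeBSD gateway: (prefix, interface, own address).
ROUTES = [
    ("0.0.0.0/0", "xl0", "130.236.218.63"),    # default route, public side
    ("192.168.2.0/24", "xl1", "192.168.2.1"),  # private LAN (address assumed)
]

# Constructed SPD, the OpenBSD entries from the thread seen from FreeBSD's side:
# (src selector, dst selector, direction, level, ESP tunnel peer)
SPD = [
    ("192.168.2.0/24", "10.0.0.0/24", "out", "require", "213.88.128.173"),
    ("10.0.0.0/24", "192.168.2.0/24", "in", "use", "130.236.218.63"),
]

def pick_source(dst):
    """Longest-prefix route lookup; the outgoing interface's address becomes src.
    No route covers 10.0.0/24 (an SA is not an interface), so the default
    route wins and the public address is chosen."""
    matches = [r for r in ROUTES if ip_address(dst) in ip_network(r[0])]
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen)[2]

def spd_lookup(src, dst, direction="out"):
    """Return the first policy whose selectors cover (src, dst), else None."""
    s, d = ip_address(src), ip_address(dst)
    for pol in SPD:
        if pol[2] == direction and s in ip_network(pol[0]) and d in ip_network(pol[1]):
            return pol
    return None

def classify(src, dst):
    """'esp:<peer>' when policy requires protection, else 'cleartext'."""
    pol = spd_lookup(src, dst)
    if pol is not None and pol[3] == "require":
        return f"esp:{pol[4]}"
    return "cleartext"  # no matching policy: normal route, unprotected

def diagnose(dst, src=None):
    """Simulate `ping dst` (src=None) or `ping -S src dst` from the gateway."""
    src = src or pick_source(dst)
    return src, classify(src, dst)

if __name__ == "__main__":
    print(diagnose("10.0.0.1"), diagnose("10.0.0.1", "192.168.2.1"))
```

A packet sourced from the public address matches neither selector, so it leaves xl0 unprotected, which is exactly the cleartext echo request the FreeBSD tcpdump shows; the same destination with a source on 192.168.2/24 matches the "require" policy and would be tunnelled.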