Date:      Thu, 15 Mar 2007 02:31:54 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Robert Johannes <rjohanne@piper.hamline.edu>
Cc:        freebsd-security@freebsd.org, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Subject:   Re: freebsd vpn server behind nat dsl router
Message-ID:  <45F8B01A.50106@tomjudge.com>
In-Reply-To: <Pine.LNX.4.64.0703141353250.3246@wnk.hamline.edu>
References:  <Pine.LNX.4.64.0703061251310.15938@wnk.hamline.edu>	<20070307170617.GA2799@zen.inc>	<Pine.LNX.4.64.0703071146580.3635@wnk.hamline.edu>	<20070307212442.GA1384@jayce.zen.inc> <Pine.LNX.4.64.0703141353250.3246@wnk.hamline.edu>

Robert Johannes wrote:
> 
> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
> 
> 
> Ok, I have done quite a bit of work since my last email, but I still 
> don't see visible progress.  I did rebuild world and the kernel with the 
> NAT-T patches/support that you recommended.  I have been playing around 
> with ipsec etc.
> 
> I have created an esp tunnel between my two sites, and I am sending some 
> ping traffic to the remote end, but the packets don't seem to get 
> through. Here's a snippet of what I see on tcpdump:
> 
> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519,  \
> length 64 (ipip-proto-4)
> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520,  \
> length 64 (ipip-proto-4)

Firstly, have you set your DSL routers up to NAT the ipencap protocol 
back to your FreeBSD box? (IPencap is an IP payload protocol, not a TCP 
or UDP payload, so you will probably need a pretty advanced router to do 
this.)  The packets you see here are not protected by IPSEC; they are 
just plain old IPENCAP packets.  If they were IPSEC packets I would 
expect to see ESP as the protocol and not see the encapsulated packet 
header.  (Again, when you get IPSEC working you are going to need to NAT 
these packets to your FreeBSD boxes.)

> 
> From what I can tell, the kernel knows that it is to send the ping 
> request from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 
> 190.41.95.135 and 201.240.165.191.  But, there's no request from the 
> other end.  Doing a tcpdump on the other side (192.168.0.254), nothing 
> is coming in.  I have also done a ping from the latter machine to the 
> former, but with exactly the same problem.  Nothing seems to get to the 
> other end.
> 
> The tunnel is not using racoon yet.  I figure that I should be able to 
> see some traffic going back and forth before I use racoon to manage 
> keys.  The tunnel was created by the following lines on one host, and 
> reversed on the other:
> 
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec 
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec 
> esp/tunnel/201.240.151.15-190.41.95.135/require;
> 
> If any one can shed some more light on this, I would appreciate it.
> 

From what I can see your /etc/ipsec.conf should look like this:

spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
	esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
	esp/tunnel/201.240.151.15-190.41.95.135/require;

These rules may be wrong but your tunnel seems to be an IP protocol 4 
payload which is ipencap (see /etc/protocols).

Hope this helps.

Tom
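Editor's note, added to this archived thread and not part of either poster's message: Robert says the tunnel is not using racoon yet, so the ESP SAs have to exist before any "require" policy can let traffic through; with no SA for the selected policy the kernel has nothing to encrypt with. The fragment below is an example /etc/ipsec.conf (setkey(8) syntax) that pairs Tom's ipencap policies with manually keyed SAs for exactly that test. It assumes the address pairs and subnets as they appear in the spdadd lines above (201.240.151.15 as the local gateway, 190.41.95.135 as the remote one), that an ipencap/gif tunnel already runs between those addresses, and that the same file, with the two addresses swapped in every statement, is loaded on the other gateway. The SPIs and hex keys are placeholders.

```conf
# /etc/ipsec.conf on the 201.240.151.15 gateway (192.168.0.0/24 behind it).
# Load with: setkey -f /etc/ipsec.conf
# The peer at 190.41.95.135 loads the same file with the addresses swapped.
flush;
spdflush;

# Manually keyed SAs for testing before racoon is in use. Keys below are
# placeholders (assumption): generate real ones with `openssl rand -hex 16`
# (aes-cbc, 128-bit) and `openssl rand -hex 20` (hmac-sha1), and install
# identical values on both gateways. SPIs for manual SAs must be > 255.
add 190.41.95.135 201.240.151.15 esp 0x1001 -m tunnel
    -E aes-cbc    0x00112233445566778899aabbccddeeff
    -A hmac-sha1  0x0123456789abcdef0123456789abcdef01234567;
add 201.240.151.15 190.41.95.135 esp 0x1002 -m tunnel
    -E aes-cbc    0xffeeddccbbaa99887766554433221100
    -A hmac-sha1  0x76543210fedcba9876543210fedcba9876543210;

# Policy: the ipencap (IP protocol 4) traffic between the two gateways,
# i.e. the gif tunnel carrying 192.168.x.x, must be wrapped in ESP.
spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
    esp/tunnel/190.41.95.135-201.240.151.15/require;
spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
    esp/tunnel/201.240.151.15-190.41.95.135/require;
```

After loading, `setkey -D` should list both SAs and `setkey -DP` both policies. On the DSL-facing interface the gateway-to-gateway packets should now appear in tcpdump as `ESP(spi=0x00001002,...)` rather than `ipip-proto-4`; if the inner 192.168.x.x headers are still visible on the wire, the policy is not matching and the traffic is leaving unprotected. These manual SAs use no UDP encapsulation, so the DSL routers must forward IP protocol 50 (ESP) to the gateways for the packets to arrive at all; once racoon is brought in, NAT-T moves that to UDP 4500. Manual keys are for bringing the tunnel up and debugging only: replace them with racoon-negotiated SAs before relying on the link.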