From owner-freebsd-net@FreeBSD.ORG Thu Mar 29 13:10:57 2007
From: Toomas Aas
To: freebsd-net@freebsd.org
Date: Thu, 29 Mar 2007 15:40:04 +0300
Subject: IPSec tunneling problem
Message-ID: <460BB3A4.8020804@raad.tartu.ee>
List-Id: Networking and TCP/IP with FreeBSD

Hello!
We have a central office which is separated from the Internet by a firewall running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the central office from another small branch office, using FreeBSD 6.2 with its integrated IPSec and ipsec-tools. The tunneling is generally working, both internal networks can see each other, but I'm having some problems with traffic originating from the FreeBSD firewall itself.

The central office has internal network 192.168.1.0/24 and the firewall's external IP is, let's say, A.B.C.D. The branch office has internal network 192.168.5.0/24 and the firewall's external IP is W.X.Y.Z. The policies in /etc/ipsec.conf are as follows.

    spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
        esp/tunnel/W.X.Y.Z-A.B.C.D/require;
    spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require;

The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being correctly tunnelled, i.e. when I watch the traffic on the firewall's external interface with tcpdump, I can see only ESP traffic between A.B.C.D and W.X.Y.Z, and the internal IPs don't appear anywhere. I can even successfully initiate *some* tunnelled traffic from the firewall machine itself; for example

    ping -S 192.168.5.1 192.168.1.3

works correctly, as does

    telnet -s 192.168.5.1 192.168.1.3 53

However, the main reason why I want to have internal traffic originating from the firewall host itself is that I'd like to run an internal DNS server with slave zones for my internal network (*.in-addr.arpa) so all the DNS traffic wouldn't go through the VPN. The master for these zones is 192.168.1.3. I've configured named.conf with the following:

    options {
        ...
        listen-on { 127.0.0.1; 192.168.5.1; };
        query-source address 192.168.5.1;
        forwarders { 192.168.1.3; };
        ...
    };
    ...
    zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters { 192.168.1.3; };
    };
    ...
However, when I start named and watch the traffic on the firewall's external interface with tcpdump, I can see actual packets between 192.168.5.1 and 192.168.1.3. What is the difference between this DNS traffic and things like telnet -s, which causes the DNS traffic to not be tunneled?

-- 
Toomas Aas
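As an added illustration, not part of the post or of FreeBSD's own IPsec code, the script below parses the two spdadd policies quoted above and reports whether an outbound flow from the firewall falls inside their address selectors. The W.X.Y.Z and A.B.C.D placeholders are replaced with constructed documentation addresses, and the lookup is a simplified first-match model of the kernel's SPD search; it shows that the same 192.168.1.3 destination is covered when the packet is sourced from 192.168.5.1 (as ping -S and telnet -s force) and uncovered when it is sourced from the firewall's external address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins (RFC 5737 documentation addresses) for the post's
# placeholders: W.X.Y.Z is the branch firewall, A.B.C.D the central office.
W_X_Y_Z = "203.0.113.5"
A_B_C_D = "198.51.100.7"

# The two spdadd policies from the post's /etc/ipsec.conf, placeholders filled in.
IPSEC_CONF = f"""
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \\
    esp/tunnel/{W_X_Y_Z}-{A_B_C_D}/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \\
    esp/tunnel/{A_B_C_D}-{W_X_Y_Z}/require;
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in" or "out"
    tunnel: str     # "local-remote" ESP tunnel endpoints

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+)/(?:require|use|default)\s*;")

def parse_spd(text: str) -> List[Policy]:
    """Parse setkey-style spdadd lines; backslash continuations are joined."""
    joined = text.replace("\\\n", " ")
    return [Policy(ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)),
                   m.group(3), m.group(4))
            for m in SPDADD_RE.finditer(joined)]

def lookup(spd: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Simplified first-match SPD lookup: the first policy whose direction and
    address selectors cover the flow, or None if no policy applies (cleartext)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None

if __name__ == "__main__":
    spd = parse_spd(IPSEC_CONF)
    # Source bound to the internal address (as ping -S does) vs. the external one.
    for src in ("192.168.5.1", W_X_Y_Z):
        p = lookup(spd, src, "192.168.1.3", "out")
        print(src, "->", "192.168.1.3:", f"ESP via {p.tunnel}" if p else "no SPD match")
```

A daemon whose sockets are not bound to 192.168.5.1 for every kind of traffic it sends (queries, zone transfers, notifies) will show up in the second category, so checking each socket's source address against the selectors is the first thing to verify.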