Date:      Thu, 29 Mar 2007 15:40:04 +0300
From:      Toomas Aas <toomas.aas@raad.tartu.ee>
To:        freebsd-net@freebsd.org
Subject:   IPSec tunneling problem
Message-ID:  <460BB3A4.8020804@raad.tartu.ee>

Hello!

We have a central office which is separated from the Internet with firewall 
running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the 
central office from another small branch office, using FreeBSD 6.2 with 
its integrated IPSec and ipsec-tools. The tunneling is generally working, 
both internal networks can see each other, but I'm having some problems 
with traffic originating from the FreeBSD firewall itself.

The central office has internal network 192.168.1.0/24 and firewall's 
external IP is, let's say, A.B.C.D. The branch office has internal network 
192.168.5.0/24 and firewall's external IP is W.X.Y.Z.

The policies in /etc/ipsec.conf are as follows.

spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
	esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
	esp/tunnel/A.B.C.D-W.X.Y.Z/require;

The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being 
correctly tunnelled, i.e. when I watch the traffic on firewall's external 
interface with tcpdump, I can see only ESP traffic between A.B.C.D and 
W.X.Y.Z, and the internal IPs don't appear anywhere.

I can even successfully initiate *some* tunnelled traffic from the firewall 
machine itself, for example
ping -S 192.168.5.1 192.168.1.3
works correctly, as does
telnet -s 192.168.5.1 192.168.1.3 53

However, the main reason why I want to have internal traffic originating 
from the firewall host itself is that I'd like to run an internal DNS 
server with slave zones for my internal network (*.in-addr.arpa) so all the 
DNS traffic wouldn't go through the VPN. The master for these zones is 
192.168.1.3. I've configured named.conf with following

options
{
	...
	listen-on { 127.0.0.1; 192.168.5.1; };
	query-source address 192.168.5.1;
	forwarders {
		192.168.1.3;
	};
	...
};
...

zone "1.168.192.in-addr.arpa" {
         type slave;
         file "slave/1.168.192.in-addr.arpa";
         masters { 192.168.1.3; };
};
...

However, when I start named and watch the traffic on firewall's external 
interface with tcpdump, I can see actual packets between 192.168.5.1 and 
192.168.1.3.

What is the difference between this DNS traffic and things like telnet -s, 
which causes the DNS traffic to not be tunneled?

-- 
Toomas Aas



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?460BB3A4.8020804>
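The question in the mail comes down to which flows the two spdadd lines actually select: an SPD entry is matched on direction, source prefix, destination prefix and protocol, so a packet only gets the esp/tunnel treatment if the source address the socket ended up with falls inside 192.168.5.0/24. The following is an added example, not code from the post or from ipsec-tools: it parses the two policies quoted above and reports, for a few constructed candidate flows from the branch firewall, whether they would be tunnelled or leave in the clear. The placeholder external addresses A.B.C.D and W.X.Y.Z are replaced by RFC 5737 documentation addresses (203.0.113.1 and 198.51.100.1) purely so they parse; port selectors, which setkey also supports, are not modelled.

```python
"""Offline matcher for setkey(8) spdadd policies.

Added example, not code from the original post or from ipsec-tools: it
parses the two spdadd lines quoted in the mail and reports which candidate
flows from the branch firewall they cover, so the source address a daemon
actually binds can be checked against the SPD selectors before reaching
for tcpdump.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the placeholder external addresses in the post
# (assumption: RFC 5737 documentation addresses, chosen only so they parse).
CENTRAL_EXT = "203.0.113.1"   # A.B.C.D in the post
BRANCH_EXT = "198.51.100.1"   # W.X.Y.Z in the post

# The two policies from the post, with the placeholders substituted.
IPSEC_CONF = f"""
spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \\
\tesp/tunnel/{BRANCH_EXT}-{CENTRAL_EXT}/require;
spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \\
\tesp/tunnel/{CENTRAL_EXT}-{BRANCH_EXT}/require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<rule>\S+)"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str        # "any", "udp", "tcp", ... as written in the selector
    direction: str    # "in" or "out"
    rule: str         # e.g. "esp/tunnel/198.51.100.1-203.0.113.1/require"

    def matches(self, direction: str, src: str, dst: str, proto: str) -> bool:
        # setkey selectors: direction must agree, both prefixes must contain
        # the packet's addresses, and "any" matches every upper-layer protocol.
        return (
            self.direction == direction
            and ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and self.proto in ("any", proto)
        )


def parse_spd(text: str) -> list:
    """Parse spdadd statements; backslash continuations are joined first."""
    joined = text.replace("\\\n", " ")
    policies = []
    for stmt in joined.split(";"):
        m = SPDADD_RE.search(stmt)
        if not m:
            continue
        policies.append(Policy(
            src=ipaddress.ip_network(m["src"], strict=False),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            proto=m["proto"],
            direction=m["dir"],
            rule=m["rule"],
        ))
    return policies


def lookup(policies, direction, src, dst, proto="udp") -> Optional[str]:
    """Return the rule of the first matching policy, or None (cleartext)."""
    for p in policies:
        if p.matches(direction, src, dst, proto):
            return p.rule
    return None


POLICIES = parse_spd(IPSEC_CONF)


def classify_flows() -> dict:
    """Constructed flows from the branch firewall worth checking."""
    flows = {
        # ping -S / telnet -s style: source explicitly bound to the LAN address
        "out 192.168.5.1 -> 192.168.1.3": ("out", "192.168.5.1", "192.168.1.3"),
        # a socket that never bound: the kernel picks the external address
        f"out {BRANCH_EXT} -> 192.168.1.3": ("out", BRANCH_EXT, "192.168.1.3"),
        # replies from the master, as seen on the inbound side
        "in 192.168.1.3 -> 192.168.5.1": ("in", "192.168.1.3", "192.168.5.1"),
        # a destination outside the central office LAN
        "out 192.168.5.1 -> 192.0.2.53": ("out", "192.168.5.1", "192.0.2.53"),
    }
    return {name: (lookup(POLICIES, *f) or "CLEARTEXT")
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in classify_flows().items():
        print(f"{name:40} {result}")
```

The flow whose source is the firewall's own external address is the one to watch: nothing in these two policies covers it, so any socket that does not bind to 192.168.5.1 sends in the clear. On the real host the same check is done with `setkey -DP` to dump the live SPD, `sockstat -4l` to see which local address each listening socket is actually bound to, and `tcpdump -ni <external-if> 'not esp'` to list whatever still leaves unencrypted.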