Date: Thu, 29 Mar 2007 15:40:04 +0300 From: Toomas Aas <toomas.aas@raad.tartu.ee> To: freebsd-net@freebsd.org Subject: IPSec tunneling problem Message-ID: <460BB3A4.8020804@raad.tartu.ee>
Hello!

We have a central office which is separated from the Internet with a firewall running Linux 2.4 and FreeSWAN. I'm trying to create an IPSec tunnel to the central office from another small branch office, using FreeBSD 6.2 with its integrated IPSec and ipsec-tools. The tunneling is generally working, both internal networks can see each other, but I'm having some problems with traffic originating from the FreeBSD firewall itself.

The central office has internal network 192.168.1.0/24 and the firewall's external IP is, let's say, A.B.C.D. The branch office has internal network 192.168.5.0/24 and the firewall's external IP is W.X.Y.Z. The policies in /etc/ipsec.conf are as follows:

    spdadd 192.168.5.0/24 192.168.1.0/24 any -P out ipsec \
        esp/tunnel/W.X.Y.Z-A.B.C.D/require;
    spdadd 192.168.1.0/24 192.168.5.0/24 any -P in ipsec \
        esp/tunnel/A.B.C.D-W.X.Y.Z/require;

The traffic between hosts in 192.168.1.0/24 and 192.168.5.0/24 is being correctly tunnelled, i.e. when I watch the traffic on the firewall's external interface with tcpdump, I can see only ESP traffic between A.B.C.D and W.X.Y.Z, and the internal IPs don't appear anywhere. I can even successfully initiate *some* tunnelled traffic from the firewall machine itself, for example

    ping -S 192.168.5.1 192.168.1.3

works correctly, as does

    telnet -s 192.168.5.1 192.168.1.3 53

However, the main reason why I want to have internal traffic originating from the firewall host itself is that I'd like to run an internal DNS server with slave zones for my internal network (*.in-addr.arpa) so all the DNS traffic wouldn't go through the VPN. The master for these zones is 192.168.1.3. I've configured named.conf with the following:

    options {
        ...
        listen-on { 127.0.0.1; 192.168.5.1; };
        query-source address 192.168.5.1;
        forwarders { 192.168.1.3; };
        ...
    };
    ...
    zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters { 192.168.1.3; };
    };
    ...
However, when I start named and watch the traffic on the firewall's external interface with tcpdump, I can see actual packets between 192.168.5.1 and 192.168.1.3. What is the difference between this DNS traffic and things like telnet -s that causes the DNS traffic not to be tunneled?

-- 
Toomas Aas
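The security-relevant observation in the message is that packets the SPD says must be ESP-encapsulated are appearing in cleartext on the external interface. As an added example (not code from the post or from ipsec-tools), the following Python script applies the two spdadd selectors quoted above to one-line "tcpdump -n" text output and flags any cleartext packet whose source and destination fall inside a tunnel policy, while counting ESP packets to confirm the tunnel itself is up. The capture lines and the gateway addresses 203.0.113.1 and 198.51.100.1 are constructed for illustration (the post only uses the placeholders W.X.Y.Z and A.B.C.D); the line format assumed is tcpdump's default IPv4 summary line.

```python
"""Flag cleartext packets on an IPsec gateway's external interface that the
SPD says should have been tunnelled as ESP.

Added example, not code from the original mailing-list post. The SPD entries
mirror the two spdadd lines in the post; the capture below is constructed
sample input in "tcpdump -n" format, not a real trace.
"""
import ipaddress
import re

# Tunnel policies from the post: traffic between the two internal prefixes
# must leave the external interface as ESP between the gateway addresses.
SPD = [
    {"src": ipaddress.ip_network("192.168.5.0/24"),
     "dst": ipaddress.ip_network("192.168.1.0/24"), "dir": "out"},
    {"src": ipaddress.ip_network("192.168.1.0/24"),
     "dst": ipaddress.ip_network("192.168.5.0/24"), "dir": "in"},
]

# Minimal parser for tcpdump -n IPv4 lines:
#   "HH:MM:SS.frac IP a.b.c.d[.port] > e.f.g.h[.port]: <rest>"
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with src/dst addresses, optional ports and an ESP flag,
    or None when the line is not an IPv4 summary line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dport": int(m.group("dport")) if m.group("dport") else None,
        # tcpdump prints ESP packets as "ESP(spi=0x...,seq=0x...), length N"
        "esp": m.group("rest").startswith("ESP("),
    }


def matching_policy(pkt):
    """Return the SPD entry whose selectors cover this packet, or None."""
    for pol in SPD:
        if pkt["src"] in pol["src"] and pkt["dst"] in pol["dst"]:
            return pol
    return None


def find_leaks(lines):
    """Return (leaks, esp_count).

    leaks: tuples (src, sport, dst, dport, policy_dir) for cleartext packets
           seen on the wire although a 'require' tunnel policy covers them.
    esp_count: number of ESP packets seen, so an empty leak list can be
           distinguished from a tunnel that is simply down.
    """
    leaks = []
    esp_count = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["esp"]:
            esp_count += 1
            continue
        pol = matching_policy(pkt)
        if pol is not None:
            leaks.append((str(pkt["src"]), pkt["sport"],
                          str(pkt["dst"]), pkt["dport"], pol["dir"]))
    return leaks, esp_count


# Constructed sample capture (assumed gateway IPs 203.0.113.1 = W.X.Y.Z and
# 198.51.100.1 = A.B.C.D). Lines 3 and 4 model the named traffic the post
# describes: a zone query from the gateway's internal address in cleartext.
SAMPLE_CAPTURE = """\
15:40:01.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a001,seq=0x2a), length 116
15:40:01.000200 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0000a002,seq=0x2a), length 116
15:40:02.000001 IP 192.168.5.1.49152 > 192.168.1.3.53: 4711+ SOA? 1.168.192.in-addr.arpa. (37)
15:40:02.000300 IP 192.168.1.3.53 > 192.168.5.1.49152: 4711* 1/0/0 SOA (98)
15:40:03.000001 IP 203.0.113.1.54321 > 198.51.100.1.22: Flags [S], seq 1, win 65535, length 0
""".splitlines()


if __name__ == "__main__":
    leaks, esp = find_leaks(SAMPLE_CAPTURE)
    print(f"ESP packets seen: {esp}")
    for src, sport, dst, dport, d in leaks:
        print(f"LEAK ({d} policy): {src}:{sport} -> {dst}:{dport} in cleartext")
```

On a live gateway the same check would be fed from `tcpdump -n -i <external interface>` piped into the script; the fifth sample line (gateway-to-gateway SSH) shows that only traffic matched by an SPD selector is reported, so ordinary unencrypted traffic between the external addresses is not a false positive.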
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?460BB3A4.8020804>