From: Olivier Cochard-Labbé
Date: Fri, 25 Oct 2013 11:20:11 +0200
Subject: Can't configure a simple IPSec (manual SA/SP)
To: freebsd-net@freebsd.org
Hi all,

I'm trying to configure simple static IPSec SA/SP in tunnel mode on my FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel) but the IPSec configuration seems to be ignored.

local private net (em0): 10.0.12.0/24
local end-point IP (em1): 10.0.23.2
remote private net: 10.0.45.0/24
remote end-point IP: 10.0.34.4

I'm configuring the static SA/SP entries like that:

flush;
spdflush;
spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec esp/tunnel/10.0.23.2-10.0.34.4/require;
spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec esp/tunnel/10.0.34.4-10.0.23.2/require;
add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1";
add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2";

This configuration seems correctly applied:

[root@R2]~# setkey -D
10.0.34.4 10.0.23.2
    esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
    E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726432
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 25 10:33:11 2013    current: Oct 25 11:08:49 2013
    diff: 2138(s)    hard: 0(s)    soft: 0(s)
    last:            hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=2024 refcnt=1
10.0.23.2 10.0.34.4
    esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726431
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 25 10:33:11 2013    current: Oct 25 11:08:49 2013
    diff: 2138(s)    hard: 0(s)    soft: 0(s)
    last:            hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=2024 refcnt=1

[root@R2]~# setkey -DP
10.0.45.0/24[any] 10.0.12.0/24[any] any
    in ipsec
    esp/tunnel/10.0.34.4-10.0.23.2/require
    spid=2 seq=1 pid=2025 refcnt=1
10.0.12.0/24[any] 10.0.45.0/24[any] any
    out ipsec
    esp/tunnel/10.0.23.2-10.0.34.4/require
    spid=1 seq=0 pid=2025 refcnt=1

But when a machine in local_private_net tries to ping a remote_private_net, the traffic is not tunnelled/encrypted:

[root@R2]~# tcpdump -pni em1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 0, length 64
10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 1, length 64
10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 2, length 64

I've tried to enable IPSEC_DEBUG on my kernel: I've got nothing in my log.

How can I get a more verbose IPsec log for spotting my problem?

Thanks,

Olivier
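The two setkey dumps quoted in the post can be cross-checked mechanically instead of by eye. The script below is an added example and is not part of Olivier's post nor of FreeBSD's own tooling: it parses setkey -D (the SAD) and setkey -DP (the SPD) output, with the post's own dumps embedded as sample input (indentation normalized to spaces), and reports tunnel policies that have no mature SA for their endpoint pair as well as SAs whose lifetime byte counter is still zero. The latter is the telling signal in the post: every SA shows current: 0(bytes), so no packet has ever been handed to either SA, which means the forwarded pings are not being matched by the SPD entries at all, rather than failing somewhere inside ESP. The field names SA, Policy and check are this example's own.

```python
"""Cross-check setkey -D (SAD) and setkey -DP (SPD) dumps.

Added example, not from the original post. Reports policies without a
usable SA and SAs that have never carried traffic (current: 0(bytes)).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample setkey -D output, reproduced from the post (tabs replaced by spaces).
SAD_DUMP = """\
10.0.34.4 10.0.23.2
    esp mode=any spi=4097(0x00001001) reqid=0(0x00000000)
    E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726432
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 25 10:33:11 2013    current: Oct 25 11:08:49 2013
    diff: 2138(s)    hard: 0(s)    soft: 0(s)
    last:            hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=1 pid=2024 refcnt=1
10.0.23.2 10.0.34.4
    esp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    E: 3des-cbc  33646573 5f636f6d 706c6961 6e745f70 61737377 6f726431
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Oct 25 10:33:11 2013    current: Oct 25 11:08:49 2013
    diff: 2138(s)    hard: 0(s)    soft: 0(s)
    last:            hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=2024 refcnt=1
"""

# Sample setkey -DP output, reproduced from the post.
SPD_DUMP = """\
10.0.45.0/24[any] 10.0.12.0/24[any] any
    in ipsec
    esp/tunnel/10.0.34.4-10.0.23.2/require
    spid=2 seq=1 pid=2025 refcnt=1
10.0.12.0/24[any] 10.0.45.0/24[any] any
    out ipsec
    esp/tunnel/10.0.23.2-10.0.34.4/require
    spid=1 seq=0 pid=2025 refcnt=1
"""


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: int
    mode: str
    state: str
    bytes_used: int  # lifetime "current: N(bytes)" counter


@dataclass
class Policy:
    src_net: str
    dst_net: str
    direction: str
    proto: str
    mode: str
    tun_src: Optional[str]
    tun_dst: Optional[str]
    level: str


def parse_sad(text: str) -> List[SA]:
    """Parse setkey -D output: an unindented 'src dst' line starts each SA."""
    records = []
    cur = None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            parts = line.split()
            if len(parts) == 2:
                cur = {"src": parts[0], "dst": parts[1], "proto": "?",
                       "mode": "?", "spi": 0, "state": "?", "bytes_used": 0}
                records.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"\s*(\w+) mode=(\w+) spi=(\d+)", line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        m = re.search(r"state=(\w+)", line)
        if m:
            cur["state"] = m.group(1)
        # Anchored at line start so the 'created: ... current: <date>' line is skipped.
        m = re.match(r"\s*current: (\d+)\(bytes\)", line)
        if m:
            cur["bytes_used"] = int(m.group(1))
    return [SA(**r) for r in records]


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey -DP output: an unindented 'srcnet[port] dstnet[port] proto' line starts each policy."""
    records = []
    cur = None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            parts = line.split()
            if len(parts) >= 2:
                cur = {"src_net": parts[0].split("[")[0], "dst_net": parts[1].split("[")[0],
                       "direction": "?", "proto": "?", "mode": "?",
                       "tun_src": None, "tun_dst": None, "level": "?"}
                records.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = re.match(r"(in|out|fwd) (ipsec|discard|none)", s)
        if m:
            cur["direction"] = m.group(1)
        # esp/tunnel/A-B/require  or  esp/transport//require
        m = re.match(r"(\w+)/(tunnel|transport)/(?:([^-/]+)-([^/]+))?/(\w+)", s)
        if m:
            cur["proto"], cur["mode"], cur["tun_src"], cur["tun_dst"], cur["level"] = m.groups()
    return [Policy(**r) for r in records]


def check(sas: List[SA], policies: List[Policy]) -> List[str]:
    """Return human-readable findings; an empty list means SAD and SPD agree and carry traffic."""
    findings = []
    for p in policies:
        if p.mode != "tunnel":
            continue  # transport policies carry no endpoint pair to match on
        matches = [s for s in sas if s.src == p.tun_src and s.dst == p.tun_dst
                   and s.proto == p.proto and s.state == "mature"]
        if not matches:
            findings.append(f"policy {p.direction} {p.src_net}->{p.dst_net}: "
                            f"no mature {p.proto} SA for {p.tun_src}->{p.tun_dst}")
            continue
        for s in matches:
            if s.mode not in ("any", p.mode):
                findings.append(f"SA {s.src}->{s.dst} spi=0x{s.spi:x} is {s.mode} mode "
                                f"but policy wants {p.mode}")
            if s.bytes_used == 0:
                findings.append(f"SA {s.src}->{s.dst} spi=0x{s.spi:x} has processed 0 bytes: "
                                f"policy {p.direction} {p.src_net}->{p.dst_net} is matching no traffic")
    return findings


if __name__ == "__main__":
    for f in check(parse_sad(SAD_DUMP), parse_spd(SPD_DUMP)):
        print(f)
```

On a live router the same two parsers can be fed the output of `setkey -D` and `setkey -DP` directly; a policy whose SA counter stays at zero while tcpdump shows the matching cleartext on the outer interface points at policy lookup (selectors, direction, or the forwarding path) rather than at the cipher or key material.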