From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Fri, 25 Oct 2013 15:35:18 +0200
Subject: Re: Can't configure a simple IPSec (manual SA/SP)
Message-ID: <20131025133517.GA5588@zeninc.net>

On Fri, Oct 25, 2013 at 11:20:11AM +0200, Olivier Cochard-Labbé wrote:
> Hi all,

Hi.

> I'm trying to configure simple static IPSec SA/SP in tunnel mode on my
> FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel) but the IPSec
> configuration seems to be ignored.
>
> local private net (em0): 10.0.12.0/24
> local end-point IP (em1): 10.0.23.2
> remote private net: 10.0.45.0/24
> remote end-point IP: 10.0.34.4
>
> I'm configuring the static SA/SP entries like that:
>
> flush;
> spdflush;
> spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec
> esp/tunnel/10.0.23.2-10.0.34.4/require;
> spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec
> esp/tunnel/10.0.34.4-10.0.23.2/require;
> add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1";
> add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2";
>
> This configuration seems correctly applied:
> [seems good]
> But when a machine in local_private_net tries to ping a
> remote_private_net, the traffic is not tunneled/encrypted:
>
> [root@R2]~# tcpdump -pni em1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 0, length 64
> 10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 1, length 64
> 10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, seq 2, length 64
>
> I've tried to enable IPSEC_DEBUG on my kernel: I've got nothing in my log.
>
> How can I get a more verbose IPsec log for spotting my problem?

I'm not sure your problem is directly related to your IPsec configuration:
your packet may just not reach the IPsec stack for some reason to be
understood.

Do you use some bridging configuration? Do you have some kind of
filtering/NAT rules? Some complex routing tables?

Can you send the output (on your IPsec gate) of:

sysctl -a net.inet.ip.fastforwarding

Have also a look at the output of "netstat -s", and check all sections
related to IPsec (pfkey, ipsec, esp).

Yvan.