From: Aristedes Maniatis
To: "Bjoern A. Zeeb"
Cc: freebsd-stable
Date: Tue, 30 Dec 2014 16:22:05 +1100
Subject: Re: ipsec routing issue
Message-ID: <54A2367D.8030600@ish.com.au>
References: <54A17F33.2020708@ish.com.au>
List-Id: Production branch of FreeBSD source code

On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>
>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis wrote:
>>
>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>
> No, there are no routes involved; your security policy deals with this. setkey -DP is your friend. You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.

# setkey -DP
203.29.62.128/25[any] 10.100.0.0/16[any] any
	in ipsec
	ipcomp/tunnel/202.161.111.54-202.127.223.110/use
	esp/tunnel/202.161.111.54-202.127.223.110/unique#16390
	spid=26 seq=3 pid=83060 refcnt=1
203.29.62.128/25[any] 10.101.0.0/16[any] any
	in ipsec
	ipcomp/tunnel/202.161.111.54-202.127.223.110/use
	esp/tunnel/202.161.111.54-202.127.223.110/unique#16392
	spid=28 seq=2 pid=83060 refcnt=1
10.100.0.0/16[any] 203.29.62.128/25[any] any
	out ipsec
	ipcomp/tunnel/202.127.223.110-202.161.111.54/use
	esp/tunnel/202.127.223.110-202.161.111.54/unique#16389
	spid=25 seq=1 pid=83060 refcnt=1
10.101.0.0/16[any] 203.29.62.128/25[any] any
	out ipsec
	ipcomp/tunnel/202.127.223.110-202.161.111.54/use
	esp/tunnel/202.127.223.110-202.161.111.54/unique#16391
	spid=27 seq=0 pid=83060 refcnt=1

Does that look right for a setup with two tunnels (two networks at one end) and compression enabled?
If racoon is showing the tunnels as UP:

2014-12-30 12:01:48: INFO: initiate new phase 2 negotiation: 202.127.223.110[500]<=>202.161.111.54[500]
2014-12-30 12:01:48: INFO: IPsec-SA established: ESP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=26332262(0x191cc66)
2014-12-30 12:01:48: INFO: IPsec-SA established: IPCOMP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=1336(0x538)
2014-12-30 12:01:48: INFO: IPsec-SA established: ESP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=91459320(0x5738ef8)
2014-12-30 12:01:48: INFO: IPsec-SA established: IPCOMP/Tunnel 202.127.223.110[500]->202.161.111.54[500] spi=32553(0x7f29)

Am I right in saying that I would not get this far if setkey wasn't already correct?

But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network except for the remote firewall itself are not sent through the tunnel. I guess I'll need to add a route for those after all.

Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)

>> 2. If I am using gif0 do I need to also use gif0 on the other end? This adds another layer of encapsulation which I need to remove at the remote firewall, don't I?
>
> Yes.

Then I think the FreeBSD handbook really needs adjustment because it explains that gif is a definite requirement.

>> 3. What does this mean:
>>
>> ifconfig gif0 inet 192.168.1.1 192.168.0.1 netmask 0xffffffff
>>
>> Is that mask for the remote end or for the local end?
>
> Or just to be there.
>
>
>> 4. I'm using pf for a firewall. Other than allowing isakmp, esp and ipencap through in both directions, can I control the traffic inside the tunnel? Do I need to add rules for that traffic or will it always go through?
>
> For that you'll need enc(4) to do it properly. Check the man page for settings. You might want to change them off the defaults.

Until I recompile my kernel for ENC, can I assume that packet filter rules aren't going to be my problem here (other than the obvious rules which allow IPsec to be established, which is working)?

Thanks again

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street, Newtown 2042, Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
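The question in the mail above ("does that look right for two tunnels with compression?") is the kind of thing that is easy to get wrong by eye once the SPD has more than a couple of entries. The following is an added example, not code from this thread or from the FreeBSD project: a small Python checker that parses `setkey -DP` output and verifies the two properties a practitioner would check first, namely that every `out` policy has a mirrored `in` policy with the tunnel endpoints swapped, and that ESP is enforced with level `require` or `unique` (the `use` level, per setkey(8), lets packets pass in the clear when no SA exists). The embedded sample is constructed from the four policies quoted in the mail, laid out the way `setkey -DP` prints them; the function and variable names are this example's own.

```python
"""Sanity-check a FreeBSD IPsec SPD as printed by `setkey -DP`.

Added example for this thread (not list or project code). Parses the policy
dump and reports asymmetric tunnel policies and non-enforced ESP levels.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the four policies from the mail, in setkey -DP layout
# (a header line, then tab-indented direction / transform / spid lines).
SAMPLE_SPD = (
    "203.29.62.128/25[any] 10.100.0.0/16[any] any\n"
    "\tin ipsec\n"
    "\tipcomp/tunnel/202.161.111.54-202.127.223.110/use\n"
    "\tesp/tunnel/202.161.111.54-202.127.223.110/unique#16390\n"
    "\tspid=26 seq=3 pid=83060 refcnt=1\n"
    "203.29.62.128/25[any] 10.101.0.0/16[any] any\n"
    "\tin ipsec\n"
    "\tipcomp/tunnel/202.161.111.54-202.127.223.110/use\n"
    "\tesp/tunnel/202.161.111.54-202.127.223.110/unique#16392\n"
    "\tspid=28 seq=2 pid=83060 refcnt=1\n"
    "10.100.0.0/16[any] 203.29.62.128/25[any] any\n"
    "\tout ipsec\n"
    "\tipcomp/tunnel/202.127.223.110-202.161.111.54/use\n"
    "\tesp/tunnel/202.127.223.110-202.161.111.54/unique#16389\n"
    "\tspid=25 seq=1 pid=83060 refcnt=1\n"
    "10.101.0.0/16[any] 203.29.62.128/25[any] any\n"
    "\tout ipsec\n"
    "\tipcomp/tunnel/202.127.223.110-202.161.111.54/use\n"
    "\tesp/tunnel/202.127.223.110-202.161.111.54/unique#16391\n"
    "\tspid=27 seq=0 pid=83060 refcnt=1\n"
)

# "src[port] dst[port] upper-layer-proto"
HEADER = re.compile(r"^(\S+?)\[[^\]]*\]\s+(\S+?)\[[^\]]*\]\s+(\S+)$")
# "proto/mode/tunnel-src-tunnel-dst/level[#id]"; transport-mode lines
# ("esp/transport//require") have no endpoints and are deliberately skipped.
TRANSFORM = re.compile(r"^(\w+)/(\w+)/([^-/]+)-([^/]+)/(\w+)(?:#\d+)?$")


@dataclass
class Policy:
    src: str
    dst: str
    direction: str                                     # "in" or "out"
    transforms: List[Tuple[str, str, str, str, str]]   # proto, mode, tsrc, tdst, level
    spid: int


def parse_spd(text: str) -> List[Policy]:
    """Turn `setkey -DP` output into Policy records."""
    policies: List[Policy] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # new policy header
            m = HEADER.match(line.strip())
            if not m:
                raise ValueError(f"unparsed policy header: {line!r}")
            cur = Policy(m.group(1), m.group(2), "", [], -1)
            policies.append(cur)
            continue
        body = line.strip()
        if body.split()[-1] in ("ipsec", "discard", "none"):
            cur.direction = body.split()[0]
        elif body.startswith("spid="):
            cur.spid = int(re.search(r"spid=(\d+)", body).group(1))
        else:
            t = TRANSFORM.match(body)
            if t:
                cur.transforms.append(t.groups())
    return policies


def check_spd(text: str) -> List[str]:
    """Return findings; an empty list means the SPD is symmetric and ESP is enforced."""
    pols = parse_spd(text)
    findings: List[str] = []
    index = {(p.src, p.dst, p.direction): p for p in pols}
    for p in pols:
        if p.direction != "out":
            continue
        mirror = index.get((p.dst, p.src, "in"))
        if mirror is None:
            findings.append(f"spid={p.spid}: no 'in' policy for {p.dst} -> {p.src}")
            continue
        for proto, mode, tsrc, tdst, _level in p.transforms:
            if mode != "tunnel":
                continue
            want = (proto, "tunnel", tdst, tsrc)        # endpoints swap on the way back
            if not any(q[:4] == want for q in mirror.transforms):
                findings.append(f"spid={p.spid}: {proto} tunnel {tsrc}->{tdst} has no "
                                f"mirror {tdst}->{tsrc} in spid={mirror.spid}")
    for p in pols:
        for proto, _mode, _tsrc, _tdst, level in p.transforms:
            if proto == "esp" and level not in ("require", "unique"):
                findings.append(f"spid={p.spid}: esp level '{level}' allows "
                                "cleartext when no SA exists")
    return findings


if __name__ == "__main__":
    for msg in check_spd(SAMPLE_SPD) or ["SPD consistent: in/out policies mirror each other"]:
        print(msg)
```

On a live box, feed it `setkey -DP` output instead of the sample (`check_spd(subprocess.check_output(["setkey", "-DP"], text=True))`). A clean result only says the policies are symmetric; it does not tell you whether the selectors actually cover the traffic you are sending, so if a ping still does not enter the tunnel the next thing to compare is the packet's source and destination against the `src[any] dst[any]` selectors printed above.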