From: Chris Benesch
To: freebsd-net@freebsd.org
Date: Thu, 5 Jul 2012 21:15:07 -0700
Subject: IPSec woes coming from OpenBSD to Free
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

Forgive me if I sound noobish, but I have been using OpenBSD for a long time and haven't messed with FreeBSD in over 5 years.
My situation overall is thus: I need to connect an internal network to my workplace over IPSec. It is currently working on OpenBSD, but after all the flack that came out last year and the fact that I do work in the financial industry, maybe it is better to have a system without the documented security hole. That's a whole other discussion.

Looking at the manual, it says to create a gif interface with the other end. Unfortunately I do not know how they have the other end set up completely, so I don't know, for example, the other end's internal address. Basically it is joining my internal network 192.168.127.0 (not the real number, but the same class of network) to 189.168.175.0/24 and, once that is up, the 176.0/24 network as well. But for now, let's focus on 175.

To test out the move, I have installed 9.0 on an old laptop. It only has one network card on it, but I set up the fwe0 interface (firewire) to be the internal interface (192.168.127.1). I read a lot of relevant pages and from what I can tell I think everything is right, or I should at least see some traffic. However, I see absolutely no traffic. I do a tcpdump in another session for udp port 500 and there is nada, zilch. I am not connecting to another FreeBSD box, but to a Watchguard XTM 505 device, so the usual things of "go change this on the other host" don't work in my case; I can only manipulate my end.

Oh, my laptop is assigned IP address 192.168.0.33 and it has all UDP 500 traffic directed to it from my DSL router. Same setup as the OpenBSD box which works, but different IP. I have replaced the real IPs with modified versions so that I can remain secure, but illustrate any issues.

So here is psk.txt:

189.168.155.32 MySecretKey    << I know this key is correct.
Here is setkey.conf:

flush;
spdflush;
spdadd 192.168.127.0/24 189.168.175.0/24 any -P out ipsec esp/tunnel/192.186.0.33-189.168.155.32/require;
spdadd 189.168.175.0/24 192.168.127.0/24 any -P in ipsec esp/tunnel/189.168.155.32-192.186.0.33/require;

I did flush and dump that each time I tested.

racoon.conf:

path pre_shared_key "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
log debug2; # log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer # timing options. change as needed
{
    counter 5;
    interval 20 sec;
    persend 1;
    # natt_keepalive 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}

listen # address [port] that racoon will listen on
{
    isakmp 192.168.0.33 [500];
}

remote 189.168.155.32 [500]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 12.34.56.78;    << internet facing public address that is static
    peers_identifier address 198.168.155.32;
    lifetime time 1 hour;
    passive off;
    proposal_check obey;
    nat_traversal off;
    initial_contact on;
    generate_policy off;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 5;
    }
}

sainfo (address 192.168.127.0/24 any address 189.168.175.0/24 any)
# address $network/$netmask $type address $network/$netmask $type ($type being any or esp)
{
    # $network must be the two internal networks you are joining.
    pfs_group 1;
    lifetime time 1200 sec;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

And there is no firewall set up or anything.
Like I said, I am just testing this out. All I have done is installed FreeBSD 9.0 i386 on the laptop, compiled the kernel with option IPSEC, device crypto, and option IPSEC_NAT_T (to get rid of the error when starting up the racoon system), installed the ipsec-tools package from pkg_add, and set up these files, absolutely nothing else. Oh yes, I installed the bash shell for root and my own user. That's it, literally.

When I run racoon, there is no traffic at all on rl0 (my network interface) on udp port 500. Here is the output from racoon:

[root@laptop /usr/local/etc/racoon]# racoon -v -d -F
Foreground mode.
2012-07-06 04:10:55: INFO: @(#)ipsec-tools 0.8.0 ( http://ipsec-tools.sourceforge.net)
2012-07-06 04:10:55: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
2012-07-06 04:10:55: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for AH
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for ESP
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for IPCOMP
2012-07-06 04:10:55: DEBUG: reading config file /usr/local/etc/racoon/racoon.conf
2012-07-06 04:10:55: DEBUG2: lifetime = 30
2012-07-06 04:10:55: DEBUG2: lifebyte = 0
2012-07-06 04:10:55: DEBUG2: encklen=128
2012-07-06 04:10:55: DEBUG2: p:1 t:1
2012-07-06 04:10:55: DEBUG2: AES-CBC(7)
2012-07-06 04:10:55: DEBUG2: SHA(2)
2012-07-06 04:10:55: DEBUG2: 1536-bit MODP group(5)
2012-07-06 04:10:55: DEBUG2: pre-shared key(1)
2012-07-06 04:10:55: DEBUG2:
2012-07-06 04:10:55: DEBUG: hmac(modp1536)
2012-07-06 04:10:55: DEBUG: no check of compression algorithm; not supported in sadb message.
2012-07-06 04:10:55: DEBUG: getsainfo params: loc='192.168.127.0/24' rmt=' 189.168.175.0/24' peer='NULL' client='NULL' id=0
2012-07-06 04:10:55: DEBUG2: parse successed.
2012-07-06 04:10:55: INFO: 192.168.0.33[500] used for NAT-T
2012-07-06 04:10:55: INFO: 192.168.0.33[500] used as isakmp port (fd=5)
2012-07-06 04:10:55: DEBUG: pk_recv: retry[0] recv()
2012-07-06 04:10:55: DEBUG: got pfkey X_SPDDUMP message
2012-07-06 04:10:55: DEBUG2: 02120000 0f000100 01000000 f60a0000 03000500 ff180000 10020000 c6ba9d00 00000000 00000000 03000600 ff180000 10020000 c0a8e700 00000000 00000000 07001200 02000100 06000000 00000000 28003200 02020000 10020000 c0a80002 00000000 00000000 10020000 c0ba0021 00000000 00000000
2012-07-06 04:10:55: DEBUG: pk_recv: retry[0] recv()
2012-07-06 04:10:55: DEBUG: got pfkey X_SPDDUMP message
2012-07-06 04:10:55: DEBUG2: 02120000 0f000100 00000000 f60a0000 03000500 ff180000 10020000 c0a8e700 00000000 00000000 03000600 ff180000 10020000 c6ba9d00 00000000 00000000 07001200 02000200 05000000 00000000 28003200 02020000 10020000 c0ba0021 00000000 00000000 10020000 c0a80002 00000000 00000000
2012-07-06 04:10:55: DEBUG: sub:0xbfbfe64c: 192.168.127.0/24[0] 189.168.175.0/24[0] proto=any dir=out
2012-07-06 04:10:55: DEBUG: db :0x28891148: 189.168.175.0/24[0] 192.168.127.0/24[0] proto=any dir=in

And it hangs here ad infinitum, no traffic in another session running tcpdump, nothing.

Any help would be appreciated. :) If I can just get this kick-started a little bit I can probably get it (I've been in the computer biz, specifically Unix-based, for the last 12 years), but for now I'm stuck :(
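A consistency check a reviewer would run over files like the ones in the post, added here as an example (not code from the post or from ipsec-tools): it parses the spdadd lines and the listen/remote/peers_identifier addresses in racoon.conf and reports every tunnel endpoint in the SPD that does not match the address racoon listens on or the configured remote peer. The sample input is constructed from the setkey.conf and racoon.conf values as posted; the function and regex names are my own.

```python
import re

# Constructed sample input with the addresses exactly as they appear in the post.
SETKEY_CONF = """
flush;
spdflush;
spdadd 192.168.127.0/24 189.168.175.0/24 any -P out ipsec esp/tunnel/192.186.0.33-189.168.155.32/require;
spdadd 189.168.175.0/24 192.168.127.0/24 any -P in ipsec esp/tunnel/189.168.155.32-192.186.0.33/require;
"""
RACOON_CONF = """
listen { isakmp 192.168.0.33 [500]; }
remote 189.168.155.32 [500] {
    my_identifier address 12.34.56.78;
    peers_identifier address 198.168.155.32;
}
"""

# spdadd <src net> <dst net> <proto> -P <dir> ipsec esp/tunnel/<ep src>-<ep dst>/<level>
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([\d.]+)-([\d.]+)/")

def parse_spd(text):
    """Return (src_net, dst_net, direction, ep_src, ep_dst) per spdadd line."""
    return SPD_RE.findall(text)

def parse_racoon(text):
    """Pull the listen address, remote peer address and peers_identifier address."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {"listen": grab(r"isakmp\s+([\d.]+)"),
            "remote": grab(r"remote\s+([\d.]+)"),
            "peer_id": grab(r"peers_identifier\s+address\s+([\d.]+)")}

def check_consistency(setkey_text, racoon_text):
    """Return a list of findings; an empty list means every endpoint agrees."""
    rc = parse_racoon(racoon_text)
    findings = []
    for src_net, dst_net, direction, ep_src, ep_dst in parse_spd(setkey_text):
        # Outbound tunnels run local -> peer; inbound ones run peer -> local.
        local, peer = (ep_src, ep_dst) if direction == "out" else (ep_dst, ep_src)
        if local != rc["listen"]:
            findings.append(f"{direction} {src_net}->{dst_net}: local endpoint {local} != listen {rc['listen']}")
        if peer != rc["remote"]:
            findings.append(f"{direction} {src_net}->{dst_net}: peer endpoint {peer} != remote {rc['remote']}")
    if rc["peer_id"] and rc["peer_id"] != rc["remote"]:
        findings.append(f"peers_identifier {rc['peer_id']} != remote {rc['remote']}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_consistency(SETKEY_CONF, RACOON_CONF)) or "no mismatches")
```

Run against the posted values it reports three mismatches; with the endpoints in setkey.conf and the peers_identifier brought into line with the listen and remote addresses it reports none.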