Date:      Thu, 5 Jul 2012 21:15:07 -0700
From:      Chris Benesch <chris.benesch@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   IPSec woes coming from OpenBSD to Free
Message-ID:  <CAPKwmM1heXCRviB5nQ-YCDYsTTLMa2UNDG4sAfj1xeeft63RNQ@mail.gmail.com>

Hi all,

Forgive me if I sound noobish, but I have been using OpenBSD for a long
time and haven't messed with FreeBSD in over 5 years.  My situation overall
is thus: I need to connect an internal network to my workplace over
IPSec.  It is currently working on OpenBSD, but after all the flak that
came out last year and the fact that I do work in the financial industry,
maybe it is better to have a system without the documented security hole.
That's a whole other discussion.

Looking at the manual, it says to create a gif interface with the other
end.  Unfortunately I do not know how they have the other end set up
completely, so I don't know, for example, the other end's internal address.
Basically it is joining my internal network 192.168.127.0 (not the real
number, but the same class of network) to 189.168.175.0/24 and, once that is
up, the 176.0/24 network as well.  But for now, let's focus on 175.  To test
out the move, I have installed 9.0 on an old laptop.  It only has one
network card on it, but I set up the fwe0 interface (firewire) to be the
internal interface (192.168.127.1).

I read a lot of relevant pages and from what I can tell I think everything
is right, or I should at least see some traffic.  However, I see absolutely
no traffic.  I do a tcpdump in another session for UDP port 500 and there
is nada, zilch.  I am not connecting to another FreeBSD box, but to a
Watchguard XTM 505 device, so the usual things of "go change this on the
other host" don't work in my case; I can only manipulate my end.  Oh, my
laptop is assigned IP address 192.168.0.33 and it has all UDP 500 traffic
directed to it from my DSL router.  Same setup as the OpenBSD box, which
works, but a different IP.

I have replaced the real IPs with modified versions so that I can remain
secure, but illustrate any issues.

So here is psk.txt:

189.168.155.32  MySecretKey  << I know this key is correct.

Here is setkey.conf:

flush;
spdflush;
spdadd 192.168.127.0/24 189.168.175.0/24 any -P out ipsec
esp/tunnel/192.186.0.33-189.168.155.32/require;
spdadd 189.168.175.0/24 192.168.127.0/24 any -P in ipsec
esp/tunnel/189.168.155.32-192.186.0.33/require;

I did flush and dump that each time I tested.

racoon.conf

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; # location of pre-shared key file
log     debug2; # log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        isakmp          192.168.0.33 [500];
}

remote  189.168.155.32 [500]
{
        exchange_mode   aggressive,main;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 12.34.56.78;  << internet-facing public address that is static
        peers_identifier        address 198.168.155.32;
        lifetime        time 1 hour;
        passive         off;
        proposal_check  obey;
        nat_traversal   off;
        initial_contact on;
        generate_policy off;

                        proposal {
                                encryption_algorithm    aes;
                                hash_algorithm          sha1;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                5;
                        }
}

sainfo  (address 192.168.127.0/24 any address 189.168.175.0/24 any)     # address $network/$netmask $type address $network/$netmask $type ($type being any or esp)
{                                                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    1200 sec;
        encryption_algorithm    aes;
        authentication_algorithm      hmac_sha1;
        compression_algorithm   deflate;
}

And there is no firewall set up or anything.  Like I said, I am just testing
this out; all I have done is install FreeBSD 9.0 i386 on the laptop,
compile the kernel with option IPSEC, device crypto, and option
IPSEC_NAT_T (to get rid of the error when starting up the racoon system),
install the ipsec-tools package from pkg_add and set up these files,
absolutely nothing else.  Oh yes, I installed the bash shell for root and
my own user.  That's it, literally.

When I run racoon, there is no traffic at all on rl0 (my network interface)
on UDP port 500.

Here is the output from racoon:

[root@laptop /usr/local/etc/racoon]# racoon -v -d -F
Foreground mode.
2012-07-06 04:10:55: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2012-07-06 04:10:55: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
2012-07-06 04:10:55: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for AH
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for ESP
2012-07-06 04:10:55: DEBUG: call pfkey_send_register for IPCOMP
2012-07-06 04:10:55: DEBUG: reading config file /usr/local/etc/racoon/racoon.conf
2012-07-06 04:10:55: DEBUG2: lifetime = 30
2012-07-06 04:10:55: DEBUG2: lifebyte = 0
2012-07-06 04:10:55: DEBUG2: encklen=128
2012-07-06 04:10:55: DEBUG2: p:1 t:1
2012-07-06 04:10:55: DEBUG2: AES-CBC(7)
2012-07-06 04:10:55: DEBUG2: SHA(2)
2012-07-06 04:10:55: DEBUG2: 1536-bit MODP group(5)
2012-07-06 04:10:55: DEBUG2: pre-shared key(1)
2012-07-06 04:10:55: DEBUG2:
2012-07-06 04:10:55: DEBUG: hmac(modp1536)
2012-07-06 04:10:55: DEBUG: no check of compression algorithm; not supported in sadb message.
2012-07-06 04:10:55: DEBUG: getsainfo params: loc='192.168.127.0/24' rmt='189.168.175.0/24' peer='NULL' client='NULL' id=0
2012-07-06 04:10:55: DEBUG2: parse successed.
2012-07-06 04:10:55: INFO: 192.168.0.33[500] used for NAT-T
2012-07-06 04:10:55: INFO: 192.168.0.33[500] used as isakmp port (fd=5)
2012-07-06 04:10:55: DEBUG: pk_recv: retry[0] recv()
2012-07-06 04:10:55: DEBUG: got pfkey X_SPDDUMP message
2012-07-06 04:10:55: DEBUG2:
02120000 0f000100 01000000 f60a0000 03000500 ff180000 10020000 c6ba9d00
00000000 00000000 03000600 ff180000 10020000 c0a8e700 00000000 00000000
07001200 02000100 06000000 00000000 28003200 02020000 10020000 c0a80002
00000000 00000000 10020000 c0ba0021 00000000 00000000
2012-07-06 04:10:55: DEBUG: pk_recv: retry[0] recv()
2012-07-06 04:10:55: DEBUG: got pfkey X_SPDDUMP message
2012-07-06 04:10:55: DEBUG2:
02120000 0f000100 00000000 f60a0000 03000500 ff180000 10020000 c0a8e700
00000000 00000000 03000600 ff180000 10020000 c6ba9d00 00000000 00000000
07001200 02000200 05000000 00000000 28003200 02020000 10020000 c0ba0021
00000000 00000000 10020000 c0a80002 00000000 00000000
2012-07-06 04:10:55: DEBUG: sub:0xbfbfe64c: 192.168.127.0/24[0] 189.168.175.0/24[0] proto=any dir=out
2012-07-06 04:10:55: DEBUG: db :0x28891148: 189.168.175.0/24[0] 192.168.127.0/24[0] proto=any dir=in

And it hangs here ad infinitum, no traffic in another session running
tcpdump, nothing.

Any help would be appreciated. :)  If I can just get this kick-started a
little bit (I've been in the computer biz, specifically Unix-based, for the
last 12 years) I can probably get it, but for now I'm stuck :(
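Racoon, as configured above, does not start phase 1 on its own: it stays in the foreground until the kernel sends it an SADB_ACQUIRE, and the kernel only does that when an outbound packet matches a `require` policy. So before looking for UDP/500 on the wire it is worth checking that the three places racoon has to reconcile agree on the endpoints: the `esp/tunnel/A-B` addresses in setkey.conf, the `listen`/`remote` addresses in racoon.conf, and the SPD the kernel actually holds (the hex blocks after "got pfkey X_SPDDUMP message" in the debug2 output are raw PF_KEY messages). The script below is an added example and not ipsec-tools or FreeBSD code: it parses the two config files as quoted in the post (racoon.conf cut down to its address lines), decodes the first SPDDUMP message as an i386 little-endian `sadb_msg` with address and policy extensions, and lists every endpoint that cannot line up. On the post's own input it reports that both setkey policies name `192.186.0.33` as the local tunnel endpoint while racoon listens on `192.168.0.33`, that `peers_identifier` `198.168.155.32` differs from the `remote` address `189.168.155.32`, and that the kernel's policy id 6 tunnels between `192.168.0.2` and `192.186.0.33`, neither of which is the listen address. The post says its IPs were altered before posting, so the pattern rather than the specific numbers is what carries over. The sample inputs are constructed from the post; the structure layouts and constants follow FreeBSD's net/pfkeyv2.h and netipsec/ipsec.h.

```python
import re
import socket
import struct

# Constructed sample inputs, copied from the post (racoon.conf cut down to its address lines).
SETKEY_CONF = """
spdadd 192.168.127.0/24 189.168.175.0/24 any -P out ipsec
esp/tunnel/192.186.0.33-189.168.155.32/require;
spdadd 189.168.175.0/24 192.168.127.0/24 any -P in ipsec
esp/tunnel/189.168.155.32-192.186.0.33/require;
"""
RACOON_CONF = """
listen { isakmp 192.168.0.33 [500]; }
remote 189.168.155.32 [500] { peers_identifier address 198.168.155.32; }
"""
# First "got pfkey X_SPDDUMP message" hex block from the racoon debug2 output (i386 kernel, little-endian).
SPDDUMP_HEX = """
02120000 0f000100 01000000 f60a0000 03000500 ff180000 10020000 c6ba9d00
00000000 00000000 03000600 ff180000 10020000 c0a8e700 00000000 00000000
07001200 02000100 06000000 00000000 28003200 02020000 10020000 c0a80002
00000000 00000000 10020000 c0ba0021 00000000 00000000
"""

# Constants from FreeBSD's net/pfkeyv2.h and netipsec/ipsec.h.
SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST, SADB_X_EXT_POLICY = 5, 6, 18
AF_INET, IPSEC_MODE_TUNNEL = 2, 2
DIR, LEVEL = {1: "in", 2: "out"}, {0: "default", 1: "use", 2: "require", 3: "unique"}
PROTO = {50: "esp", 51: "ah", 108: "ipcomp"}

def sockaddr_in(buf: bytes) -> str:
    """BSD struct sockaddr_in: sa_len, sa_family, sin_port, sin_addr (address in network order)."""
    if buf[1] != AF_INET: raise ValueError(f"unexpected address family {buf[1]}")
    return socket.inet_ntoa(buf[4:8])

def decode_spddump(hexdump: str, order: str = "<") -> dict:
    """Decode one SADB_X_SPDDUMP message; `order` is the dumping kernel's native byte order."""
    msg = bytes.fromhex("".join(hexdump.split()))
    _ver, mtype, _errno, _satype, msglen, _rsv, seq, pid = struct.unpack_from(order + "BBBBHHII", msg, 0)
    if msglen * 8 != len(msg): raise ValueError("sadb_msg_len (8-byte units) does not match the dump length")
    policy = {"type": mtype, "seq": seq, "pid": pid, "requests": []}
    off = 16
    while off < len(msg):                            # walk the extension headers (len, type)
        ext_len, ext_type = struct.unpack_from(order + "HH", msg, off)
        body = msg[off + 4:off + ext_len * 8]
        if ext_type in (SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST):
            key = "src" if ext_type == SADB_EXT_ADDRESS_SRC else "dst"
            policy[key] = f"{sockaddr_in(body[4:])}/{body[1]}"   # body[1] is the prefix length
        elif ext_type == SADB_X_EXT_POLICY:
            _ptype, pdir, _r, pol_id = struct.unpack_from(order + "HBBI", body, 0)
            policy["dir"], policy["id"] = DIR.get(pdir, str(pdir)), pol_id
            r = 12                                   # sadb_x_ipsecrequest records follow the 12-byte policy body
            while r < len(body):
                rlen, rproto, rmode, rlevel = struct.unpack_from(order + "HHBB", body, r)
                req = {"proto": PROTO.get(rproto, str(rproto)), "level": LEVEL.get(rlevel, str(rlevel))}
                if rmode == IPSEC_MODE_TUNNEL:       # tunnel mode: two sockaddrs after the 8-byte request header
                    a = r + 8
                    req["tunnel_src"] = sockaddr_in(body[a:])
                    req["tunnel_dst"] = sockaddr_in(body[a + body[a]:])
                policy["requests"].append(req)
                r += rlen
        off += ext_len * 8
    return policy

def parse_spd(conf: str) -> list[dict]:
    """Selectors, direction and tunnel endpoints of each spdadd statement (statements may span lines)."""
    pat = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\w+)/tunnel/([\d.]+)-([\d.]+)/(\w+)")
    names = ("src", "dst", "dir", "proto", "tunnel_src", "tunnel_dst", "level")
    matches = (pat.search(" ".join(stmt.split())) for stmt in conf.split(";"))
    return [dict(zip(names, m.groups())) for m in matches if m]

def parse_racoon(conf: str) -> dict:
    """listen/remote addresses and the peer identifier (address form only) from racoon.conf."""
    keys = {"listen": r"isakmp\s+([\d.]+)", "remote": r"remote\s+([\d.]+)",
            "peers_identifier": r"peers_identifier\s+address\s+([\d.]+)"}
    return {k: (m.group(1) if (m := re.search(p, conf)) else None) for k, p in keys.items()}

def cross_check(spd: list[dict], racoon: dict, kernel: list[dict]) -> list[str]:
    """Endpoints that cannot line up when the kernel asks racoon to negotiate for a policy."""
    findings, listen, remote = [], racoon["listen"], racoon["remote"]
    for p in spd:
        local, peer = (p["tunnel_src"], p["tunnel_dst"]) if p["dir"] == "out" else (p["tunnel_dst"], p["tunnel_src"])
        if local != listen:
            findings.append(f"setkey {p['dir']} policy: local endpoint {local} is not the listen address {listen}")
        if peer != remote:
            findings.append(f"setkey {p['dir']} policy: peer {peer} has no matching remote block ({remote})")
    if racoon["peers_identifier"] and racoon["peers_identifier"] != remote:
        findings.append(f"racoon.conf: peers_identifier {racoon['peers_identifier']} differs from remote {remote}")
    for k, req in ((k, r) for k in kernel for r in k["requests"]):
        ends = (req.get("tunnel_src"), req.get("tunnel_dst"))
        if listen not in ends:
            findings.append(f"kernel SPD id {k['id']} ({k['dir']}): tunnel {ends[0]} -> {ends[1]} does not use {listen}")
    return findings

if __name__ == "__main__":
    for finding in cross_check(parse_spd(SETKEY_CONF), parse_racoon(RACOON_CONF), [decode_spddump(SPDDUMP_HEX)]):
        print("!!", finding)
```

On a live box, `setkey -DP` gives the policy text and a `debug2` racoon log gives the hex; feed both in place of the constants. Note that `tcpdump -ni rl0 udp port 500` stays empty until an ACQUIRE happens, so once the endpoints agree, provoke one with a packet that matches the `out` policy (for example a `ping -S` sourced from the fwe0 address to a host in 189.168.175.0/24) and watch `setkey -D` for the pending SA.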