From owner-freebsd-stable@FreeBSD.ORG Tue Nov 18 10:26:25 2014
Date: Tue, 18 Nov 2014 11:26:19 +0100
From: Göran Löwkrantz
To: VANHULLEBUS Yvan
Cc: freebsd-stable@freebsd.org
Subject: Re: [MASSMAIL]Re: Problem with IPSec tunnel and normal routing
Message-ID: <6F84B34B2AA9F9E37A9161FF@[172.16.2.28]>
In-Reply-To: <20141118100739.GB18512@zeninc.net>
References: <20141118100739.GB18512@zeninc.net>

--On 18 Nov 2014 11:07:40 +0100 VANHULLEBUS Yvan wrote:

> Hi.
>
> On Tue, Nov 18, 2014 at 10:52:50AM +0100, Göran Löwkrantz wrote:
>> We have a problem with a NanoBSD GW/Router that seems to get its
>> forwarding screwed up by an IPSec tunnel.
>>
>>    +----+                                       +-------+
>>    |    |         +----+                        |       |    +-- A
>> 2 -+    |         |    |                        |       |    |
>> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
>> 4 -+    |         |    |                        | endp  |    |
>>    |    |         +----+                        |       |    +-- C
>>    +----+                                       +-------+
>>
>> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
>> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
>> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
>>
>> DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
>> IPSec endp - YYY.YYY.YYY.2
>>
>> Net A - 192.168.45.129/32
>> Net B - 192.168.45.130/32
>> Net C - 192.168.40.8/29
>>
>> Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.
>>
>> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
>> #0 r274192
>> IKEv1 etc. is handled by strongswan-5.2.0_1
>> Left IPSec endpoint is a Clavister VPN GW.
>>
>> After a host on Net 3 has connected through the tunnel to
>> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
>> that host is received correctly at the GW on Net 3 (em1) but the
>> response from the GW is sent out via the DMZ interface em5.
>> Switching the host to Net 4, i.e. disconnecting the network cable and
>> starting the WiFi, restores connectivity.
>>
>> Other hosts on Net 3 that have not communicated via the IPSec tunnel
>> are NOT affected.
>>
>> All routing seems to be correct on the GW so some other mechanism
>> must be at play.
>>
>> Any help appreciated.
>
> Could you please send us at least a dump of your SPD and routing
> configuration?
>
> Yvan.

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Netif Expire
default            176.57.193.129     UGS     em5
10.191.251.0/24    10.191.251.2       UGS     tun0
10.191.251.1       link#12            UHS     lo0
10.191.251.2       link#12            UH      tun0
10.191.252.0/24    10.191.252.2       UGS     tun1
10.191.252.1       link#13            UHS     lo0
10.191.252.2       link#13            UH      tun1
10.191.253.0/24    10.191.253.2       UGS     tun2
10.191.253.1       link#14            UHS     lo0
10.191.253.2       link#14            UH      tun2
127.0.0.1          link#11            UH      lo0
176.57.193.128/27  link#6             U       em5
176.57.193.157     link#6             UHS     lo0
176.57.193.157/32  link#6             U       em5
176.57.193.158     link#6             UHS     lo0
192.168.2.0/24     link#3             U       em2
192.168.2.1        link#3             UHS     lo0
192.168.3.0/24     link#2             U       em1
192.168.3.1        link#2             UHS     lo0
192.168.4.0/24     link#1             U       em0
192.168.4.254      link#1             UHS     lo0
192.168.5.0/24     link#4             U       em3
192.168.5.254      link#4             UHS     lo0
192.168.9.0/24     link#5             U       em4
192.168.9.254      link#5             UHS     lo0
192.168.40.8/29    176.57.193.129     US      em5
192.168.45.129     176.57.193.129     UGHS    em5
192.168.45.130     176.57.193.129     UGHS    em5

Internet6:
Destination                       Gateway                           Flags   Netif Expire
::/96                             ::1                               UGRS    lo0
default                           2a00:f680:101:1::1                UGS     em5
::1                               link#11                           UH      lo0
::ffff:0.0.0.0/96                 ::1                               UGRS    lo0
2a00:f680:101:1::/64              link#6                            U       em5
2a00:f680:101:1::fffd             link#6                            UHS     lo0
2a00:f680:101:1::fffe             link#6                            UHS     lo0
fe80::/10                         ::1                               UGRS    lo0
fe80::%em5/64                     link#6                            U       em5
fe80::230:48ff:feb9:99c9%em5      link#6                            UHS     lo0
fe80::%lo0/64                     link#11                           U       lo0
fe80::1%lo0                       link#11                           UHS     lo0
fe80::%tun0/64                    link#12                           U       tun0
fe80::21b:21ff:fe24:6248%tun0     link#12                           UHS     lo0
fe80::%tun1/64                    link#13                           U       tun1
fe80::21b:21ff:fe24:6248%tun1     link#13                           UHS     lo0
fe80::%tun2/64                    link#14                           U       tun2
fe80::21b:21ff:fe24:6248%tun2     link#14                           UHS     lo0
ff01::%em5/32                     fe80::230:48ff:feb9:99c9%em5      U       em5
ff01::%lo0/32                     ::1                               U       lo0
ff01::%tun0/32                    fe80::21b:21ff:fe24:6248%tun0     U       tun0
ff01::%tun1/32                    fe80::21b:21ff:fe24:6248%tun1     U       tun1
ff01::%tun2/32                    fe80::21b:21ff:fe24:6248%tun2     U       tun2
ff02::/16                         ::1                               UGRS    lo0
ff02::%em5/32                     fe80::230:48ff:feb9:99c9%em5      U       em5
ff02::%lo0/32                     ::1                               U       lo0
ff02::%tun0/32                    fe80::21b:21ff:fe24:6248%tun0     U       tun0
ff02::%tun1/32                    fe80::21b:21ff:fe24:6248%tun1     U       tun1
ff02::%tun2/32                    fe80::21b:21ff:fe24:6248%tun2     U       tun2

root@gw01:/data/home/admglz # setkey -D
No SAD entries.

root@gw01:/data/home/admglz # setkey -DP
192.168.45.130[any] 192.168.2.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=84 seq=29 pid=51194 refcnt=1
192.168.40.8/29[any] 192.168.2.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=86 seq=28 pid=51194 refcnt=1
192.168.45.130[any] 192.168.3.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=88 seq=27 pid=51194 refcnt=1
192.168.40.8/29[any] 192.168.3.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=90 seq=26 pid=51194 refcnt=1
192.168.45.129[any] 10.191.251.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=92 seq=25 pid=51194 refcnt=1
192.168.45.130[any] 10.191.251.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=94 seq=24 pid=51194 refcnt=1
192.168.40.8/29[any] 10.191.251.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=96 seq=23 pid=51194 refcnt=1
192.168.45.129[any] 10.191.252.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=98 seq=22 pid=51194 refcnt=1
192.168.45.130[any] 10.191.252.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=100 seq=21 pid=51194 refcnt=1
192.168.40.8/29[any] 10.191.252.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=102 seq=20 pid=51194 refcnt=1
192.168.45.129[any] 10.191.253.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=104 seq=19 pid=51194 refcnt=1
192.168.45.130[any] 10.191.253.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=106 seq=18 pid=51194 refcnt=1
192.168.40.8/29[any] 10.191.253.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=108 seq=17 pid=51194 refcnt=1
192.168.45.129[any] 192.168.2.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 10:19:57 2014  lastused: Nov 18 10:19:57 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=112 seq=16 pid=51194 refcnt=1
192.168.45.129[any] 192.168.3.0/24[any] any
    in ipsec esp/tunnel/92.254.132.2-176.57.193.158/unique:1
    created: Nov 18 11:09:30 2014  lastused: Nov 18 11:09:30 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=114 seq=15 pid=51194 refcnt=1
192.168.2.0/24[any] 192.168.45.130[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=83 seq=14 pid=51194 refcnt=1
192.168.2.0/24[any] 192.168.40.8/29[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=85 seq=13 pid=51194 refcnt=1
192.168.3.0/24[any] 192.168.45.130[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=87 seq=12 pid=51194 refcnt=1
192.168.3.0/24[any] 192.168.40.8/29[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=89 seq=11 pid=51194 refcnt=1
10.191.251.0/24[any] 192.168.45.129[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=91 seq=10 pid=51194 refcnt=1
10.191.251.0/24[any] 192.168.45.130[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=93 seq=9 pid=51194 refcnt=1
10.191.251.0/24[any] 192.168.40.8/29[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=95 seq=8 pid=51194 refcnt=1
10.191.252.0/24[any] 192.168.45.129[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=97 seq=7 pid=51194 refcnt=1
10.191.252.0/24[any] 192.168.45.130[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=99 seq=6 pid=51194 refcnt=1
10.191.252.0/24[any] 192.168.40.8/29[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=101 seq=5 pid=51194 refcnt=1
10.191.253.0/24[any] 192.168.45.129[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=103 seq=4 pid=51194 refcnt=1
10.191.253.0/24[any] 192.168.45.130[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=105 seq=3 pid=51194 refcnt=1
10.191.253.0/24[any] 192.168.40.8/29[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 09:49:44 2014  lastused: Nov 18 09:49:44 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=107 seq=2 pid=51194 refcnt=1
192.168.2.0/24[any] 192.168.45.129[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 10:19:57 2014  lastused: Nov 18 10:19:57 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=111 seq=1 pid=51194 refcnt=1
192.168.3.0/24[any] 192.168.45.129[any] any
    out ipsec esp/tunnel/176.57.193.158-92.254.132.2/unique:1
    created: Nov 18 11:09:30 2014  lastused: Nov 18 11:09:30 2014
    lifetime: 9223372036854775807(s) validtime: 0(s) spid=113 seq=0 pid=51194 refcnt=1

root@gw01:/data/home/admglz # ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64):
  uptime: 3 days, since Nov 15 09:32:27 2014
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon curl aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
Listening IP addresses:
  192.168.4.254
  192.168.3.1
  192.168.2.1
  192.168.5.254
  192.168.9.254
  176.57.193.158
  2a00:f680:101:1::fffe
  176.57.193.157
  2a00:f680:101:1::fffd
  10.191.251.1
  10.191.252.1
  10.191.253.1
Connections:
     net-net:  176.57.193.158...92.254.132.2  IKEv1
     net-net:   local:  [176.57.193.158] uses pre-shared key authentication
     net-net:   remote: [92.254.132.2] uses pre-shared key authentication
     net-net:   child:  192.168.2.0/24 192.168.3.0/24 10.191.251.0/24 10.191.252.0/24 10.191.253.0/24 === 192.168.45.129/32 192.168.45.130/32 192.168.40.8/29 TUNNEL
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   192.168.2.0/24 192.168.3.0/24 10.191.251.0/24 10.191.252.0/24 10.191.253.0/24 === 192.168.45.129/32 192.168.45.130/32 192.168.40.8/29
Security Associations (1 up, 0 connecting):
     net-net[6]: ESTABLISHED 72 minutes ago, 176.57.193.158[176.57.193.158]...92.254.132.2[92.254.132.2]
     net-net[6]: IKEv1 SPIs: c71206a4eb076dde_i 1587c4b0b11e1003_r*, pre-shared key reauthentication in 6 hours
     net-net[6]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

/glz
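An added diagnostic, not part of the thread: a small Python parser for `setkey -DP` output in the layout posted above. It pairs every out-policy with its mirror in-policy (src/dst swapped) and lists the spids of policies installed after the first batch, which is a quick way to see which selectors were negotiated later than the rest. The sample dump is constructed from three of the thread's own selectors, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `setkey -DP` on FreeBSD, whitespace-
# flattened the way the dump arrived on the list; the selectors are three of
# those in the thread (one in/out pair plus one in-policy created later).
SAMPLE = (
    "192.168.45.130[any] 192.168.3.0/24[any] any in ipsec "
    "esp/tunnel/92.254.132.2-176.57.193.158/unique:1 "
    "created: Nov 18 09:49:44 2014 lastused: Nov 18 09:49:44 2014 "
    "lifetime: 9223372036854775807(s) validtime: 0(s) spid=88 seq=27 pid=51194 refcnt=1 "
    "192.168.3.0/24[any] 192.168.45.130[any] any out ipsec "
    "esp/tunnel/176.57.193.158-92.254.132.2/unique:1 "
    "created: Nov 18 09:49:44 2014 lastused: Nov 18 09:49:44 2014 "
    "lifetime: 9223372036854775807(s) validtime: 0(s) spid=87 seq=12 pid=51194 refcnt=1 "
    "192.168.45.129[any] 192.168.3.0/24[any] any in ipsec "
    "esp/tunnel/92.254.132.2-176.57.193.158/unique:1 "
    "created: Nov 18 11:09:30 2014 lastused: Nov 18 11:09:30 2014 "
    "lifetime: 9223372036854775807(s) validtime: 0(s) spid=114 seq=15 pid=51194 refcnt=1"
)

# One SPD entry: selector pair, direction, tunnel endpoints, creation time, spid.
ENTRY = re.compile(
    r"(?P<src>\S+)\[\S*\] (?P<dst>\S+)\[\S*\] \S+ (?P<dir>in|out) ipsec "
    r"esp/tunnel/(?P<tsrc>[^-/]+)-(?P<tdst>[^/]+)/\S+ "
    r"created: (?P<created>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?spid=(?P<spid>\d+)"
)

def parse_spd(dump):
    """Return one dict per SPD entry from (possibly line-wrapped) setkey -DP text."""
    entries = []
    for m in ENTRY.finditer(" ".join(dump.split())):
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], "%b %d %H:%M:%S %Y")
        e["spid"] = int(e["spid"])
        entries.append(e)
    return entries

def audit_spd(entries):
    """Pair each policy with its mirror (src/dst swapped, opposite direction).

    Returns (unpaired, late): selector tuples that have no mirror policy, and
    the spids of policies created after the first batch was installed.
    """
    mirror = {"in": "out", "out": "in"}
    have = {(e["src"], e["dst"], e["dir"]) for e in entries}
    unpaired = sorted(k for k in have if (k[1], k[0], mirror[k[2]]) not in have)
    first = min(e["created"] for e in entries)
    late = sorted(e["spid"] for e in entries if e["created"] > first)
    return unpaired, late
```

Feeding it the full dump above pairs all 30 entries and reports spids 111 to 114 as the ones created after 09:49:44.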