Date: Fri, 1 Feb 2013 11:56:40 +0200
From: George Kontostanos <gkontos.mail@gmail.com>
To: freebsd-net@freebsd.org
Subject: Re: Welcome to the "freebsd-net" mailing list
Message-ID: <CA+dUSypxEgC=mFqqXOEFo1W+ZNnLfjytFgkXN_Wqzm2rDwRcHw@mail.gmail.com>
In-Reply-To: <mailman.0.1359711972.62517.freebsd-net@freebsd.org>
References: <mailman.0.1359711972.62517.freebsd-net@freebsd.org>
Hi everyone!

I am trying to tunnel IPv4 traffic over an IPv6 VPN. So far it is unsuccessful. Both machines are running FreeBSD 9.1-RELEASE. They are acting as gateways and they both have assigned /64 IPv6 subnets. The purpose is to encapsulate the non-routable IPv4 traffic behind those gateways into the IPv6 VPN.

For the sake of simplicity I will present the configuration of the first machine. The second has exactly the reverse. (Kernels are compiled with IPsec.)

    #ifconfig gif0 create
    #ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093
    #ifconfig gif0 alias 10.10.10.4 10.1.1.3

The tunnel comes up, machine a can ping machine b and vice versa.

    > ping 10.1.1.3
    PING 10.1.1.3 (10.1.1.3): 56 data bytes
    64 bytes from 10.1.1.3: icmp_seq=0 ttl=64 time=187.772 ms
    64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=184.516 ms
    64 bytes from 10.1.1.3: icmp_seq=2 ttl=64 time=185.563 ms

ipsec-tools comes in to create the actual IPsec connection.

setkey.conf:

    flush;
    spdflush;
    spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec
        esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
    spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;

racoon.conf:

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log debug;

    padding  # options are not to be changed
    {
        maximum_length 20;    # maximum padding length
        randomize off;        # enable randomize length
        strict_check off;     # enable strict check
        exclusive_tail off;   # extract last one octet
    }

    listen  # address [port] that racoon will be listening on
    {
        isakmp xxxx:580:8f00:2c00::2093 [500];
    }

    timer  # timing options. change as needed
    {
        counter 5;        # maximum trying count to send
        interval 20 sec;  # maximum interval to resend
        persend 1;        # the number of packets per send
        phase1 60 sec;
        phase2 25 sec;
    }

    remote xxxx:fc50:1001:5f00::86 [500]
    {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        lifetime time 8 hour;
        initial_contact on;
        passive off;
        proposal_check obey;
        generate_policy off;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 5;
        lifetime time 12 hour;
        encryption_algorithm blowfish,3des,des;
        # authentication_algorithm hmac_md5,hmac_sha1;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

Once the IPsec is established:

    2013-01-31 18:02:20: DEBUG: KEYMAT computed.
    2013-01-31 18:02:20: DEBUG: call pk_sendupdate
    2013-01-31 18:02:20: DEBUG: encryption(blowfish)
    2013-01-31 18:02:20: DEBUG: hmac(sha1)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_update2
    2013-01-31 18:02:20: DEBUG: pfkey update sent.
    2013-01-31 18:02:20: DEBUG: encryption(blowfish)
    2013-01-31 18:02:20: DEBUG: hmac(sha1)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_add2 (NAT flavor)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_add2
    2013-01-31 18:02:20: DEBUG: pfkey add sent.
    2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
    2013-01-31 18:02:20: DEBUG: got pfkey UPDATE message
    2013-01-31 18:02:20: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
    2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
    2013-01-31 18:02:20: DEBUG: ===
    2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
    2013-01-31 18:02:20: DEBUG: got pfkey ADD message
    2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=109946295(0x68da5b7)
    2013-01-31 18:02:20: DEBUG: ===

I can only ping the IPv6 endpoints. The IPv4 simply times out. I ran a tcpdump but didn't see anything that could assist me. I suspect that my problem is in the spd policies. I also ran into an older PR (http://www.freebsd.org/cgi/query-pr.cgi?pr=169438&cat=) which looks similar. The ipsec_output.c though seems different in that part.

Any help will be appreciated!

Thanks
--
George Kontostanos
---
http://www.aisecure.net
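As an added illustration (not code from the message, from FreeBSD or from ipsec-tools), a small Python check that parses the ifconfig and setkey lines exactly as posted and reports where the SPD policies disagree with the gif0 addressing, or use a policy level weaker than require. It assumes the setkey spdadd syntax shown in the message and that "ifconfig gif0 alias A B" lists the local address first and the destination second; run on the configuration quoted above it flags the inner IPv4 selectors and the use level, which is the kind of SPD mismatch the poster suspects.

```python
import ipaddress
import re
# Sample input constructed from the lines quoted in the message; the "xxxx" prefix
# is kept as posted, so IPv6 endpoints are compared as strings, IPv4 as networks.
IFCONFIG_LINES = [
    "ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093",
    "ifconfig gif0 alias 10.10.10.4 10.1.1.3",
]
SETKEY_CONF = """
spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;
"""
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/(\S+)-(\S+)/(\w+)\s*;")

def parse_gif(lines):
    """Outer (IPv6) and inner (IPv4) local/remote addresses of the gif interface."""
    gif = {}
    for words in (line.split() for line in lines):
        if "tunnel" in words:
            i = words.index("tunnel")
            gif["outer_local"], gif["outer_remote"] = words[i + 1], words[i + 2]
        elif "alias" in words:  # assumed order: local address, then destination
            i = words.index("alias")
            gif["inner_local"], gif["inner_remote"] = words[i + 1], words[i + 2]
    return gif

def parse_spd(text):
    return [dict(src=m[0], dst=m[1], dir=m[2], tsrc=m[3], tdst=m[4], level=m[5])
            for m in SPD_RE.findall(text)]

def audit(gif, policies):
    """List every point where the SPD disagrees with gif0, or is weaker than 'require'."""
    findings = []
    for p in policies:
        # From this host, 'out' carries inner_local->inner_remote inside outer_local->outer_remote; 'in' mirrors it.
        if p["dir"] == "out":
            want = (gif["outer_local"], gif["outer_remote"], gif["inner_local"], gif["inner_remote"])
        else:
            want = (gif["outer_remote"], gif["outer_local"], gif["inner_remote"], gif["inner_local"])
        if (p["tsrc"], p["tdst"]) != want[:2]:
            findings.append(f"{p['dir']}: tunnel {p['tsrc']}-{p['tdst']} does not match gif0 endpoints")
        for label, addr, sel in (("src", want[2], p["src"]), ("dst", want[3], p["dst"])):
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(sel):
                findings.append(f"{p['dir']}: {addr} is not inside {label} selector {sel}")
        if p["level"] != "require":  # 'use' lets packets pass in clear when no SA exists
            findings.append(f"{p['dir']}: level '{p['level']}' does not force ESP")
    if {p["dir"] for p in policies} != {"in", "out"}:
        findings.append("SPD lacks an in or out policy")
    return findings
```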