From: George Kontostanos
To: freebsd-net@freebsd.org
Date: Fri, 1 Feb 2013 11:56:40 +0200
Subject: Re: Welcome to the "freebsd-net" mailing list
List-Id: Networking and TCP/IP with FreeBSD

Hi everyone!

I am trying to tunnel IPv4 traffic over an IPv6 VPN. So far it is unsuccessful.

Both machines are running FreeBSD 9.1-RELEASE. They are acting as gateways and
they both have assigned /64 IPv6 subnets. The purpose is to encapsulate the
non-routable IPv4 traffic behind those gateways into the IPv6 VPN.

For the sake of simplicity I will present the configuration of the first
machine. The second has exactly the reverse. (Kernels are compiled with IPsec.)

    # ifconfig gif0 create
    # ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093
    # ifconfig gif0 alias 10.10.10.4 10.1.1.3

The tunnel comes up, machine A can ping machine B and vice versa.

    > ping 10.1.1.3
    PING 10.1.1.3 (10.1.1.3): 56 data bytes
    64 bytes from 10.1.1.3: icmp_seq=0 ttl=64 time=187.772 ms
    64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=184.516 ms
    64 bytes from 10.1.1.3: icmp_seq=2 ttl=64 time=185.563 ms

ipsec-tools comes in to create the actual IPsec connection.

setkey.conf:

    # clear the SAD and the SPD before loading the policies
    flush;
    spdflush;
    # tunnel-mode ESP between the two IPv6 endpoints, level "use"
    spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
    spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;

racoon.conf:

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log debug;

    padding  # options are not to be changed
    {
        maximum_length 20;      # maximum padding length
        randomize off;          # enable randomize length
        strict_check off;       # enable strict check
        exclusive_tail off;     # extract last one octet
    }

    listen  # address [port] that racoon will listen on
    {
        isakmp xxxx:580:8f00:2c00::2093 [500];
    }

    timer  # timing options. change as needed
    {
        counter 5;              # maximum trying count to send
        interval 20 sec;        # maximum interval to resend
        persend 1;              # the number of packets per a send
        phase1 60 sec;
        phase2 25 sec;
    }

    remote xxxx:fc50:1001:5f00::86 [500]
    {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        lifetime time 8 hour;
        initial_contact on;
        passive off;
        proposal_check obey;
        generate_policy off;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous
    {
        pfs_group 5;
        lifetime time 12 hour;
        encryption_algorithm blowfish,3des,des;
        # authentication_algorithm hmac_md5,hmac_sha1;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

Once the IPsec is established:

    2013-01-31 18:02:20: DEBUG: KEYMAT computed.
    2013-01-31 18:02:20: DEBUG: call pk_sendupdate
    2013-01-31 18:02:20: DEBUG: encryption(blowfish)
    2013-01-31 18:02:20: DEBUG: hmac(sha1)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_update2
    2013-01-31 18:02:20: DEBUG: pfkey update sent.
    2013-01-31 18:02:20: DEBUG: encryption(blowfish)
    2013-01-31 18:02:20: DEBUG: hmac(sha1)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_add2 (NAT flavor)
    2013-01-31 18:02:20: DEBUG: call pfkey_send_add2
    2013-01-31 18:02:20: DEBUG: pfkey add sent.
    2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
    2013-01-31 18:02:20: DEBUG: got pfkey UPDATE message
    2013-01-31 18:02:20: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
    2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=15238148(0xe88404)
    2013-01-31 18:02:20: DEBUG: ===
    2013-01-31 18:02:20: DEBUG: pk_recv: retry[0] recv()
    2013-01-31 18:02:20: DEBUG: got pfkey ADD message
    2013-01-31 18:02:20: INFO: IPsec-SA established: ESP/Tunnel xxxx:580:8f00:2c00::2093[500]->xxxx:fc50:1001:5f00::86[500] spi=109946295(0x68da5b7)
    2013-01-31 18:02:20: DEBUG: ===

I can only ping the IPv6 endpoints. The IPv4 simply times out. I ran a tcpdump
but didn't see anything that could assist me.

I suspect that my problem is in the SPD policies. I also ran into an older PR
(http://www.freebsd.org/cgi/query-pr.cgi?pr=169438&cat=) which looks similar.
The ipsec_output.c, though, seems different in that part.

Any help will be appreciated!

Thanks

--
George Kontostanos
---
http://www.aisecure.net
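A consistency check over the gif and setkey lines quoted in the message above, added here as an example; it is not part of George's post and not FreeBSD or ipsec-tools code. It parses the `ifconfig gif0 ... tunnel` / `alias` lines and the `spdadd` statements exactly as posted (the masked `xxxx:` prefixes are kept as opaque text, since they are not valid IPv6 addresses) and reports where the out policy's inner selectors are not oriented like the gif alias (local IPv4 address on the source side), where the out policy's outer endpoints are not local-to-remote in the gif's order, where the in policy is not the exact mirror of the out policy, and where the policy level is `use`. The last point is the security caveat: per setkey(8), `use` lets traffic that matches the policy leave in the clear when no SA exists, so a ping that succeeds says nothing about whether it was encrypted; `require` fails closed. `FIXED_SPD` is a constructed, hypothetical variant with the selectors swapped and level `require`, included only for contrast; whether that is what the first machine actually needs is not settled by the post.

```python
"""Added example: consistency check for a gif(4) tunnel protected by
tunnel-mode ESP, run over the ifconfig and setkey lines as posted."""
import ipaddress
import re
from dataclasses import dataclass

# spdadd <src> <dst> <upperspec> -P <dir> ipsec esp/tunnel/<tun_src>-<tun_dst>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-/]+)-([^/]+)/(require|use|default)\s*;"
)
TUNNEL_RE = re.compile(r"gif\d+\s+(?:ipv6\s+|inet6\s+)?tunnel\s+(\S+)\s+(\S+)")
ALIAS_RE = re.compile(r"gif\d+\s+(?:inet\s+)?alias\s+(\S+)\s+(\S+)")


@dataclass
class Gif:
    local6: str                     # outer endpoints kept as text: the post
    remote6: str                    # masks the prefix as "xxxx:"
    local4: ipaddress.IPv4Address   # inner addresses from "alias <local> <remote>"
    remote4: ipaddress.IPv4Address


@dataclass
class Policy:
    direction: str                  # "in" or "out"
    src: ipaddress.IPv4Network      # inner selectors
    dst: ipaddress.IPv4Network
    tun_src: str                    # outer ESP tunnel endpoints
    tun_dst: str
    level: str                      # require / use / default


def parse_gif(lines: list[str]) -> Gif:
    local6 = remote6 = local4 = remote4 = None
    for line in lines:
        if m := TUNNEL_RE.search(line):
            local6, remote6 = m.group(1).lower(), m.group(2).lower()
        if m := ALIAS_RE.search(line):
            local4, remote4 = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    if None in (local6, remote6, local4, remote4):
        raise ValueError("need both a 'tunnel' and an 'alias' line for the gif interface")
    return Gif(local6, remote6, local4, remote4)


def parse_policies(text: str) -> list[Policy]:
    return [Policy(m.group(3), ipaddress.ip_network(m.group(1), strict=False),
                   ipaddress.ip_network(m.group(2), strict=False),
                   m.group(4).lower(), m.group(5).lower(), m.group(6))
            for m in SPDADD_RE.finditer(text)]


def check(gif: Gif, policies: list[Policy]) -> list[str]:
    outs = [p for p in policies if p.direction == "out"]
    ins = [p for p in policies if p.direction == "in"]
    if len(outs) != 1 or len(ins) != 1:
        return [f"expected one in and one out policy, got {len(ins)} in / {len(outs)} out"]
    out, inp = outs[0], ins[0]
    findings = []
    # 1. Inner selectors of the out policy must follow the gif alias: the local
    #    IPv4 address on the source side, the remote one on the destination side.
    if gif.local4 not in out.src:
        findings.append(f"out src {out.src} does not contain gif local {gif.local4}")
    if gif.remote4 not in out.dst:
        findings.append(f"out dst {out.dst} does not contain gif remote {gif.remote4}")
    # 2. Outer endpoints of the out policy must be local->remote, like the gif tunnel.
    if (out.tun_src, out.tun_dst) != (gif.local6, gif.remote6):
        findings.append("out tunnel endpoints are not the gif tunnel's local->remote")
    # 3. The in policy must be the exact mirror of the out policy.
    if (inp.src, inp.dst, inp.tun_src, inp.tun_dst) != (out.dst, out.src, out.tun_dst, out.tun_src):
        findings.append("in policy is not the mirror of the out policy")
    # 4. Level "use" sends matching traffic in the clear when no SA exists (fails
    #    open); "require" refuses to send without an SA (fails closed).
    for p in (out, inp):
        if p.level == "use":
            findings.append(f"{p.direction} policy level is 'use' (fails open); prefer 'require'")
    return findings


def audit(gif_lines: list[str], spd_text: str) -> list[str]:
    return check(parse_gif(gif_lines), parse_policies(spd_text))


# Constructed input 1: the lines exactly as quoted in the post.
POSTED_GIF = [
    "ifconfig gif0 ipv6 tunnel xxxx:fc50:1001:5f00::86 xxxx:580:8f00:2c00::2093",
    "ifconfig gif0 alias 10.10.10.4 10.1.1.3",
]
POSTED_SPD = """
spdadd 10.1.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/use;
spdadd 10.10.10.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/use;
"""
# Constructed input 2 (hypothetical, for contrast only): inner selectors swapped
# to follow the gif alias, and level "require".
FIXED_SPD = """
spdadd 10.10.10.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/xxxx:fc50:1001:5f00::86-xxxx:580:8f00:2c00::2093/require;
spdadd 10.1.1.0/24 10.10.10.0/24 any -P in ipsec esp/tunnel/xxxx:580:8f00:2c00::2093-xxxx:fc50:1001:5f00::86/require;
"""

if __name__ == "__main__":
    for name, spd in (("posted", POSTED_SPD), ("fixed", FIXED_SPD)):
        print(f"{name}:", audit(POSTED_GIF, spd) or ["consistent"])
```

Run against the posted lines it reports two selector findings (the out policy's source selector is 10.1.1.0/24 while the gif's local alias is 10.10.10.4, and the destination selector is the reverse) and two level findings (both policies are `use`); the in policy is a correct mirror of the out policy and the outer endpoints match the gif tunnel. The same check against a second machine's configuration should be run with that machine's own gif lines, since the post says the other side is "exactly the reverse".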