Date: Sat, 21 May 2011 09:33:45 -0500
From: jhall@socket.net
To: freebsd-questions@freebsd.org
Subject: IPSec routing (long post)
Message-ID: <20110521143347.215E2106564A@hub.freebsd.org>
Ladies and Gentlemen,

First, please excuse this extremely long post. I have tried to include all of the information I thought was relevant, and may have included too much.

I have established an IPSec connection to our vendor using transport mode. However, I am having problems successfully routing the traffic. We are using a preshared key for authentication. The connection is successfully made. My vendor has verified they are able to see the connection up on their router, and I am able to see a successful connection when running racoon in the foreground.

I am running FBSD 8.1. My external IP address is 1.2.3.4 and the vendor's is 5.6.7.8. The default gateway on my system is 1.2.3.5. My internal IP address range is 192.168.1.0/24 and the vendor's is 192.168.2.0/24.

Following is what I have done/tried.

Following are my entries in racoon.conf. I have not changed any of the default settings for padding/spacing/etc.

    remote 5.6.7.8 {
            exchange_mode main,aggressive;
            doi ipsec_doi;
            situation identity_only;
            my_identifier address 1.2.3.4;
            proposal_check obey;    # obey, strict, or claim
            lifetime time 86400 secs;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 1.2.3.4/32 any address 192.168.2.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.2.0/24 any address 65.1117.48.155/32 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 1.2.3.4/32 any address 5.6.7.8 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.1.0/24 any address 5.6.7.8 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

The following entries are made using setkey.

    flush;
    spdflush;
    spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
    spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 1.2.3.4/32 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 192.168.1.0/24 5.6.7.8 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
    spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
    spdadd 192.168.2.0/24 1.2.3.4/32 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
    spdadd 5.6.7.8/32 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;

Using setkey -DP, all of the entries have been made. I see the following in the log, which indicates, to me anyway, that the proper policy has been applied.

    2011-05-21 10:10:29: DEBUG: suitable inbound SP found: 192.168.2.0/24[0] 1.2.3.4/32[0] proto=any dir=in.
    2011-05-21 10:10:29: DEBUG: new acquire 1.2.3.4/32[0] 192.168.2.0/24[0] proto=any dir=out
    2011-05-21 10:10:29: DEBUG: configuration found for 5.6.7.8.
    2011-05-21 10:10:29: DEBUG: getsainfo params: loc='1.2.3.4', rmt='192.168.2.0/24', peer='NULL', id=0
    2011-05-21 10:10:29: DEBUG: getsainfo pass #2
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='5.6.7.8', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '192.168.1.0/24'
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='1.2.3.4', rmt='5.6.7.8', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: check and compare ids : value mismatch (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: cmpid source: '5.6.7.8'
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='1.2.3.4', rmt='192.168.2.0/24', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_subnet)
    2011-05-21 10:10:29: DEBUG: cmpid target: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: cmpid source: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: selected sainfo: loc='1.2.3.4', rmt='192.168.2.0/24', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
    2011-05-21 10:10:29: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
    2011-05-21 10:10:29: DEBUG: in post_acquire

A traceroute from my FreeBSD box to the vendor's router shows the following.

    traceroute to 10.129.90.1 (10.129.90.1), 64 hops max, 52 byte packets
     1  65.117.48.153 (65.117.48.153)  0.355 ms  0.317 ms  0.280 ms
     2  localhost (127.0.0.1)  0.322 ms  0.203 ms  0.276 ms
     3  * * *
     4  * * *

My guess is that I have some type of error in my routing table, but I have no idea what I should be looking for. Following is the route table.

    # netstat -rn | more
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            1.2.3.5            UGS         5  1808102   bge1
    192.168.1.0/24     link#1             U           3  2089735   bge0
    10.129.10.40       link#1             UHS         1        0    lo0
    1.2.3.1/29         link#2             U           0        0   bge1
    1.2.3.4            link#2             UHS         0      103    lo0

Any suggestions would be greatly appreciated. Thank you in advance for your help.

Jay
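A small policy checker, added here as an example and not part of the original post: it parses setkey spdadd lines of the kind shown above (the sample below is constructed and modelled on them, not the poster's actual file) and reports two things worth checking in such a configuration: transport-mode policies whose selector is a subnet rather than the SA endpoints themselves (transport mode adds no outer IP header, so it can only protect packets the two SA endpoints send to each other; subnet-to-subnet traffic needs tunnel mode), and policies with no counterpart in the opposite direction. Selectors the ipaddress module rejects, such as a doubled slash, are reported instead of being dropped silently.

```python
import ipaddress
import re

# Constructed sample modelled on the setkey entries in the post (not the poster's file).
SPD_SAMPLE = """
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 5.6.7.8/32 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
spdadd 192.168.1.0//24 5.6.7.8 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
"""

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(?:esp|ah)/(tunnel|transport)/([\d.]+)-([\d.]+)/\w+\s*;")

def parse_spd(text):
    # Returns (policies, errors); a selector ipaddress rejects (e.g. '192.168.1.0//24')
    # is reported in errors rather than silently dropped.
    policies, errors = [], []
    for m in SPD_RE.finditer(text):
        src, dst, direction, mode, sa_src, sa_dst = m.groups()
        try:
            policies.append({"src": ipaddress.ip_network(src, strict=False),
                             "dst": ipaddress.ip_network(dst, strict=False),
                             "dir": direction, "mode": mode,
                             "sa_src": ipaddress.ip_address(sa_src),
                             "sa_dst": ipaddress.ip_address(sa_dst)})
        except ValueError as e:
            errors.append(f"{m.group(0).strip()}: {e}")
    return policies, errors

def audit(policies):
    findings = []
    for p in policies:
        if p["mode"] == "transport":
            # Transport mode has no outer header: the protected packet's own addresses
            # must be the SA endpoints, so subnets behind the gateways need tunnel mode.
            hosts_ok = (p["src"].prefixlen == 32 and p["dst"].prefixlen == 32
                        and p["src"].network_address == p["sa_src"]
                        and p["dst"].network_address == p["sa_dst"])
            if not hosts_ok:
                findings.append(f"{p['dir']} transport policy {p['src']} -> {p['dst']} cannot "
                                f"be carried by SA {p['sa_src']}-{p['sa_dst']}; use tunnel mode")
        # Every policy should have a counterpart with selector and SA endpoints swapped.
        mirrored = any(q["dir"] != p["dir"] and q["mode"] == p["mode"]
                       and q["src"] == p["dst"] and q["dst"] == p["src"]
                       and q["sa_src"] == p["sa_dst"] and q["sa_dst"] == p["sa_src"]
                       for q in policies)
        if not mirrored:
            findings.append(f"no reverse policy for {p['dir']} {p['src']} -> {p['dst']}")
    return findings
```

Running `parse_spd` on a real file's contents and printing `errors + audit(policies)` gives the report; a clean subnet-to-subnet configuration yields no findings only when both directions use tunnel mode.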