From: jhall@socket.net
To: freebsd-questions@freebsd.org
Date: Sat, 21 May 2011 09:33:45 -0500
Subject: IPSec routing (long post)
Message-Id: <20110521143347.215E2106564A@hub.freebsd.org>
Reply-To: jhall@socket.net
User-Agent: Socket WebMail

Ladies and Gentlemen,

First, please excuse this extremely long post. I have tried to include all of the information I thought was relevant, and may have included too much.

I have established an IPSec connection to our vendor using transport mode. However, I am having problems successfully routing the traffic. We are using a preshared key for authentication. The connection is successfully made. My vendor has verified they are able to see the connection up on their router, and I am able to see a successful connection when running racoon in the foreground.

I am running FBSD 8.1. My external IP address is 1.2.3.4 and the vendor's is 5.6.7.8. The default gateway on my system is 1.2.3.5.
My internal IP address range is 192.168.1.0/24 and the vendor's is 192.168.2.0/24. Following is what I have done/tried.

Following are my entries in racoon.conf. I have not changed any of the default settings for padding/spacing/etc.

    remote 5.6.7.8 {
            exchange_mode main,aggressive;
            doi ipsec_doi;
            situation identity_only;
            my_identifier address 1.2.3.4;
            proposal_check obey;    # obey, strict, or claim
            lifetime time 86400 secs;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

    sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 1.2.3.4/32 any address 192.168.2.0/24 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.2.0/24 any address 1.2.3.4/32 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 1.2.3.4/32 any address 5.6.7.8 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.168.1.0/24 any address 5.6.7.8 any {
            pfs_group 2;
            encryption_algorithm 3des;
            lifetime time 3600 secs;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

The following entries are made using setkey.

    flush;
    spdflush;

    spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
    spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 1.2.3.4/32 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 192.168.1.0/24 5.6.7.8 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;

    spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
    spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
    spdadd 192.168.2.0/24 1.2.3.4/32 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
    spdadd 5.6.7.8/32 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;

Using setkey -DP, all of the entries have been made. I see the following in the log, which indicates, to me anyway, that the proper policy has been applied.

    2011-05-21 10:10:29: DEBUG: suitable inbound SP found: 192.168.2.0/24[0] 1.2.3.4/32[0] proto=any dir=in.
    2011-05-21 10:10:29: DEBUG: new acquire 1.2.3.4/32[0] 192.168.2.0/24[0] proto=any dir=out
    2011-05-21 10:10:29: DEBUG: configuration found for 5.6.7.8.
    2011-05-21 10:10:29: DEBUG: getsainfo params: loc='1.2.3.4', rmt='192.168.2.0/24', peer='NULL', id=0
    2011-05-21 10:10:29: DEBUG: getsainfo pass #2
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt='5.6.7.8', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '192.168.1.0/24'
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='1.2.3.4', rmt='5.6.7.8', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: check and compare ids : value mismatch (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: cmpid source: '5.6.7.8'
    2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='1.2.3.4', rmt='192.168.2.0/24', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_address)
    2011-05-21 10:10:29: DEBUG: cmpid target: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: cmpid source: '1.2.3.4'
    2011-05-21 10:10:29: DEBUG: check and compare ids : values matched (IPv4_subnet)
    2011-05-21 10:10:29: DEBUG: cmpid target: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: cmpid source: '192.168.2.0/24'
    2011-05-21 10:10:29: DEBUG: selected sainfo: loc='1.2.3.4', rmt='192.168.2.0/24', peer='ANY', id=0
    2011-05-21 10:10:29: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
    2011-05-21 10:10:29: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
    2011-05-21 10:10:29: DEBUG: in post_acquire

A traceroute from my FreeBSD box to the vendor's router shows the following.
    traceroute to 10.129.90.1 (10.129.90.1), 64 hops max, 52 byte packets
     1  65.117.48.153 (65.117.48.153)  0.355 ms  0.317 ms  0.280 ms
     2  localhost (127.0.0.1)  0.322 ms  0.203 ms  0.276 ms
     3  * * *
     4  * * *

My guess is that I have some type of error in my routing table, but I have no idea what I should be looking for. Following is the route table.

    # netstat -rn | more
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            1.2.3.5            UGS         5  1808102   bge1
    192.168.1.0/24     link#1             U           3  2089735   bge0
    10.129.10.40       link#1             UHS         1        0    lo0
    1.2.3.1/29         link#2             U           0        0   bge1
    1.2.3.4            link#2             UHS         0      103    lo0

Any suggestions would be greatly appreciated.

Thank you in advance for your help.

Jay
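A check worth running against an SPD like the one above, added here as an example and not part of Jay's post or of any FreeBSD tool: an ESP transport-mode SA only protects packets whose own source and destination addresses are the two SA endpoints (here 1.2.3.4 and 5.6.7.8), so a selector such as 192.168.1.0/24 -> 192.168.2.0/24 can never be carried by esp/transport/1.2.3.4-5.6.7.8; traffic between two private subnets through two gateways is what tunnel mode exists for, and the racoon log's "encmode=Transport" for the 1.2.3.4 -> 192.168.2.0/24 acquire is consistent with that. The script below parses setkey(8) spdadd lines, flags transport-mode policies whose selector is not exactly the endpoint pair, flags tunnel-mode policies whose local endpoint is on the wrong side for their direction, rejects malformed addresses such as the "//24" typo, and can rewrite a transport policy into its tunnel-mode form. The sample SPD is constructed for the example (modelled on the post, not copied from it); that the vendor side will accept tunnel mode is an assumption to confirm with them.

```python
"""Lint setkey(8) SPD policies for mode/selector mismatches (added example).

Transport mode can only protect traffic whose source and destination are the
SA endpoints themselves; subnet-to-subnet selectors need tunnel mode.
"""
import ipaddress
import re
from typing import List, Tuple

# spdadd SRC DST PROTO -P in|out ipsec esp|ah|ipcomp/MODE[/EP_SRC-EP_DST]/LEVEL;
SPD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<ipproto>esp|ah|ipcomp)/(?P<mode>transport|tunnel)"
    r"(?:/(?P<ep_src>[^-/\s]+)-(?P<ep_dst>[^/\s]+))?/(?P<level>\w+)\s*;"
)


def _net(addr: str):
    """Parse a setkey address; a bare address means a single host, as in setkey."""
    if "/" not in addr:
        addr += "/32"
    return ipaddress.ip_network(addr, strict=False)  # raises ValueError on junk


def check_policy(line: str, local: str) -> Tuple[str, str]:
    """Return ("ok" | "error", reason) for one spdadd line; `local` is our own endpoint."""
    m = SPD_RE.match(line)
    if not m:
        return "error", "unparsable spdadd line"
    try:
        src, dst = _net(m["src"]), _net(m["dst"])
    except ValueError as exc:
        return "error", f"malformed selector address: {exc}"
    ep_src, ep_dst, mode, direction = m["ep_src"], m["ep_dst"], m["mode"], m["dir"]
    if mode == "transport":
        if ep_src is None:
            return "ok", "transport mode, endpoints taken from the packet itself"
        if src != _net(ep_src) or dst != _net(ep_dst):
            return "error", (f"transport mode cannot carry {src} -> {dst}: the SA endpoints "
                             f"are {ep_src}-{ep_dst}; use esp/tunnel/{ep_src}-{ep_dst}")
        return "ok", "transport selector matches the SA endpoints"
    if ep_src is None:
        return "error", "tunnel mode requires explicit outer endpoints"
    # Outbound tunnels start at our address, inbound tunnels end at it.
    ours = ep_src if direction == "out" else ep_dst
    if ours != local:
        return "error", f"{direction} policy has local endpoint {ours}, expected {local}"
    return "ok", "tunnel mode with endpoints in the right order"


def to_tunnel(line: str) -> str:
    """Rewrite a transport-mode policy into tunnel mode with the same endpoints."""
    return re.sub(r"/transport/", "/tunnel/", line, count=1)


def lint(spd_text: str, local: str) -> List[Tuple[str, str, str]]:
    """Check every spdadd line of a setkey file; returns (line, status, reason)."""
    findings = []
    for raw in spd_text.splitlines():
        line = raw.strip()
        if line.startswith("spdadd"):
            findings.append((line, *check_policy(line, local)))
    return findings


# Constructed sample SPD, modelled on the post (not copied from it).
SAMPLE_SPD = """\
flush;
spdflush;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 192.168.2.0//24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
"""

if __name__ == "__main__":
    for line, status, reason in lint(SAMPLE_SPD, local="1.2.3.4"):
        print(f"{status:5} {reason}\n      {line}")
```

Run it over the real file with `lint(open("/etc/ipsec.conf").read(), local="1.2.3.4")`; every subnet policy it flags is one to convert with to_tunnel() on both the out and the mirrored in entry, and the peer's side has to be converted to tunnel mode as well or phase 2 will still not agree.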