From owner-freebsd-questions@freebsd.org Mon Jan 25 00:15:11 2016
Date: Mon, 25 Jan 2016 01:15:09 +0100
Subject: StrongSwan+FreeBSD 10.2+FreeBSD 11+enc0 does not work
From: Max Id
To: freebsd-questions@freebsd.org
List-Id: User questions

Good day,

I've set up a FreeBSD-based VPN server using the StrongSwan daemon (IKEv2). I can connect to this VPN server from a Windows 8.1 box or a BlackBerry Passport (IKEv2), and everything works perfectly: I have access to both the Internet behind the VPN server and the VPN server's resources, such as DLNA.

Now I am trying to set up a FreeBSD-based client using the StrongSwan daemon as well, but the tunnel does not seem to be working.

Setup:
Client (releng/10.2, bfe0 192.168.1.132, enc0)
Server (current/11, em0 192.168.11.1, em1 96.200.XX.XX, enc0)

The firewalls on both boxes are 100% disabled (pfctl -d), so they do not interfere. I set up IKEv2 authentication based on certificates, similarly to the Windows and BlackBerry clients. The server is configured to assign VPN clients virtual addresses from the pool 10.0.11.0/28.

I then bring up the VPN client on the client box. A new interface, tun0, is created and assigned the address 10.0.11.1, which is perfectly correct. The StrongSwan daemons on both boxes say the VPN SA connection is successfully established. The command netstat -rn on the server shows a new entry for 10.0.11.1, which is also correct (the same was true for BlackBerry and Windows).
I perform a few tests to check whether the tunnel is actually working. All the tests are performed on the enc0 interface, which should inherit all IPsec traffic. The sysctl parameters for the enc0 interface are set according to the manual, to peel off the outer UDP packet header.

Test 1. I run the following command on the client: ping 192.168.11.1, which should ping the server's internal interface.
tcpdump -i enc0 on the client shows a non-decapsulated ICMP request followed by a decapsulated ICMP request.
tcpdump -i enc0 on the server shows a non-decapsulated ICMP request only. Replies are not shown.

Test 2. I run the following command on the server: ping 10.0.11.1, which should ping the client's virtual VPN address.
tcpdump -i enc0 on the client shows a non-decapsulated ICMP request, a non-decapsulated ICMP reply and also a decapsulated ICMP reply.
tcpdump -i enc0 on the server shows a non-decapsulated ICMP request, a non-decapsulated ICMP reply and also a decapsulated ICMP request.

In any case, on either box, the ping utility reports 100% packet loss.

I am wondering if it is a bug in the kernel, or in StrongSwan, or a wrong setup. It seems like there are some problems with decapsulation, because in most cases I do not see the decapsulated packet.

Any response will be really appreciated.

Thanks,
Max.
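An added example, not part of the original post and not strongSwan's or FreeBSD's own code: a small diagnostic script to run as root on both boxes when chasing a problem like the one above. It assumes FreeBSD with the enc(4) sysctls named in the enc(4) manual page (net.enc.in/out.ipsec_bpf_mask and ipsec_filter_mask, where bit 0x1 means "before IPsec processing" and bit 0x2 means "after"), setkey(8) from the base system, tcpdump in the base system, and the interface names from the post (em1 on the server, bfe0 on the client). The /tmp file names are arbitrary. It collects the three things a reviewer of this thread would ask for next: how the enc0 masks are actually set, what SAs and SPD entries the kernel holds, and a side-by-side capture of the outer (ESP or UDP/4500) and enc0 views for one test ping.

```shell
#!/bin/sh
# enc-diag.sh: collect IPsec/enc(4) diagnostics on FreeBSD (added example,
# not from the original post). Assumes enc(4), setkey(8) and tcpdump(1).

# Decode an enc(4) mask value as printed by "sysctl -n".
# Bit 0x1 = packet is passed to bpf/pf BEFORE IPsec processing,
# bit 0x2 = AFTER processing. For inbound traffic "after" is the
# decapsulated plaintext packet; for outbound traffic "after" is the
# encrypted ESP packet. Returns "before", "after", "before,after" or "none".
decode_enc_mask() {
    m=$(( $1 ))
    out=""
    [ $(( m & 1 )) -ne 0 ] && out="before"
    [ $(( m & 2 )) -ne 0 ] && out="${out:+$out,}after"
    echo "${out:-none}"
}

# Print each enc(4) sysctl with its decoded meaning. To see decapsulated
# inbound packets on enc0, net.enc.in.ipsec_bpf_mask must include bit 0x2.
show_enc_sysctls() {
    for oid in net.enc.in.ipsec_bpf_mask net.enc.in.ipsec_filter_mask \
               net.enc.out.ipsec_bpf_mask net.enc.out.ipsec_filter_mask; do
        v=$(sysctl -n "$oid")
        printf '%-32s %s (%s)\n' "$oid" "$v" "$(decode_enc_mask "$v")"
    done
}

# Kernel view of the tunnel: there should be one SA per direction, SPD
# entries covering the virtual address and the inner network, and a route
# for the peer's virtual address. A missing inbound SA or SP on one side
# means the kernel drops the packet after (or instead of) decapsulating it.
show_ipsec_state() {
    echo "== security associations (setkey -D) ==";  setkey -D
    echo "== security policies (setkey -DP) ==";     setkey -DP
    echo "== inet routes (netstat -rn) ==";          netstat -rn -f inet
}

# Capture the outer and the enc0 view of one test ping, then print both.
# $1 = address to ping (e.g. 192.168.11.1 from the client)
# $2 = external interface carrying ESP (em1 on the server, bfe0 on the client)
capture_test() {
    tcpdump -ni "$2" -c 20 -w /tmp/outer.pcap 'esp or udp port 4500' 2>/dev/null &
    outer=$!
    tcpdump -ni enc0 -c 20 -w /tmp/enc0.pcap 2>/dev/null &
    inner=$!
    sleep 1
    ping -c 3 "$1" || true          # 100% loss is the symptom, not an error here
    sleep 2
    kill "$outer" "$inner" 2>/dev/null
    wait 2>/dev/null
    echo "== outer view on $2 (ESP or NAT-T UDP/4500) =="
    tcpdump -nr /tmp/outer.pcap
    echo "== enc0 view (-v shows the IPsec SPI for processed packets) =="
    tcpdump -nvr /tmp/enc0.pcap
}

# Dispatch only when invoked with a subcommand; with no argument the script
# just defines the functions (so it can be sourced or tested).
case "${1:-}" in
    sysctls) show_enc_sysctls ;;
    state)   show_ipsec_state ;;
    test)    capture_test "$2" "$3" ;;
    *)       : ;;
esac
```

Usage: `sh enc-diag.sh sysctls` and `sh enc-diag.sh state` on each box, then `sh enc-diag.sh test 192.168.11.1 bfe0` on the client while watching the server with `sh enc-diag.sh test 10.0.11.1 em1`. Comparing the outer capture with the enc0 capture separates "ESP never reached the other side" from "ESP arrived but the kernel dropped it after processing", which the enc0 view alone cannot tell apart; the SA and SPD dumps show whether the kernel even has a matching inbound SA and policy for the address the ping targets.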