From: Robert Johannes
To: Tom Judge
Cc: freebsd-security@freebsd.org
Date: Mon, 26 Mar 2007 13:07:16 -0500 (CDT)
Subject: Re: freebsd vpn server behind nat dsl router
In-Reply-To: <45F8B01A.50106@tomjudge.com>
References: <20070307170617.GA2799@zen.inc> <20070307212442.GA1384@jayce.zen.inc> <45F8B01A.50106@tomjudge.com>

On Thu, 15 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>>
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>>
>> Ok, I have done quite a bit of work since my last email, but I still don't
>> see visible progress. I did rebuild world and the kernel with the NAT-T
>> patches/support that you recommended. I have been playing around with
>> ipsec etc.
>>
>> I have created an esp tunnel between my two sites, and I am sending some
>> ping traffic to the remote end, but the packets don't seem to get through.
>> Here's a snippet of what I see on tcpdump:
>>
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, \
>> length 64 (ipip-proto-4)
>
> Firstly have you set your DSL routers up to NAT the ipencap protocol back to
> your FreeBSD box? (IPencap is an IP payload protocol, not a TCP or UDP
> payload, so you will probably need a pretty advanced router to do this). The
> packets you see here are not protected by IPSEC, they are just plain old
> IPENCAP packets. If they were IPSEC packets I would expect to see ESP as
> the protocol and not see the encapsulated packet header. (Again, when you get
> IPSEC working you are going to need to NAT these packets to your FreeBSD
> boxes.)

You are right that the DSL routers I have can't NAT the ipencap protocol (or
perhaps I just don't know how to configure them to). I have configured them to
do port forwarding of port 4500 (NAT-T) to the FreeBSD VPN servers, and that
works because I can do a tcpdump on that port and see traffic coming in from
the internet, by simply telnetting to that port.

So, I don't have ipsec working. How do I debug ipsec to see where I am failing?

>> From what I can tell, the kernel knows that it is to send the ping request
>> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135
>> and 201.240.165.191. But, there's no request from the other end. Doing a
>> tcpdump on the other side (192.168.0.254), nothing is coming in. I have
>> also done a ping from the latter machine to the former, but with exactly
>> the same problem. Nothing seems to get to the other end.
>>
>> The tunnel is not using racoon yet. I figure that I should be able to see
>> some traffic going back and forth before I use racoon to manage keys. The
>> tunnel was created by the following lines on one host, and reversed on the
>> other:
>>
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>>
>> If anyone can shed some more light on this, I would appreciate it.
>>
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong but your tunnel seems to be an IP protocol 4 payload
> which is ipencap (see /etc/protocols).
>
> Hope this helps.

Yes, this helps me know where I am at. I don't have ipsec working, just
plain-old ipencap, which is what I am trying to bypass to begin with because my
routers can't handle NATing ipencap. So, in order to get ipsec and NAT-T
working (I did all the patch work to get NAT-T support), is it not enough to
have the above entries in /etc/ipsec.conf? What else do I need to do? Must I
configure racoon as well, otherwise ipsec doesn't work? And if I do get ipsec
working, how do I know, because I have not seen any log entries related to
ipsec, except for the ones at bootup:

WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
IPsec: Initialized Security Association Processing.

Thanks for your responses.

robert

> Tom
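The thread's diagnostic point is that the captured packets are plain IP-in-IP (ipip-proto-4), not ESP, and that behind a NAT box the working form is ESP inside UDP/4500 (NAT-T). The script below is an added example, not from anyone in the thread: it classifies tcpdump lines so you can tell from a capture which of those three cases you are actually seeing. The capture sample is constructed; the first two lines are the ones from the thread, the ESP, NAT-T and IKE lines (SPI values, ports) are invented.

```shell
#!/bin/sh
# Added example (not from the thread): classify tcpdump lines to tell whether
# tunnel traffic is actually protected by ESP, is ESP-in-UDP (NAT-T), or is
# still plain IPencap that the DSL routers cannot forward.

# classify_line LINE -> prints one of:
#   ipencap-unprotected  : raw IP-in-IP (protocol 4), no IPsec applied
#   esp-raw              : ESP (protocol 50), will not pass most consumer NAT
#   esp-natt             : ESP in UDP/4500 (NAT-T), what the port forward carries
#   ike                  : IKE negotiation on UDP/500 (racoon), not data traffic
#   other                : anything else
classify_line() {
    # Order matters: the NAT-T line also contains ": ESP(".
    case "$1" in
        *"(ipip-proto-4)"*)   echo ipencap-unprotected ;;
        *"UDP-encap: ESP("*)  echo esp-natt ;;
        *": ESP("*)           echo esp-raw ;;
        *": isakmp:"*)        echo ike ;;
        *)                    echo other ;;
    esac
}

# classify_capture reads tcpdump lines on stdin, prints a count per class.
classify_capture() {
    while IFS= read -r line; do
        classify_line "$line"
    done | sort | uniq -c
}

# Constructed sample capture: lines 1-2 are from the thread, the rest invented.
SAMPLE_CAPTURE='14:06:53.594241 IP 190.41.95.135 > 201.240.165.191: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)
14:06:54.595071 IP 190.41.95.135 > 201.240.165.191: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, length 64 (ipip-proto-4)
14:07:01.000000 IP 190.41.95.135.500 > 201.240.165.191.500: isakmp: phase 1 I ident
14:07:02.000000 IP 190.41.95.135.4500 > 201.240.165.191.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
14:07:03.000000 IP 190.41.95.135 > 201.240.165.191: ESP(spi=0x0a1b2c3d,seq=0x2), length 116'

# Usage: printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
# (or pipe a live capture: tcpdump -ni <ext_if> | classify_capture)
```

If a capture on the outside interface shows only ipencap-unprotected while the SPD claims esp/tunnel, the policy is not matching the traffic; if it shows esp-raw with no esp-natt, the kernel is not applying UDP encapsulation and the packets will not make it through the port forward.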