From: Max Laier <max@love2party.net>
To: freebsd-net@freebsd.org
Cc: fwun@bigpond.net.au
Date: Tue, 3 Oct 2006 03:36:33 +0200
Subject: Re: IPSEC & PF - Please help
Message-Id: <200610030336.38754.max@love2party.net>
In-Reply-To: <128414.1159832453736.JavaMail.root@web07ps>
List-Id: Networking and TCP/IP with FreeBSD
On Tuesday 03 October 2006 01:40, fwun@bigpond.net.au wrote:
> Here is the article I read about patch for PF:
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html
> Where can I find an official release of this patch for freebsd 6.1?
> The FreeBSD 6.1-stable I'm using is dated in early August.

enc(4) was MFCed to RELENG_6 "Mon Jul 24 23:20:58 2006 UTC (2 months, 1
week ago)." If you move to RELENG_6 or the upcoming BETA build you should
get it with no patching. If you need it in 6.1 you'd have to backport it
yourself, but this should be more or less the same patch as the MFC.

> ---- fwun@bigpond.net.au wrote:
> > Hi,
> >
> > I am having trouble setting up IPSEC with a remote office. I
> > desperately need help to sort out the problem. Here is the
> > description of this little network:
> >
> > My Office (with Cable Internet, sis0 is the public interface):
> > sis0: flags=8843 mtu 1500
> >         options=8
> >         inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
> >         inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
> >         ether 00:0d:b9:03:e2:2c
> >         media: Ethernet autoselect (100baseTX )
> >         status: active
> > sis1: flags=8843 mtu 1500
> >         options=8
> >         inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
> >         ether 00:0d:b9:03:e2:2d
> >         media: Ethernet autoselect (100baseTX )
> >         status: active
> > lo0: flags=8049 mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.1 netmask 0xffffff00
> > pflog0: flags=41 mtu 33208
> > pfsync0: flags=41 mtu 2020
> > gif102: flags=8051 mtu 1280
> >         tunnel inet 60.225.5.1 --> 203.33.16.32
> >         inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
> >         inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid 0x7
> >
> > Ric's Office (with ADSL broadband):
> > sis0: flags=8843 mtu 1500
> >         options=8
> >         inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
> >         ether 00:0d:b9:03:eb:40
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> > sis1: flags=8843 mtu 1500
> >         options=8
> >         inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
> >         ether 00:0d:b9:03:eb:41
> >         media: Ethernet autoselect (100baseTX )
> >         status: active
> > lo0: flags=8049 mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.100 netmask 0xffffff00
> > pflog0: flags=41 mtu 33208
> > pfsync0: flags=41 mtu 2020
> > tun0: flags=8051 mtu 1492
> >         inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
> >         Opened by PID 362
> >
> > # Script for establishing IPSEC at My Office:
> > /sbin/ifconfig lo0 inet 10.1.1.1/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Ric office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
> > /sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
> > /sbin/route delete 10.1.100.1/24
> > /sbin/route delete 172.17.100.0/24
> > /sbin/route add 10.1.100.1/24 10.1.1.100
> > /sbin/route add 172.17.100.0/24 10.1.1.100
> >
> > setkey -c << EOF
> >
> > Firewall rule at My (Sam)'s office:
> > # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on sis0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on sis0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on sis0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on sis0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to any
> > pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass out quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at My (Sam)'s office:
> > # netstat -rn | less
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            60.225.5.111       UGS         0    55131   sis0
> > 10                 link#2             UC          0        1   sis1
> > 10.1.1.1           10.1.1.1           UH          0        0    lo0
> > 10.1.100/24        10.1.1.100         UGS         0        7 gif102
> > 60.225.5/22        link#1             UC          0        0   sis0
> > 60.225.5.111       00:0f:35:45:78:70  UHLW        2        0   sis0   1200
> > 127.0.0.1          127.0.0.1          UH          0      541    lo0
> > 172.17.4/24        link#3             UC          0        0   ath0
> > 172.17.100/24      10.1.1.100         UGS         0        0 gif102
> > 192.168.0          link#2             UC          0        0   sis1
> >
> > # Tunnel to Ric office
> > spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc
> >     0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B
> >     -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc
> >     0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B
> >     -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> > # Script for establishing IPSEC at Ric's office:
> > /sbin/ifconfig lo0 inet 10.1.1.100/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Sam Office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
> > /sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
> > /sbin/route delete 10.1.1.1/24
> > /sbin/route delete 172.17.4.0/24
> > /sbin/route add 10.1.1.1/24 10.1.1.1
> > /sbin/route add 172.17.4.0/24 10.1.1.1
> >
> > setkey -c << EOF
> >
> > # Tunnel to Sam office
> > spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc
> >     0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B
> >     -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc
> >     0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B
> >     -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> >
> > EOF
> >
> > Firewall rule at Ric's office:
> > # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on tun0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on tun0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on tun0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on tun0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on tun0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass out quick on tun0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
> > pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at Ric's office:
> > # netstat -rn
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            203.17.101.81      UGS         0  2005455   tun0
> > 10.1.1/24          10.1.1.1           UGS         0        0 gif102
> > 10.1.1.1           10.1.1.100         UH        972     1015 gif102
> > 10.1.1.100         10.1.1.100         UH          0       16    lo0
> > 10.1.100/24        link#2             UC          0        0   sis1
> > 10.1.100.1         00:0d:b9:03:eb:41  UHLW        1       10    lo0
> > 127.0.0.1          127.0.0.1          UH          0     3335    lo0
> > 172.17.4/24        10.1.1.1           UGS         0      586 gif102
> > 192.168.0          link#2             UC          0        1   sis1
> > 192.168.0.198      00:0d:60:ff:b7:1f  UHLW        1  1141717   sis1    818
> > 192.168.0.200      00:14:22:fd:cc:8f  UHLW        1     9945   sis1
> > 203.17.10.8        203.33.16.32       UH          1        0   tun0
> >
> > The problem is My (Sam) office can ping 10.1.100.1 at Ric's office,
> > but I still can't ping his other IP 10.1.1.100 (assigned to his
> > loopback lo interface). Ric's office can't ping me (Sam) 10.1.1.1 or
> > 10.1.10.1 at all. Tcpdump showed that the PF firewall blocked the
> > incoming packet from 10.1.1/24, then I made a "pass" rule to let it
> > through. But Ric still can't ping 10.1.1.1 and 10.1.10.1.
> >
> > And I read the following article from the PF mailing list; it might be
> > an issue in PF. Can anyone please shed some light on this for me? I
> > desperately want to get this working.
> >
> > Thanks
> > S

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
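As an added check, not code from the thread or from FreeBSD, a small Python lint over `pfctl -sr` output for the tunnel endpoints quoted above: it reports whether any pass rule could match ESP in each direction on the public interface (with source and destination as the packet actually carries them) and whether enc0, the enc(4) interface the reply refers to, has a rule at all. Rule order and `quick` are not modelled; the sample rulesets are constructed from the lines quoted in the thread, and the enc0 rule in the fixed variant is an assumption about the intended setup.

```python
# Lint pfctl -sr output for an IPsec tunnel: can a pass rule match ESP in each
# direction on the public interface, and is there a rule on enc0 (enc(4))?
import re
from ipaddress import ip_address, ip_network

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)?(?: (?P<dir>in|out))?(?: log)?(?: quick)?"
    r"(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r"(?: all| from (?P<src>\S+) to (?P<dst>\S+))?(?: port = (?P<port>\S+))?"
)

def parse_rules(text):
    # One dict per rule line; fields a rule omits are None, i.e. wildcards.
    matches = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def _field_ok(rule_val, want):
    if rule_val in (None, "any"):           # wildcard matches anything
        return True
    try:                                    # address fields: compare as networks
        return ip_address(want) in ip_network(rule_val, strict=False)
    except ValueError:                      # iface, proto, dir, port: exact match
        return rule_val == want

def lint_tunnel(text, iface, local, remote):
    # Findings for the tunnel local<->remote on the public interface iface.
    rules = [r for r in parse_rules(text) if r["action"] == "pass"]
    flows = {
        "inbound ESP": dict(dir="in", iface=iface, proto="esp", src=remote, dst=local),
        "outbound ESP": dict(dir="out", iface=iface, proto="esp", src=local, dst=remote),
    }
    findings = []
    for name, want in flows.items():
        if not any(all(_field_ok(r[k], v) for k, v in want.items()) for r in rules):
            findings.append(f"no pass rule matches {name} {want['src']} -> {want['dst']}")
    if not any(r["iface"] == "enc0" for r in rules):
        findings.append("no pass rule on enc0; decapsulated packets need one with enc(4)")
    return findings

# Constructed sample: the ESP lines quoted in the thread for the 60.225.5.1
# side, plus the default block and catch-all outbound rule that precede them.
SAM_RULES = """\
block drop in log all
pass out quick on sis0 all keep state
pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
pass quick on gif102 all
"""
# Same ruleset with the inbound rule naming the peer as source, plus an enc0 rule.
FIXED_RULES = SAM_RULES.replace(
    "esp from 60.225.5.1 to 203.33.16.32", "esp from 203.33.16.32 to 60.225.5.1", 1
) + "pass quick on enc0 all\n"
```

On the sample as posted it reports that no pass rule could match ESP arriving from 203.33.16.32 and that there is no enc0 rule; the fixed variant returns no findings.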