Date:      Tue, 3 Oct 2006 03:36:33 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org
Cc:        fwun@bigpond.net.au
Subject:   Re: IPSEC & PF - Please help
Message-ID:  <200610030336.38754.max@love2party.net>
In-Reply-To: <128414.1159832453736.JavaMail.root@web07ps>
References:  <128414.1159832453736.JavaMail.root@web07ps>

On Tuesday 03 October 2006 01:40, fwun@bigpond.net.au wrote:
> Here is the article I read about patch for PF:
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html
> Where can I find an official release of this patch for freebsd 6.1?
> the FreeBSD 6.1-stable I'm using is dated in early August.

enc(4) was MFCed to RELENG_6 "Mon Jul 24 23:20:58 2006 UTC (2 months, 1
week ago)."  If you move to RELENG_6 or the upcoming BETA build you should
get it with no patching.  If you need it in 6.1 you'd have to backport it
yourself, but this should be more or less the same patch as the MFC.

> ---- fwun@bigpond.net.au wrote:
> > Hi,
> >
> > I am having trouble in setting up IPSEC with a remote office. I
> > desperately need help to sort out the problem. Here is the
> > description of this little network:
> >
> > My Office (with Cable Internet, sis0 is the public interface):
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
> >         inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
> >         ether 00:0d:b9:03:e2:2c
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
> >         ether 00:0d:b9:03:e2:2d
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.1 netmask 0xffffff00
> > pflog0: flags=41<UP,RUNNING> mtu 33208
> > pfsync0: flags=41<UP,RUNNING> mtu 2020
> > gif102: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >         tunnel inet 60.225.5.1 --> 203.33.16.32
> >         inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
> >         inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid
> > 0x7
> >
> > Ric's Office (with ADSL broadband):
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
> >         ether 00:0d:b9:03:eb:40
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> > sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
> >         ether 00:0d:b9:03:eb:41
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.100 netmask 0xffffff00
> > pflog0: flags=41<UP,RUNNING> mtu 33208
> > pfsync0: flags=41<UP,RUNNING> mtu 2020
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> >         inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
> >         Opened by PID 362
> >
> > # Script for establishing IPSEC at My Office:
> > /sbin/ifconfig lo0 inet 10.1.1.1/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Ric office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
> > /sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
> > /sbin/route delete 10.1.100.1/24
> > /sbin/route delete 172.17.100.0/24
> > /sbin/route add 10.1.100.1/24 10.1.1.100
> > /sbin/route add 172.17.100.0/24 10.1.1.100
> >
> > setkey -c << EOF
> >
> > Firewall rules at My (Sam)'s office:
> > # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on sis0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on sis0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on sis0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on sis0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to any
> > pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass out quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at My (Sam)'s office:
> > # netstat -rn | less
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            60.225.5.111       UGS         0    55131   sis0
> > 10                 link#2             UC          0        1   sis1
> > 10.1.1.1           10.1.1.1           UH          0        0    lo0
> > 10.1.100/24        10.1.1.100         UGS         0        7 gif102
> > 60.225.5/22        link#1             UC          0        0   sis0
> > 60.225.5.111       00:0f:35:45:78:70  UHLW        2        0   sis0   1200
> > 127.0.0.1          127.0.0.1          UH          0      541    lo0
> > 172.17.4/24        link#3             UC          0        0   ath0
> > 172.17.100/24      10.1.1.100         UGS         0        0 gif102
> > 192.168.0          link#2             UC          0        0   sis1
> >
> > # Tunnel to Ric office
> > spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> > # Script for establishing IPSEC at Ric's office:
> > /sbin/ifconfig lo0 inet 10.1.1.100/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Sam Office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
> > /sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
> > /sbin/route delete 10.1.1.1/24
> > /sbin/route delete 172.17.4.0/24
> > /sbin/route add 10.1.1.1/24 10.1.1.1
> > /sbin/route add 172.17.4.0/24 10.1.1.1
> >
> > setkey -c << EOF
> >
> > # Tunnel to Sam office
> > spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> >
> > EOF
> >
> > Firewall rules at Ric's office:
> > # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on tun0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on tun0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on tun0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on tun0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on tun0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass out quick on tun0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
> > pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at Ric's office:
> > # netstat -rn
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            203.17.101.81      UGS         0  2005455   tun0
> > 10.1.1/24          10.1.1.1           UGS         0        0 gif102
> > 10.1.1.1           10.1.1.100         UH        972     1015 gif102
> > 10.1.1.100         10.1.1.100         UH          0       16    lo0
> > 10.1.100/24        link#2             UC          0        0   sis1
> > 10.1.100.1         00:0d:b9:03:eb:41  UHLW        1       10    lo0
> > 127.0.0.1          127.0.0.1          UH          0     3335    lo0
> > 172.17.4/24        10.1.1.1           UGS         0      586 gif102
> > 192.168.0          link#2             UC          0        1   sis1
> > 192.168.0.198      00:0d:60:ff:b7:1f  UHLW        1  1141717   sis1    818
> > 192.168.0.200      00:14:22:fd:cc:8f  UHLW        1     9945   sis1
> > 203.17.10.8        203.33.16.32       UH          1        0   tun0
> >
> > The problem is that my (Sam) office can ping 10.1.100.1 at Ric's office,
> > but I still can't ping his other IP 10.1.1.100 (assigned to his
> > loopback lo interface). Ric's office can't ping me (Sam) at 10.1.1.1 or
> > 10.1.10.1 at all. Tcpdump showed that the PF firewall blocked the
> > incoming packets from 10.1.1/24, so I made a "pass" rule to let them
> > through. But Ric still can't ping 10.1.1.1 and 10.1.10.1.
> >
> > And I read the following article from the PF mailing list; it might be an
> > issue in PF. Can anyone please shed some light on this for me? I desperately
> > want to get this working.
> >
> > Thanks
> > S
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
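An added example, not part of Max's reply or the original post: a small Python check that parses manually keyed setkey scripts like the two quoted above, from both ends of the tunnel, and reports SAs or SPD policies that do not mirror each other (the usual silent failure with manual keying). The sample scripts below are constructed; the keys are placeholders, not the values posted in the thread.

```python
import re

# Constructed sample input modelled on the quoted setkey scripts. The keys are
# placeholders (0xcd..., 0xab...), not the keys posted in the thread.
EKEY = "0x" + "cd" * 16   # 128-bit blowfish-cbc key (constructed)
AKEY = "0x" + "ab" * 20   # 160-bit hmac-sha1 key (constructed)
SAS = (f"add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc {EKEY} -A hmac-sha1 {AKEY} ;\n"
       f"add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc {EKEY} -A hmac-sha1 {AKEY} ;\n")
SAM = ("spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;\n"
       "spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;\n" + SAS)
RIC = ("spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;\n"
       "spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;\n" + SAS)

# "add src dst esp SPI -m mode -E ealg key -A aalg key ;"  (SA entries)
SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+esp\s+(\d+)\s+-m\s+(\w+)\s+-E\s+(\S+)\s+(0x[0-9a-fA-F]+)"
                   r"\s+-A\s+(\S+)\s+(0x[0-9a-fA-F]+)\s*;", re.M)
# "spdadd src dst proto -P in|out ipsec policy ;"  (SPD entries)
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;", re.M)

def parse(script):
    """Return ({(src, dst, spi): (mode, ealg, ekey, aalg, akey)}, {(src, dst, dir): policy})."""
    sas = {(s, d, int(spi)): tuple(rest) for s, d, spi, *rest in SA_RE.findall(script)}
    spds = {(s, d, direction): pol for s, d, direction, pol in SPD_RE.findall(script)}
    return sas, spds

def check_mirror(side_a, side_b):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    problems = []
    sa_a, spd_a = parse(side_a)
    sa_b, spd_b = parse(side_b)
    # With manual keying the SA database must be identical at both ends:
    # same SPI, algorithms and keys for each (src, dst) pair.
    for key in sorted(set(sa_a) | set(sa_b)):
        if sa_a.get(key) != sa_b.get(key):
            problems.append(f"SA {key[0]}->{key[1]} spi {key[2]} differs between the two ends")
    # hmac-sha1 needs exactly a 160-bit key; a wrong length is rejected by setkey on one side only.
    for (src, dst, spi), (_mode, _ealg, _ekey, aalg, akey) in sa_a.items():
        if aalg == "hmac-sha1" and len(akey) - 2 != 40:
            problems.append(f"SA {src}->{dst} spi {spi}: hmac-sha1 key is not 160 bits")
    # Every 'out' policy on one side must appear as the same 'in' policy on the other.
    for spd_x, spd_y in ((spd_a, spd_b), (spd_b, spd_a)):
        for (src, dst, direction), pol in spd_x.items():
            mirror = "in" if direction == "out" else "out"
            if spd_y.get((src, dst, mirror)) != pol:
                problems.append(f"policy {direction} {src}->{dst} has no matching {mirror} policy on the peer")
    return problems

if __name__ == "__main__":
    print(check_mirror(SAM, RIC) or "both ends agree")
```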
