Date: Wed, 20 Mar 2002 23:18:02 +0100
From: Rickard Borgmäster <doktorn@realworld.nu>
To: Lars Eggert <larse@ISI.EDU>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec tunnel FreeBSD<->OpenBSD using isakmp
Message-ID: <20020320231802.222a8dd2.doktorn@realworld.nu>
In-Reply-To: <3C98EF33.6090207@isi.edu>
References: <20020320205735.0851b080.doktorn@realworld.nu> <3C98EF33.6090207@isi.edu>
On Wed, 20 Mar 2002 12:21:07 -0800
Lars Eggert <larse@ISI.EDU> hit the keyboard and punched:
> > I can see this at OpenBSD box:
> > # netstat -rn
> > [...]
> > Port Destination Port Proto SA(Address/Proto/Type/Direction)
> > 192.168.2/24 0 10.0.0/24    0 0 130.236.218.63/50/use/in
> > 10.0.0/24    0 192.168.2/24 0 0 130.236.218.63/50/require/out
> >
> > However, on the FreeBSD side, netstat -rn won't show anything about
> > 10.0.0.0/24. Maybe Encap routes won't show in the ordinary routing
> > table on FreeBSD?
>
> It looks like the OpenBSD IPsec implementation integrates IPsec tunnel
> mode SAs with the routing table (good!) FreeBSD's KAME doesn't (yet;
> more recent KAME SNAPs have "device sec" which looks promising).
KAME? Is KAME something I need? The only thing I've added is
options IPSEC
options IPSEC_ESP
to my kernel and installed the isakmpd port. Then, of course, set up the
/etc/isakmpd/isakmpd.conf file.
> > From either the OpenBSD or FreeBSD box, I am unable to reach the
> > private net behind the other IPSec node. Ie, from FreeBSD box, I
> > cannot reach 10.0.0.0/24. And from OpenBSD box, I cannot reach
> > 192.168.2.0/24.
>
> I bet your boxes pick the wrong source address when you generate packets
> on them to go to the other net, because you don't have any interfaces
> configured on these nets (IPsec SAs aren't interfaces, at least on
> FreeBSD). Try tcpdumping and tell me what you get.
Not sure I get your point here. Why don't I have any interface on
these nets? Do you mean that on the FreeBSD box with:
pub-ip: 130.236.218.63
priv-net: 192.168.2.0/24
...that I miss an interface with 10.0.0.x address here?
I think I'm lost here... :-/
Well, tcpdump on the OpenBSD box, while pinging 10.0.0.1 from FBSD,
gives nothing. No packets received. tcpdumping output on FBSD while
pinging 10.0.0.1:
tcpdump: listening on xl0
23:08:31.194401 0:1:2:fa:aa:76 0:0:c:7:ac:29 0800 98: 130.236.218.63 > 10.0.0.1: icmp: echo request
I also get a message (from where I don't know...) like this:
PING 10.0.0.1 (10.0.0.1): 56 data bytes
36 bytes from linkoping-2-FE1-0-0.sunet.se (130.242.201.73): Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 cf42   0 0000  3d  01 473a 130.236.218.63  10.0.0.1
This indicates that when I ping 10.0.0.1, packets go out the "normal" way
instead of taking the path through the tunnel. Almost the same thing on OpenBSD:
tcpdump: listening on xl1
23:13:17.016763 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 98: 213.88.128.173 > 192.168.2.17: icmp: echo request
23:13:18.023316 0:10:4b:cf:1f:e0 0:c0:7b:a3:71:b6 0800 98: 213.88.128.173 > 192.168.2.17: icmp: echo request
23:13:18.031981 0:c0:7b:a3:71:b6 0:10:4b:cf:1f:e0 0800 70: 62.95.60.2 > 213.88.128.173: icmp: host 192.168.2.17 unreachable
I hope I got the tcpdump stuff that interests you. I didn't really figure
out what else to tcpdump on :-)
Thing is, that both machines work just fine as IPSec peers, but not as
"nodes" or what to call it. They pass the ESP packets just fine, and
connect their private/NATed networks to each other. So the *BSDs serve
their clients just fine, but cannot use the tunnel themselves...
--
Rickard

Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/
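The source-address mismatch Lars describes, as an added example that is not part of the thread: a small model of the OpenBSD flow table quoted above, showing that a packet the gateway sources from its public address matches no policy and leaves in the clear (the "host unreachable" seen in the tcpdump), while one sourced from the private net hits the require/out policy. The policies and addresses are the ones quoted in the mail; the first-match lookup is a simplifying assumption, not the kernel's actual SPD code.

```python
"""Why a gateway's own packets can miss its tunnel policy.

Added illustration, not code from the thread. The two policies are the ones
quoted from the OpenBSD `netstat -rn` encap table; the packet addresses are
taken from the tcpdump and ping output in the mail. The SPD lookup is a
simplified first-match version (assumption: two non-overlapping policies,
so longest-match ordering does not matter).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # traffic selector, source side
    dst: ipaddress.IPv4Network   # traffic selector, destination side
    peer: str                    # tunnel endpoint the SA is negotiated with
    level: str                   # "require": must be protected; "use": if an SA exists
    direction: str               # "in" or "out"


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Flow policies on the OpenBSD box, as shown in the thread.
SPD = [
    Policy(_net("192.168.2.0/24"), _net("10.0.0.0/24"), "130.236.218.63", "use", "in"),
    Policy(_net("10.0.0.0/24"), _net("192.168.2.0/24"), "130.236.218.63", "require", "out"),
]


def lookup(src: str, dst: str, direction: str):
    """First policy whose selectors cover the packet, or None if none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in SPD:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def egress(src: str, dst: str) -> str:
    """'esp' if the outbound packet would be tunnelled, 'cleartext' if it
    would leave via the ordinary route (the failure mode seen in the mail)."""
    return "esp" if lookup(src, dst, "out") is not None else "cleartext"


if __name__ == "__main__":
    # Source chosen from the public interface: no policy matches, the packet
    # goes out unprotected and a router upstream answers "host unreachable".
    print(egress("213.88.128.173", "192.168.2.17"))   # cleartext
    # Source taken from the private net (an address the box holds on
    # 10.0.0.0/24): the require/out policy matches and ESP is used.
    print(egress("10.0.0.1", "192.168.2.17"))         # esp
```

The same check applied to the FreeBSD side (public source 130.236.218.63 toward 10.0.0.1) gives the cleartext result, which is what the xl0 tcpdump above shows.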