Multiple Gateway IPSEC Problem
Company 2210
company2210 at hotmail.com
Wed Aug 27 11:06:13 PDT 2003
Hi all,
I have a really really really annoying problem that I'm trying to rectify. I
have three gateways, and two ipsec (esp encrypted) links, one of which forwards
traffic to the internet. I was provided half a class C (/25) which I have split
into 4 subnets of 32 addresses (30 usable).
I am currently trying to employ only two of the 4 available subnets. The
layout is like so:
BoxA <=======> BoxB <==========> BoxC <-------> Cisco Router <----> Internet
<===> Denotes IPSEC VPN Link
<----> Denotes standard ethernet non-encrypted link
BoxA:         VPN Interface (to BoxB) - 10.0.2.2
              Gateway Interface (Public): 91.18.78.33 (91.18.78.32/27 Network)
BoxB:         VPN Interface (to BoxA) - 10.0.2.1
              VPN Interface (to BoxC) - 10.0.0.1
              Gateway Interface (Public): 91.18.78.1 (91.18.78.0/27 Network)
BoxC:         VPN Interface (to BoxB) - 10.0.0.2
              Gateway Interface (Private - to Cisco Router): 10.0.1.1
Cisco Router: Gateway Interface (Private to BoxC): 10.0.1.2
              Gateway Interface (Public - to World): 91.17.66.69 (91.18.66.68/30 Network)
Traffic from BoxA is supposed to head to Box B, then out to Box C which is
connected to a cisco router that routes out to the internet; this works.
However, any traffic from Box A to Box B fails to appear, and vice versa. This
means that clients locally connected to BoxA can connect to the internet, but
not ping/talk to any clients of BoxB and vice versa. To elaborate, any ping
attempts from a host using 91.18.78.33 as a gateway to any host using
91.18.78.1 as a gateway result in "TTL exceeded" errors. However, any host
using 91.18.78.1 as a gateway, and pinging any host using 91.18.78.33 as a
gateway, gets a 'ping timeout' error.
I'm sure this is a problem with the setkey rules, but I cannot see
what it is. I've included my current ruleset (with comments - for each box).
BoxA Setkey Rules:
---------------------
# delete all existing entries from the SAD and SPD databases (setkey -FP & -F)
flush;
spdflush;
# add the policy to the SPD database
# Allow pings amongst local clients
spdadd 91.18.78.32/27 91.18.78.32/27 any -P out none;
spdadd 91.18.78.32/27 91.18.78.32/27 any -P in none;
# Encrypt and direct traffic to 91.18.78.0/27 network
spdadd 91.18.78.32/27 91.18.78.0/27 any -P out ipsec esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 91.18.78.0/27 91.18.78.32/27 any -P in ipsec esp/tunnel/10.0.2.1-10.0.2.2/require;
# Encrypt and direct all other traffic (i.e. internet traffic)
spdadd 91.18.78.32/27 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 0.0.0.0/0 91.18.78.32/27 any -P in ipsec esp/tunnel/10.0.2.1-10.0.2.2/require;
BoxB Setkey Rules:
----------------------
# Flush all rules
# ----------------
flush;
spdflush;
# Policies for SPD Database
# -------------------------
# 1 - Local Subnet Traffic: Not Encrypted
# ----------------------------------------
spdadd 91.18.78.0/27 91.18.78.0/27 any -P out none;
spdadd 91.18.78.0/27 91.18.78.0/27 any -P in none;
# 2 - Direct flow of traffic between local networks
# --------------------------------------------------
spdadd 91.18.78.0/27 91.18.78.32/27 any -P out ipsec esp/tunnel/10.0.2.1-10.0.2.2/require;
spdadd 91.18.78.32/27 91.18.78.0/27 any -P in ipsec esp/tunnel/10.0.2.2-10.0.2.1/require;
# 3 - Other Traffic (i.e. internet) for BoxA or its clients must be directed through BoxA <====> BoxB tunnel.
# ------------------------------------------------------------------------------------------------------------
spdadd 0.0.0.0/0 91.18.78.32/27 any -P out ipsec esp/tunnel/10.0.2.1-10.0.2.2/require;
spdadd 91.18.78.32/27 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.2.2-10.0.2.1/require;
# 4 - All other traffic (i.e. internet) across entire class C/25 network: Encrypted & Sent to BoxC
# ------------------------------------------------------------------------------------------------
spdadd 91.18.78.0/25 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 0.0.0.0/0 91.18.78.0/25 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
BoxC Setkey Rules
---------------------
# Delete all existing entries from the SAD and SPD databases
# -----------------------------------------------------------
flush;
spdflush;
# Add policies to the SPD database
# --------------------------------
# 1 - /25 Network Traffic <-> Internet: Encrypt / Decrypt & Send on its wicked way.
# ----------------------------------------------------------------------------------
spdadd 0.0.0.0/0 91.18.78.0/25 any -P out ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 91.18.78.0/25 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
Well, there we have it. I am sure ipsec is having issues with 0.0.0.0/0
(which is required for directing internet traffic) but I am unable to
resolve these. Any advice and/or help would be greatly appreciated.
Kind Regards
Colin Watson.
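As an added illustration, not part of the original post: a small Python script that transcribes the outbound SPD entries above and traces a packet box by box, reporting which entry each box selects and where it tunnels the packet. It assumes that the first matching entry in listed order wins, that the same lookup applies to packets a box forwards, and that 198.51.100.7 stands in for an arbitrary Internet host (a constructed address).

```python
import ipaddress

# Outbound SPD entries transcribed from the setkey rules in the post, in the
# listed order: (src selector, dst selector, remote tunnel endpoint or None).
# Assumed semantics: the first matching entry wins, and the same lookup is
# applied to packets the box forwards, not only to its own traffic.
SPD = {
    "BoxA": [("91.18.78.32/27", "91.18.78.32/27", None),
             ("91.18.78.32/27", "91.18.78.0/27",  "10.0.2.1"),
             ("91.18.78.32/27", "0.0.0.0/0",      "10.0.2.1")],
    "BoxB": [("91.18.78.0/27",  "91.18.78.0/27",  None),
             ("91.18.78.0/27",  "91.18.78.32/27", "10.0.2.2"),
             ("0.0.0.0/0",      "91.18.78.32/27", "10.0.2.2"),
             ("91.18.78.0/25",  "0.0.0.0/0",      "10.0.0.2")],
    "BoxC": [("0.0.0.0/0",      "91.18.78.0/25",  "10.0.0.1")],
}
# The box that owns each tunnel endpoint, from the addressing in the post.
PEER = {"10.0.2.1": "BoxB", "10.0.2.2": "BoxA", "10.0.0.1": "BoxB", "10.0.0.2": "BoxC"}

def lookup(box, src, dst):
    """Index and remote endpoint of the first entry on `box` covering src->dst,
    or (None, None) when no policy applies (packet leaves in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (ps, pd, remote) in enumerate(SPD[box]):
        if s in ipaddress.ip_network(ps) and d in ipaddress.ip_network(pd):
            return i, remote
    return None, None

def trace(src, dst, box, ttl=6):
    """Follow a packet hop by hop from `box`.  Returns [(box, entry index, next
    hop)]; the final hop is "LAN" (delivered locally), "Internet" (BoxC hands
    it to the Cisco router) or "TTL exceeded" when it keeps being tunnelled."""
    hops = []
    while ttl > 0:
        idx, remote = lookup(box, src, dst)
        nxt = PEER[remote] if remote else ("Internet" if box == "BoxC" else "LAN")
        hops.append((box, idx, nxt))
        if nxt not in SPD:
            return hops
        box, ttl = nxt, ttl - 1
    hops.append((box, None, "TTL exceeded"))
    return hops

if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet address; .40 is a BoxA client, .5 a BoxB client.
    for src, dst, start in [("91.18.78.40", "91.18.78.5", "BoxA"),
                            ("91.18.78.5", "91.18.78.40", "BoxB"),
                            ("91.18.78.40", "198.51.100.7", "BoxA")]:
        print(f"{src} -> {dst}:", trace(src, dst, start))
```

For a BoxA client talking to a BoxB client, the only BoxB outbound entry whose selectors cover the forwarded packet is entry 3 (91.18.78.0/25 to 0.0.0.0/0), so under these assumptions the trace bounces between BoxB and BoxC and ends in "TTL exceeded", while the Internet-bound case completes.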