VPN with FAST_IPSEC and ipsec tools
fox at verio.net
Mon Jun 26 04:09:52 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Michael Vince <mv at thebeastie.org> wrote:
> After reloading ipsec and racoon I tried to do a traceroute from a
> client behind the local gateway to a client behind the remote gateway,
> it went off and did a typical traceroute through the gateway out over
> the Internet like a regular traceroute, completely being missed by the
> kernel/ipsec rules, nothing stopped it or tried to tunnel it or
> trigger racoon IKE activity.
I didn't really include a section on troubleshooting, so I suppose I
could mention some things about that.
Traceroute is a very helpful tool. As you noticed, the traceroute
proceeded out to the Internet, whereas in a normal tunnel you should
never see the internet at all, it should proceed from one hop being the
near gateway, to the next hop being the far gateway. What this
indicates is that your SA definition is not triggering.
To be more specific, your SPD does not match the output traffic and
trigger the creation of a SAD.
You can examine these with "setkey -D" (for SA's) or "setkey -DP" (for
When you run "setkey -DP" you should see an outbound definition
containing your source network, followed by the destination, like so:
192.168.1.0/24[any] 192.168.11.0/24[any] any
created: Jun 23 16:12:51 2006 lastused: Jun 23 16:12:51 2006
lifetime: 0(s) validtime: 0(s)
spid=16851 seq=5 pid=89388
This is a SPD declaring that if traffic sourced from 192.168.1.0/24 ever
tries to route to 192.168.11.0/24, traveling in an outbound direction,
then it will trigger the creation of a SAD (though I usually just call
The SA will be in tunnel mode, using esp, with 22.214.171.124 as the source
gateway (here) and 126.96.36.199 as the destination gateway (there). The
keyword "unique" specifies that no other existing SA's will be
leveraged, or "piggybacked," a real unique SA specifying only these two
subnets must be negotiated.
That is just an explanation for what the descriptor says. You must
validate: Is this true for your network? Is the network 192.168.1.0/24
really located behind gateway 188.8.131.52, and is 192.168.11.0/24 behind
184.108.40.206? Just a quick sanity check, you must be certain you've set it
If your traffic routes right past this SPD without being matched, it
makes me wonder: Is the traffic being NAT'd before it has a chance to
be matched by the kernel? I am using PF on FreeBSD 6.0, and in my setup
I did not have to add any special "no nat" rules in order to make this
work. However, if you use some other method of NAT, there may be some
> I tried putting 'require' in my ipsec rules, didn't change anything.
Yes, as I mentioned, 'require' is just a less-strict form of 'unique'.
You can get things working well with 'require' but you will find
interoperational problems with other gateways (like Cisco) that expect
unique SA's to be negotiated.
> Did you have any special routes to tell the ipsec/kernel to start
> encrypting the traffic?
It is not completely clear to me at what "stage" of traffic handling
IPSEC is matched. Is the packet matched as soon as it heads inbound?
Before the routing table check? After the routing table? When it tries
to flow outbound? The "-P out" seems to imply that it would be checked
at that stage... and if so, that means your NAT must not be applied
My typical NAT rule looks like this:
nat on $EXT from $INT:network to any -> $EXTIP
This causes NAT to be applied when the packet has already been routed
and is about to leave through the external interface. However, if you
had a different rule:
nat on $INT to any -> $EXTIP
This is a pathological example, but if you used this example, I wonder
if it would apply NAT too soon and prevent the packet from being matched?
> Are you using FAST_IPSEC or the other IPsec? If so I will have to
> change. Which version of FreeBSD are you using?
Hmm... In examining my kernel configuration I found these options:
# options IPSEC_FILTERGIF
# options FAST_IPSEC
So it appears that I am NOT using FAST_IPSEC. For some reason I thought
that I was, but now I see I was mistaken. I wonder if someone can
explain the difference between the two?
David DeSimone == Network Admin == fox at verio.net
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous. -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the freebsd-net