IPsec support in FreeBSD

Ashish SHUKLA ashish at FreeBSD.org
Sun Aug 22 21:07:28 UTC 2010


Hi,

I'm running 8.1-RELEASE on amd64.

I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind
a NAT and I'm having strange issues working with it. IPsec negotiation
succeeds but there are problems with sending traffic over the tunnel.

To actually be able to send a packet across the tunnel, I have to run a
tcpdump on the ethernet interface; only then do I start getting replies to my
packets, and the SA gets established on the server (as per the racoon log
maintained by the server). This is weird, but it is the only workaround for me
to start communicating over my tunnel.

I'm running a custom kernel[1]. Following are the values of sysctl knobs with
'ipsec' in their OID, in case my :

#v+
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.filtertunnel: 0
#v-

I was using pf as the firewall, but I disabled it using `pfctl -d` to avoid
any possibility of issues due to the firewall. I'm wondering if this is related
to kern/122562[2].

Also, after connecting/disconnecting the tunnel n times, I noticed my
IPv4 address was gone from the interfaces; some messages appeared in my
dmesg[3], accompanied by beep sounds. This happened yesterday as well. To
work around this I had to re-assign the IPv4 address to the interface.

References:
[1]  http://people.freebsd.org/~ashish/ipsec/CHATEAU
[2]  http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/122562
[3]  http://people.freebsd.org/~ashish/ipsec/messages.kern

Thanks in advance
-- 
Ashish SHUKLA      | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

“The best way to predict the future is to implement it.” (David
Heinemeier Hansson)