IPSec connection troubles

Denis Antrushin DAntrushin at mail.ru
Thu Feb 11 11:25:17 UTC 2010


Hello,

I'm trying to establish an IPSec connection between FreeBSD and
Solaris boxes. I use FreeBSD 8-STABLE (I don't recall the exact checkout
date, but it contains the recent IPComp fixes for sure).
Since I'm behind NAT, I compiled a 0.8alpha snapshot of ipsec-tools
from their site.

The racoon config looks like this:
------------------------------------------------------------
remote A.B.C.D {
     exchange_mode main;
     doi ipsec_doi;
     situation identity_only;
     certificate_type x509 "mycert.pem" "mykey.pem";
     my_identifier asn1dn ;
     peers_identifier asn1dn ;
     peers_certfile x509 "server.crt";
     send_cert off;
     verify_identifier off;
     lifetime time 7200 seconds;
     initial_contact on;
     passive off;
     proposal_check obey;
     generate_policy off;
     nonce_size 16;
     nat_traversal on;
     proposal {
         encryption_algorithm aes;
         hash_algorithm sha1;
         authentication_method rsasig;
         dh_group modp1536;
     }
}

sainfo address 192.168.1.33/32 tcp address A.B.C.D[2112] tcp {
     pfs_group modp1536;
     lifetime time 7200 seconds;
     encryption_algorithm aes;
     authentication_algorithm hmac_sha1;
     compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 udp address A.B.C.D[2112] udp {
     pfs_group modp1536;
     lifetime time 7200 seconds;
     encryption_algorithm aes;
     authentication_algorithm hmac_sha1;
     compression_algorithm deflate;
}

sainfo address 192.168.1.33/32 icmp address A.B.C.D[any] icmp {
     pfs_group modp1536;
     lifetime time 7200 seconds;
     encryption_algorithm aes;
     authentication_algorithm hmac_sha1;
     compression_algorithm deflate;
}

listen {
     isakmp 192.168.1.33 [500];
     isakmp_natt 192.168.1.33 [4500];
}

-------------------------------------------------------------------

The security policy is as follows:

spdadd 192.168.1.33/32 A.B.C.D/32[2112] tcp -P out
     ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 tcp -P in
     ipsec esp/transport//unique;
spdadd 192.168.1.33/32 A.B.C.D/32[2112] udp -P out
     ipsec esp/transport//unique;
spdadd A.B.C.D/32[2112] 192.168.1.33/32 udp -P in
     ipsec esp/transport//unique;

spdadd 192.168.1.33/32 A.B.C.D/32 icmp -P out
     ipsec esp/transport//require;
spdadd A.B.C.D/32 192.168.1.33/32 icmp -P in
     ipsec esp/transport//require;


When I try to connect to TCP port 2112 of the Solaris box,
racoon successfully negotiates with the remote peer and I see the
SA installed in the kernel, but then nothing happens.
I see encapsulated TCP SYN packets sent on enc0, but
nothing else. The TCP connection is not established, there is nothing
in the racoon logs (except KA), and nothing on the PF_KEY socket.
The very same setup works on Linux and Mac.

How can I further debug this problem?


Thanks,
   Denis
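One way to narrow down where the SYNs are lost, added here as an example and not part of Denis' message: it compares two `setkey -D` snapshots and reports which direction's SA actually processed ESP bytes, so you can tell "nothing ever comes back from the peer" apart from "replies arrive but are dropped on the cleartext side". The sample output is constructed in the KAME/FreeBSD `setkey -D` format (the SPIs and byte counters are made up, the peer stays the A.B.C.D placeholder); in practice you would feed it two real captures taken a few seconds apart while retrying the connection.

```python
import re

# Constructed sample in the shape of KAME/FreeBSD `setkey -D` output: two
# snapshots a few seconds apart. Addresses follow the post (peer kept as the
# A.B.C.D placeholder); SPIs and byte counters are made up.
SNAP_BEFORE = """\
192.168.1.33 A.B.C.D
\tesp mode=transport spi=305419896(0x12345678) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
A.B.C.D 192.168.1.33
\tesp mode=transport spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""
# Only the outbound SA's counter moves: the SYNs get encrypted, nothing returns.
SNAP_AFTER = SNAP_BEFORE.replace("current: 0(bytes)", "current: 240(bytes)", 1)

SA_HEAD = re.compile(r"^(\S+)\s+(\S+)$")                 # unindented "src dst" line
SPI_RE = re.compile(r"\bspi=(\d+)\(")
BYTES_RE = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")  # lifetime byte counter

def parse_sad(text):
    """Map (src, dst, spi) -> bytes processed, from `setkey -D` output."""
    sas, key = {}, None
    for line in text.splitlines():
        head = SA_HEAD.match(line)
        if head:                                      # a new SA starts here
            key = [head.group(1), head.group(2), None]
        elif key and SPI_RE.search(line):
            key[2] = int(SPI_RE.search(line).group(1))
        elif key and key[2] is not None and BYTES_RE.match(line):
            sas[tuple(key)] = int(BYTES_RE.match(line).group(1))
    return sas

def diagnose(before, after, local):
    """Compare two SAD snapshots and report which direction moved ESP bytes."""
    b, a = parse_sad(before), parse_sad(after)
    host = lambda addr: addr.split("[")[0]            # strip NAT-T port, e.g. [4500]
    out_delta = sum(a[k] - b.get(k, 0) for k in a if host(k[0]) == local)
    in_delta = sum(a[k] - b.get(k, 0) for k in a if host(k[1]) == local)
    if out_delta and not in_delta:
        verdict = "outbound SA encrypts, inbound SA never sees ESP: capture the outer interface for ESP/UDP 4500 from the peer"
    elif out_delta and in_delta:
        verdict = "both SAs carry traffic: look at the cleartext side (enc0, SPD, firewall)"
    else:
        verdict = "neither SA is used: the flow does not match the SPD, compare with setkey -DP"
    return {"out_bytes": out_delta, "in_bytes": in_delta, "verdict": verdict}
```

If the inbound counter does grow while the TCP handshake still fails, `netstat -sp esp` on the FreeBSD side shows whether the returning packets are being dropped after decryption rather than never arriving.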
