Továbbítás: [Ipsec-tools-users] freebsd & linux setup question
krichy@cflinux.hu
krichy at cflinux.hu
Mon Jan 21 16:53:55 UTC 2013
Küldve az én HTC-mről
----- Forwarded message -----
kezdés: "Richard Kojedzinszky" <krichy at cflinux.hu>
Befejezés: <ipsec-tools-users at lists.sourceforge.net>
Tárgy: [Ipsec-tools-users] freebsd & linux setup question
Dátum: H, jan. 21, 2013 17:08
Dear users,
I've a working tunnel setup between two linux hosts.
One end (A) has a fix address, while the other (B) has a dynamic one.
A is my server, B is my home router. Behind B, I've a private network.
What I've setup is that my private network reaches A through an IPSEC
tunnel.
The diagram:
A - { INTERNET } - B - { local network }
So, in my home router, when it acquires an IP address, such script runs
(A is the server's address, B is the dynamic address):
# echo "spdadd 10.0.0.0/24 A any -P out ipsec esp/tunnel/B-A/require;" |
setkey -c
# echo "spdadd A 10.0.0.0/24 any -P in ipsec esp/tunnel/A-B/require;" |
setkey -c
My racoon config has only an anonymous remote section. The server has one
also, but it has generate_policy set to on. Therefore, when a packet
initiates the tunnel, the server sets up correct tunnels/policies, and
everything works fine.
Now, I've decided to switc to freebsd on server side, and the same
configuration on the server simply does not work. It installs the
policies, and the tunnels, but it seems, that when a reply packet is
leaving the server, it tries to initiate a new tunnel. If I've "passive
on" on my server's remote section, then I've the following error:
Jan 21 16:06:11 pi racoon: ERROR: no configuration found for B.
Jan 21 16:06:11 pi racoon: ERROR: failed to begin ipsec sa negotication.
If I disable passive mode, then racoon tries to establish another tunnel,
but for some reason it does not succeed also. But I think, as in linux
it should work with passive on.
FreeBSD is 9.1-RELEASE, the linux side is a linux 3.5.4.
racoon on linux is:
# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Compiled with:
- OpenSSL 1.0.0e 6 Sep 2011 (http://www.openssl.org/)
- Dead Peer Detection
- IKE fragmentation
- NAT Traversal
- Monotonic clock
racoon on freebsd is:
# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Compiled with:
- OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- Monotonic clock
Unfortunately I've no idea.
Before the first packet, on the server:
# setkey -D
No SAD entries.
After an icmp packet sent from my private network to A:
# setkey -D
A B
esp mode=tunnel spi=76859998(0x0494ca5e) reqid=0(0x00000000)
E: rijndael-cbc 1c80b80d b006e3a3 772c2a9b 5c475213
A: hmac-md5 d43ff29c 034c896a fb2e7d1c 95f73ff5
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jan 21 17:03:39 2013 current: Jan 21 17:05:54 2013
diff: 135(s) hard: 14400(s) soft: 11520(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=93091 refcnt=1
B A
esp mode=tunnel spi=144790000(0x08a151f0) reqid=0(0x00000000)
E: rijndael-cbc 8bd59c29 9800d10f 8f9d7e84 a720aa9c
A: hmac-md5 188070e2 a3220772 78efcb06 3457db62
seq=0x00000037 replay=4 flags=0x00000000 state=mature
created: Jan 21 17:03:39 2013 current: Jan 21 17:05:54 2013
diff: 135(s) hard: 14400(s) soft: 11520(s)
last: Jan 21 17:04:50 2013 hard: 0(s) soft: 0(s)
current: 5720(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 55 hard: 0 soft: 0
sadb_seq=0 pid=93091 refcnt=1
# setkey -DP
10.0.0.0/24[any] A[any] any
in ipsec
esp/tunnel/B-A/require
created: Jan 21 17:03:39 2013 lastused: Jan 21 17:03:39 2013
lifetime: 14400(s) validtime: 0(s)
spid=25 seq=1 pid=5232
refcnt=1
A[any] 10.0.0.0/24[any] any
out ipsec
esp/tunnel/A-B/require
created: Jan 21 17:03:39 2013 lastused: Jan 21 17:04:50 2013
lifetime: 14400(s) validtime: 0(s)
spid=26 seq=0 pid=5232
refcnt=1
Everything seems fine, as well it is in linux, howewer, the attached log
shows that the kernel or racoon does not try to use the new tunnel,
instead it wants another one.
Is it a bug in freebsd, or a feature in linux? Do somebody have experience
with such a setup?
Thanks in advance,
Kojedzinszky Richard
More information about the freebsd-net
mailing list