IPSEC & PF - Please help

Max Laier max at love2party.net
Mon Oct 2 18:36:47 PDT 2006


On Tuesday 03 October 2006 01:40, fwun at bigpond.net.au wrote:
> Here is the article I read about patch for PF:
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg01315.html
> Where can I find an official release of this patch for freebsd 6.1?
> the FreeBSD 6.1-stable I'm using is dated in early August.

enc(4) was MFCed to RELENG_6 "Mon Jul 24 23:20:58 2006 UTC (2 months, 1 
week ago)."  If you move to RELENG_6 or the upcoming BETA build you should 
get it with no patching.  If you need it in 6.1 you'd have to backport it 
yourself, but this should be more or less the same patch as the MFC.

> ---- fwun at bigpond.net.au wrote:
> > Hi,
> >
> > I am having trouble in setting up IPSEC with a remote office. I
> > desperately need help to sort out the problem. Here is the
> > description of this little network:
> >
> > My Office (with Cable Internet, sis0 is the public interface):
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:e22c%sis0 prefixlen 64 scopeid 0x1
> >         inet 60.225.5.1 netmask 0xfffffc00 broadcast 255.255.255.255
> >         ether 00:0d:b9:03:e2:2c
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:e22d%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.10.1 netmask 0xff000000 broadcast 10.255.255.255
> >         ether 00:0d:b9:03:e2:2d
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.1 netmask 0xffffff00
> > pflog0: flags=41<UP,RUNNING> mtu 33208
> > pfsync0: flags=41<UP,RUNNING> mtu 2020
> > gif102: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >         tunnel inet 60.225.5.1 --> 203.33.16.32
> >         inet 10.1.1.1 --> 10.1.1.100 netmask 0xffffff00
> >         inet6 fe80::20d:b9ff:fe03:e22c%gif102 prefixlen 64 scopeid
> > 0x7
> >
> > Ric's Office (with ADSL broadband):
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:eb40%sis0 prefixlen 64 scopeid 0x1
> >         ether 00:0d:b9:03:eb:40
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> > sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=8<VLAN_MTU>
> >         inet6 fe80::20d:b9ff:fe03:eb41%sis1 prefixlen 64 scopeid 0x2
> >         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> >         inet 10.1.100.1 netmask 0xffffff00 broadcast 10.1.100.255
> >         ether 00:0d:b9:03:eb:41
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.1.1.100 netmask 0xffffff00
> > pflog0: flags=41<UP,RUNNING> mtu 33208
> > pfsync0: flags=41<UP,RUNNING> mtu 2020
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> >         inet 203.33.16.32 --> 203.17.1.1 netmask 0xffffffff
> >         Opened by PID 362
> >
> > #Script for establish IPSEC at My Office:
> > /sbin/ifconfig lo0 inet 10.1.1.1/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Ric office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 60.225.5.1 203.33.16.32
> > /sbin/ifconfig gif102 inet 10.1.1.1 10.1.1.100 netmask 255.255.255.0
> > /sbin/route delete 10.1.100.1/24
> > /sbin/route delete 172.17.100.0/24
> > /sbin/route add 10.1.100.1/24 10.1.1.100
> > /sbin/route add 172.17.100.0/24 10.1.1.100
> >
> > setkey -c << EOF
> >
> > Firewall rule at My (SAm)'s office:
> > # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on sis0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on sis0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on sis0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on sis0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on sis0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on sis0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on sis0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass out quick on sis0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to any
> > pass in quick on sis0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass out quick on sis0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at My (SAm)'s office:
> > # netstat -rn | less
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            60.225.5.111       UGS         0    55131   sis0
> > 10                 link#2             UC          0        1   sis1
> > 10.1.1.1           10.1.1.1           UH          0        0    lo0
> > 10.1.100/24        10.1.1.100         UGS         0        7 gif102
> > 60.225.5/22        link#1             UC          0        0   sis0
> > 60.225.5.111       00:0f:35:45:78:70  UHLW        2        0   sis0   1200
> > 127.0.0.1          127.0.0.1          UH          0      541    lo0
> > 172.17.4/24        link#3             UC          0        0   ath0
> > 172.17.100/24      10.1.1.100         UGS         0        0 gif102
> > 192.168.0          link#2             UC          0        0   sis1
> >
> > # Tunnel to Ric office
> > spdadd 10.1.1.1 10.1.1.100 any -P out ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > spdadd 10.1.1.100 10.1.1.1 any -P in ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> > #Script for establish IPSEC at Ric's office:
> > /sbin/ifconfig lo0 inet 10.1.1.100/24 alias
> > setkey -FP
> > setkey -F
> >
> > # Tunnel to Sam Office
> > /sbin/ifconfig gif102 destroy
> > /sbin/ifconfig gif102 create
> > /sbin/ifconfig gif102 tunnel 203.33.16.32 60.225.5.1
> > /sbin/ifconfig gif102 inet 10.1.1.100 10.1.1.1 netmask 255.255.255.0
> > /sbin/route delete 10.1.1.1/24
> > /sbin/route delete 172.17.4.0/24
> > /sbin/route add 10.1.1.1/24 10.1.1.1
> > /sbin/route add 172.17.4.0/24 10.1.1.1
> >
> > setkey -c << EOF
> >
> > # Tunnel to Sam office
> > spdadd 10.1.1.100 10.1.1.1 any -P out ipsec esp/tunnel/10.1.1.100-10.1.1.1/require ;
> > spdadd 10.1.1.1 10.1.1.100 any -P in ipsec esp/tunnel/10.1.1.1-10.1.1.100/require ;
> > add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0xC0AD6D1F390BBECD431A75A3461C2FD62433DD1D947804CAD75133DABF2F25C4B6F928521AECE611218C007CE917CC986CF36382DB29D11B -A hmac-sha1 0xB4D3FBE932C36E1D09BA4827F78A542D37C936BE ;
> > add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0xB4E4556530711A5831A8289B4A8DB9334F62A878E6FAAF889A243FEA7BDEEE3058A4E8220289C02A09321BEFE0619AA641006F3C02230B3B -A hmac-sha1 0xAFB28AABC10B4B704A730CB070A719ED93254AB6 ;
> >
> >
> > EOF
> >
> > Firewall rule at Ric's office:
> >  # pfctl -sr
> > pass in on sis1 inet proto tcp from any to 127.0.0.1 port = 3128 keep state
> > pass out on tun0 inet proto tcp from any to any port = http keep state
> > block drop in log all
> > block drop in log quick on tun0 inet proto udp from any to 255.255.255.255
> > block drop in log quick on sis1 inet proto udp from any to 255.255.255.255
> > pass in on lo0 all
> > pass out quick on tun0 all keep state
> > pass out quick on sis1 all keep state
> > pass in on sis1 all keep state
> > pass out on tun0 proto tcp all flags S/SA keep state
> > pass out on sis1 proto tcp all flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = ssh flags S/SA keep state
> > pass in on tun0 proto tcp from any to any port = http flags S/SA keep state
> > pass in on tun0 proto udp from any to any port = commplex-main keep state
> > pass in quick on ath0 all keep state
> > pass in quick on tun0 inet proto esp from 203.33.16.32 to 60.225.5.1
> > pass out quick on tun0 inet proto esp from 60.225.5.1 to 203.33.16.32
> > pass in quick proto ipencap all
> > pass in quick inet from 10.1.1.0/24 to 10.1.100.0/24
> > pass in quick inet from 10.1.1.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.1.0/24
> > pass out quick inet from 10.1.100.0/24 to 10.1.100.0/24
> > pass in quick on tun0 inet proto udp from 203.33.16.32 to 60.225.5.1 port = isakmp
> > pass out quick on tun0 inet proto udp from 60.225.5.1 to 203.33.16.32 port = isakmp
> > pass quick on gif102 all
> >
> > Network routing table at Ric's office:
> > # netstat -rn
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            203.17.101.81      UGS         0  2005455   tun0
> > 10.1.1/24          10.1.1.1           UGS         0        0 gif102
> > 10.1.1.1           10.1.1.100         UH        972     1015 gif102
> > 10.1.1.100         10.1.1.100         UH          0       16    lo0
> > 10.1.100/24        link#2             UC          0        0   sis1
> > 10.1.100.1         00:0d:b9:03:eb:41  UHLW        1       10    lo0
> > 127.0.0.1          127.0.0.1          UH          0     3335    lo0
> > 172.17.4/24        10.1.1.1           UGS         0      586 gif102
> > 192.168.0          link#2             UC          0        1   sis1
> > 192.168.0.198      00:0d:60:ff:b7:1f  UHLW        1  1141717   sis1    818
> > 192.168.0.200      00:14:22:fd:cc:8f  UHLW        1     9945   sis1
> > 203.17.10.8        203.33.16.32       UH          1        0   tun0
> >
> > The problem is My (Sam) office can ping 10.1.100.1 at Ric's office,
> > but I still can't ping his other IP 10.1.1.100 (assigned to his
> > loopback lo interface). Ric's office can't ping me (Sam) at 10.1.1.1 or
> > 10.1.10.1 at all. Tcpdump showed that the PF firewall blocked the
> > incoming packets from 10.1.1/24, then I made a "pass" rule to let them
> > through. But Ric still can't ping 10.1.1.1 and 10.1.10.1.
> >
> > And I read the following article from the PF mailing list; it might be the
> > issue in PF. Can anyone please shed some light on this for me? I desperately
> > want to get this working.
> >
> > Thanks
> > S

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
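A consistency check for the manually keyed SAs in the two setkey scripts quoted above, added here as an illustration and not code from either mail. The receiving host selects an inbound ESP SA by (destination address, SPI), so each `add` statement has to be loaded with the same src, dst, SPI and keys on both peers; the parser below is a hypothetical helper that handles only the `add ... esp ... -E ... -A ... ;` form the scripts use, and the sample keys are constructed placeholders. Run on the addresses and SPIs from the quoted scripts, it reports that every SA is bound to the opposite direction on the other host.

```python
import re
from typing import List, NamedTuple

# One manual-keying "add <src> <dst> esp <spi> ... -E <alg> <key> -A <alg> <key> ;" statement.
ADD_RE = re.compile(
    r"\badd\s+(\S+)\s+(\S+)\s+esp\s+(\d+)\s.*?-E\s+(\S+)\s+(0x[0-9A-Fa-f]+)"
    r"\s+-A\s+(\S+)\s+(0x[0-9A-Fa-f]+)\s*;",
    re.S,
)

class SA(NamedTuple):
    src: str
    dst: str
    spi: int
    ekey: str
    akey: str

def parse_sas(script: str) -> List[SA]:
    return [SA(m[1], m[2], int(m[3]), m[5], m[7]) for m in ADD_RE.finditer(script)]

def check_peers(local: str, remote: str) -> List[str]:
    """List the SAs the two hosts disagree on.  An inbound SA is found by
    (destination address, SPI), so both peers must load identical entries."""
    mine = {(s.dst, s.spi): s for s in parse_sas(local)}
    theirs = {(s.dst, s.spi): s for s in parse_sas(remote)}
    problems = []
    for key, s in mine.items():
        t = theirs.get(key)
        if t is None:
            problems.append(f"dst={key[0]} spi={key[1]}: only on local host")
        elif (s.src, s.ekey, s.akey) != (t.src, t.ekey, t.akey):
            problems.append(f"dst={key[0]} spi={key[1]}: src or keys differ")
    for key in theirs.keys() - mine.keys():
        problems.append(f"dst={key[0]} spi={key[1]}: only on remote host")
    return problems

# Constructed sample: addresses and SPIs as in the quoted scripts, placeholder keys.
SAM = """
add 10.1.1.1 10.1.1.100 esp 2744 -m tunnel -E blowfish-cbc 0x01010101 -A hmac-sha1 0x02020202 ;
add 10.1.1.100 10.1.1.1 esp 3944 -m tunnel -E blowfish-cbc 0x03030303 -A hmac-sha1 0x04040404 ;
"""
RIC = """
add 10.1.1.100 10.1.1.1 esp 2744 -m tunnel -E blowfish-cbc 0x01010101 -A hmac-sha1 0x02020202 ;
add 10.1.1.1 10.1.1.100 esp 3944 -m tunnel -E blowfish-cbc 0x03030303 -A hmac-sha1 0x04040404 ;
"""
RIC_FIXED = SAM  # the peer must load exactly the same add statements

if __name__ == "__main__":
    print("\n".join(check_peers(SAM, RIC)) or "consistent")  # → four mismatches
```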