IPsec tunnel help
Gergely CZUCZY
phoemix at harmless.hu
Wed Jul 15 16:29:58 UTC 2009
Hello,
I'd like to ask for a bit of help.
I'd like to set up an IPsec VPN between two hosts, and I'm facing an
issue I can't solve myself.
The setup is the following:
It's a site-to-host VPN, from A to B.
At A side there's the fbsd gateway, it's a 7.2 box, everything is built
into the kernel, and ipsec-tools is up and running. I've got a /24
range here.
Site B is a Zywall 2 Plus device.
A: pub: 217.150.138.138, local: 192.168.0.0/24
B: pub: 217.150.130.163, local box: 192.168.1.64/32
C: 192.168.0.248
Phase 1 and 2 are completed. I'm trying to ping a box from the B site
behind the fbsd box, let's call it C. The icmp-echo-request reaches C,
and a reply is generated. The icmp-echo-reply appears on the local interface
of the fbsd box, but at that point it's lost; I can't find a trace of
it. It's not on the gif0 IF, nor are there any outgoing ESP
packets on the public interface.
Configs:
--- rc.conf ---
# IPSec VPN
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipsec_program="/usr/local/sbin/setkey"
racoon_enable="YES"
racoon_flags="-d -l /var/log/racoon.log"
--- rc.conf ---
(I've put up the gif0 by hand)
gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    tunnel inet 217.150.138.138 --> 217.150.130.163
    inet 192.168.0.0 --> 192.168.1.64 netmask 0xffffffff
(I've also tried with 192.168.0.251->192.168.1.64/32, no luck, same
results)
--- ipsec.conf ---
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec
    esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec
    esp/tunnel/217.150.138.138-217.150.130.163/unique;
--- ipsec.conf ---
--- racoon.conf ---
log debug;
path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";
listen {
    isakmp 217.150.138.138;
    adminsock "/var/db/racoon/racoon.sock";
}
remote 217.150.130.163 {
    exchange_mode main;
    my_identifier address 217.150.138.138;
    peers_identifier address 217.150.130.163;
    verify_identifier on;
    # lifetime time 40000 sec;
    proposal_check claim;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 40000 seconds;
    }
}
sainfo address 192.168.1.64/32 any address 192.168.0.0/24 any {
    lifetime time 40000 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 192.168.0.0/24 any address 192.168.1.64/32 any {
    lifetime time 40000 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
--- racoon.conf ---
I've got the tunnel up:
# racoonctl show-sa isakmp
Destination             Cookies                              Created
217.150.130.163.500     60566fd9f22997f0:368679084fb0bf3e    2009-07-15 17:47:00
# racoonctl show-sa esp
217.150.138.138 217.150.130.163
...
217.150.130.163 217.150.138.138
...
(If I should show anything out of it, tell me.)
I'm pinging the C box; on the local IF I see the traffic:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3777, length 64
IP 192.168.0.248 > 192.168.1.64: ICMP echo reply, id 1547, seq 3777, length 64
On gif0 I only see:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3802, length 64
and on the public IF I see the following traffic:
IP 217.150.130.163 > 217.150.138.138: ESP(spi=0x022aff56,seq=0x627), length 116
No ESP packets from the fbsd box to the zyxel (A->B). Practically,
traffic comes in and reaches the box on the local net, but any traffic
going outside is being lost somewhere.
In the pf.conf I allow the traffic to go through:
--- pf.conf snippet ---
pass in quick on $if_inetfw proto udp from any to ($if_inetfw:0) port 500 keep state
pass in quick on $if_inetfw proto {esp,ah,ipencap} from any to ($if_inetfw:0) keep state
pass out quick on $if_inetfw proto {esp,ah,ipencap} from any to any keep state
--- pf.conf snippet ---
So the question is, what is wrong, why don't I have any traffic
going to the B host out of the fbsd box? And how can this be fixed?
Thanks in advance
--
Sincerely,
Gergely CZUCZY
+36-30-9702963
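As an added example (not code from the post or from ipsec-tools): a small Python check that parses setkey spdadd tunnel policies like the ones above and flags any whose declared -P direction contradicts its tunnel endpoints, assuming the gateway's own public address is known (217.150.138.138 in this setup). A policy whose tunnel starts at the local address but is declared -P in never selects outbound traffic for ESP, which matches the symptom of cleartext replies reaching the gateway and vanishing.

```python
import re
from dataclasses import dataclass

# Constructed copy of the two policies from the post (ipsec.conf / setkey syntax).
SPD_CONF = """
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec
    esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec
    esp/tunnel/217.150.138.138-217.150.130.163/unique;
"""
# src dst upperspec -P direction ipsec proto/tunnel/tun_src-tun_dst/level ;
POLICY_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\S+?)/tunnel/(\S+?)-(\S+?)/(\S+?)\s*;"
)

@dataclass
class Policy:
    src: str
    dst: str
    direction: str
    tun_src: str
    tun_dst: str

def parse_spd(text):
    """Extract tunnel-mode spdadd policies from setkey configuration text."""
    return [Policy(m[1], m[2], m[4], m[6], m[7]) for m in POLICY_RE.finditer(text)]

def implied_direction(p, local_pub):
    """'in' if the tunnel ends at local_pub, 'out' if it starts there, else None."""
    if p.tun_dst == local_pub:
        return "in"
    if p.tun_src == local_pub:
        return "out"
    return None

def check_spd(policies, local_pub):
    """Return a list of problems; an empty list means the SPD is consistent."""
    problems = []
    for p in policies:
        want = implied_direction(p, local_pub)
        if want is None:
            problems.append(f"{p.src} -> {p.dst}: neither tunnel endpoint is {local_pub}")
        elif want != p.direction:
            problems.append(f"{p.src} -> {p.dst}: declared -P {p.direction}, endpoints {p.tun_src}-{p.tun_dst} imply -P {want}")
    # Without any -P out policy the kernel never hands outbound packets to ESP.
    if not any(p.direction == "out" for p in policies):
        problems.append("no -P out policy: outbound traffic is never selected for ESP")
    return problems
```

Run `check_spd(parse_spd(SPD_CONF), "217.150.138.138")` on the posted policies and it reports the second spdadd as declared -P in while its endpoints imply -P out, plus the absence of any out policy.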
More information about the freebsd-net mailing list