weird results while ipsec + ipfv_nat (nat before vpn)

Zeus V Panchenko zeus at ibs.dn.ua
Wed Aug 3 10:53:17 UTC 2011


Hi,

I faced a situation that is weird for me; would somebody agree to help me win it,
please?

We need to see some HTTP/S resources behind the Cisco PIX IPSEC.

I'm trying to get this schema working:


SCHEMA (`nat before vpn' as I believe):
--------------

+-> a.a.0.1/16 LAN
|
+-> a.a.a.2/24 FreeBSD b.b.b.1 <-> c.c.c.1/24 IPSEC PEER PIX
                  |                           |
                  + x.x.x.x <-------> y.y.y.y +


CONFIGURATION:
--------------
> uname -a
FreeBSD 8.2-STABLE #3: Tue Aug  2 15:39:33 EEST 2011 i386


> cat /etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0"
ifconfig_bge0="inet x.x.x.x/25"
ifconfig_bge1="inet a.a.a.2/24"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ipfw_enable="YES"
ipfw_nat_enable="YES"
...

In the kernel I have:
options         IPSEC
options         IPSEC_DEBUG
device          crypto

options         IPFIREWALL
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=200
options         IPDIVERT
options         LIBALIAS



> cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;

spdadd b.b.b.1  c.c.c.0/24 any -P out ipsec \
       esp/tunnel/x.x.x.x-y.y.y.y/require;

spdadd  c.c.c.0/24 b.b.b.1 any -P  in ipsec \
       esp/tunnel/y.y.y.y-x.x.x.x/require;



> cat /etc/ipfw.conf
...

add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x

add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse



WHAT I DO:
--------------
1)
trying to ping the IPSEC PEER from the LAN

user at a.a.a.20> ping c.c.c.1

c.c.c.1 reply packets are coming in and are decrypted, but the replies don't reach
the ping initiator a.a.a.20

Box a.a.a.20 reports ping statistics:
450 packets transmitted, 0 packets received, 100.0% packet loss


At the FreeBSD box I see:
user at FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
...
13:27:18.122542 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2903, length 64
13:27:19.123275 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2904, length 64
13:27:20.124517 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2905, length 64
13:27:21.125568 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2906, length 64

On the WAN I see this:
user at FreeBSD> tcpdump -n -i bge0 esp
...
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132

So, IPsec and ipfw_nat work in the outbound direction, but where are the reply packets disappearing to after arriving on the gif0 interface?
Why does no backward divert occur?

2)
  trying to ping the IPSEC PEER from the FreeBSD box
  user at b.b.b.1> ping c.c.c.1
  everything works, since no NAT occurs ...

  user at b.b.b.1> tcpdump -n -i gif0 host  c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, length 64
13:45:57.760745 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, length 64
13:45:58.762787 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, length 64
13:45:59.765493 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, length 64
13:46:00.764619 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, length 64
13:46:01.765676 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, length 64

  user at b.b.b.1> tcpdump -n -ettt -s0 -i bge0 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132



So, is it possible to get it working?
If yes, where is my mistake, please?

-- 
Zeus V. Panchenko
JID:zeus at gnu.org.ua			      	        GMT+2 (EET)
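As an added check (example code, not from the post or the freebsd-net thread): a small Python script that parses ipfw `nat` rules like the one in the posted ipfw.conf and tests whether a LAN-to-peer flow is matched by the same nat instance in both directions, which ipfw nat needs in order to undo the translation on the decrypted replies. The addresses are constructed RFC 5737/1918 stand-ins for the post's placeholders, and the second ruleset is a hypothetical symmetric variant, not a verified fix for this setup.

```python
import ipaddress
import re

# Constructed stand-ins for the post's placeholder addresses (not the poster's real ones):
# LAN a.a.1.0/24, a.a.2.0/24 -> 10.1.1.0/24, 10.1.2.0/24; NAT alias b.b.b.1 -> 192.0.2.1;
# PIX side c.c.c.0/24 -> 198.51.100.0/24.
POSTED_RULESET = """
add 00502 nat 100 all from { 10.1.1.0/24 or 10.1.2.0/24 } to 198.51.100.0/24
"""
# Hypothetical symmetric variant: a second rule that also matches the return traffic.
SYMMETRIC_RULESET = POSTED_RULESET + """
add 00503 nat 100 all from 198.51.100.0/24 to 192.0.2.1
"""

# A 'from'/'to' operand: a single prefix, 'any', or an ipfw set like '{ a or b }'.
OPERAND = r"(\{[^}]*\}|\S+)"
NAT_RULE = re.compile(r"^add\s+\d+\s+nat\s+(\d+)\s+\S+\s+from\s+" + OPERAND + r"\s+to\s+" + OPERAND)

def parse_operand(text):
    """Turn an ipfw address operand into the list of networks it covers."""
    text = text.strip().strip("{}").strip()
    if text == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(t.strip(), strict=False) for t in text.split(" or ")]

def nat_rules(ruleset):
    """Yield (nat_instance, from_networks, to_networks) for every 'nat N' rule."""
    for line in ruleset.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            yield int(m.group(1)), parse_operand(m.group(2)), parse_operand(m.group(3))

def matching_nat(ruleset, src, dst):
    """nat instances whose rule matches a packet src -> dst (ipfw uses the first; all are listed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [n for n, froms, tos in nat_rules(ruleset)
            if any(s in f for f in froms) and any(d in t for t in tos)]

def check_flow(ruleset, lan_host, peer, alias):
    """A translated flow needs the same nat instance on both legs:
    forward  lan_host -> peer   (source is aliased to `alias`)
    return   peer -> alias      (destination is mapped back to lan_host)."""
    fwd = matching_nat(ruleset, lan_host, peer)
    ret = matching_nat(ruleset, peer, alias)
    return {"forward": fwd, "return": ret, "ok": bool(fwd) and bool(set(fwd) & set(ret))}

if __name__ == "__main__":
    for name, rs in (("posted", POSTED_RULESET), ("symmetric", SYMMETRIC_RULESET)):
        print(name, check_flow(rs, "10.1.1.20", "198.51.100.1", "192.0.2.1"))
```

With the posted ruleset the return leg (peer -> alias) matches no nat rule at all, so libalias never sees the decrypted replies and cannot rewrite their destination back to the LAN host.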


More information about the freebsd-net mailing list