Traffic ignore security policies for SA in IPSec site-to-site
connection
NutipA
nnutipa at gmail.com
Sun Jun 26 22:21:48 UTC 2011
First of all, I apologize if I chose the wrong mailing list. I need to
establish an IPSec site-to-site connection between two offices as shown
below:
LAN1 (192.168.1.0/24)
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP(X.X.X.X)
|
|
internet
|
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPPoE(X.X.X.X)
|
LAN2 (192.168.10.0/24)
The connection between the two gateways has been successfully established.
All traffic between the two VPN gateways with global addresses X.X.X.X and
Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this
traffic as packets with ESP headers in my sniffer. Then I added static
routes to each LAN. But when I ping any private address in LAN2 from my
computer (192.168.1.102) I see the following output in tcpdump on the LAN1 gateway:
19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y : IP 192.168.1.102 > 192.168.10.1:
ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)
The traffic hasn't been encrypted and processed by IPsec! It has rather been
placed only in the gif interface and of course the remote site is not
responding. So IP packets ignore the security policies for the SA:
192.168.10.0/24[any] 192.168.1.0/24[any] any
in ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
spid=6 seq=1 pid=23533
refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
spid=5 seq=0 pid=23533
refcnt=1
As I understand, the traffic from client machines in any direction
should look like this:
21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66),
length 116
Please help me to solve this strange problem. I have created a test
environment (5 virtual machines) and everything was OK! The only
difference was that the tests were run in several private local
networks, without an ISP and pptp/pppoe interfaces. Also, on the advice of
other people I need to try it without the gif interface, but all my tests
were made according to the handbook article.
P.S. I have attached my configs and the output of some commands, because my
message is too big.
-------------- next part --------------
[19:00]root at beta:/home/NutipA# cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
# To the second office network
spdadd 192.168.1.0/24 192.168.10.0/24 any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd 192.168.10.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
---------------------------------------------------------------------------
[19:02]root at beta:/home/NutipA# cat /usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp X.X.X.X [500];
isakmp_natt X.X.X.X [4500];
}
remote Y.Y.Y.Y [500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address X.X.X.X;
peers_identifier address Y.Y.Y.Y;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
sainfo (address 192.168.1.0/24 any address 192.168.10.0/24 any) # address $network/$netmask $type address $network/$netmas
{ # $network must be the two internal networks you are joining.
pfs_group 1;
lifetime time 36000 sec;
encryption_algorithm 3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
---------------------------------------------------------------------------
[18:53]root at beta:/home/NutipA# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether 00:17:31:55:a6:07
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
<output omitted>
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1400
options=80000<LINKSTATE>
inet X.X.X.X --> 81.25.33.1 netmask 0xffffffff
Opened by PID 32338
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet X.X.X.X --> Y.Y.Y.Y
inet 192.168.1.2 --> 192.168.10.1 netmask 0xffffff00
options=1<ACCEPT_REV_ETHIP_VER>
---------------------------------------------------------------------------
[18:52]root at beta:/home/NutipA# setkey -D
X.X.X.X Y.Y.Y.Y
esp mode=tunnel spi=233892651(0x0df0eb2b) reqid=0(0x00000000)
E: 3des acc5fbb3 7e6cb546 b389e45c b853ee22
A: hmac-md5 5cf27121 a867cbb1 450d4c6c 6966d0d7
seq=0x00000056 replay=4 flags=0x00000000 state=mature
created: Jun 6 21:18:52 2011 current: Jun 6 21:21:18 2011
diff: 146(s) hard: 36000(s) soft: 28800(s)
last: Jun 6 21:21:01 2011 hard: 0(s) soft: 0(s)
current: 11624(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 86 hard: 0 soft: 0
sadb_seq=3 pid=1453 refcnt=2
Y.Y.Y.Y X.X.X.X
esp mode=tunnel spi=102867574(0x0621a276) reqid=0(0x00000000)
E: 3des 05d8dfff dddd8099 dbc32c1b c3ea8e59
A: hmac-md5 eccc1e7b b97e36c3 6ad68c2e 33d135ac
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 6 21:18:52 2011 current: Jun 6 21:21:18 2011
diff: 146(s) hard: 36000(s) soft: 28800(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=1453 refcnt=1
---------------------------------------------------------------------------
[18:51]root at beta:/home/NutipA# setkey -DP
192.168.10.0/24[any] 192.168.1.0/24[any] any
in ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
spid=6 seq=1 pid=23533
refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
spid=5 seq=0 pid=23533
refcnt=1
---------------------------------------------------------------------------
[19:03]root at beta:/home/NutipA# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default Z.Z.Z.Z UGS 0 74261 tun0
<output omitted>
192.168.1.0/24 link#1 U 2 1097106 em0
192.168.1.2 link#1 UHS 0 0 lo0
192.168.10.0/24 192.168.10.1 UGS 0 549 gif0
192.168.10.1 link#8 UH 0 4230 gif0
---------------------------------------------------------------------------
[18:57]root at beta:/home/NutipA# cat /etc/rc.conf
zfs_enable="YES"
hostname="beta"
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0 -rxcsum -txcsum -tso"
sshd_enable="YES"
ifconfig_vr0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
firewall_type="/etc/firewall"
---------------------------------------------------------------------------
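An added example, not part of the original message: a small checker that parses `setkey -DP` output in the format shown above and answers two questions a defender would ask here. First, which policy (if any) covers a given flow; second, whether that flow could leave the box unprotected, which is the case when no policy matches or when the matching policy has level `use` (encrypt only if an SA already exists) rather than `require` (drop otherwise). The sample dump is constructed from the post's `setkey -DP` output, with 203.0.113.1 and 198.51.100.1 standing in for X.X.X.X and Y.Y.Y.Y so the addresses parse; the second lookup uses the post-gif outer header (gateway to gateway, protocol ipencap, as in the `ipip-proto-4` tcpdump line).

```python
import ipaddress
import re

# Constructed sample in `setkey -DP` format; 203.0.113.1 / 198.51.100.1 stand in
# for the X.X.X.X / Y.Y.Y.Y gateway addresses of the original post.
SPD_DUMP = """\
192.168.10.0/24[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/use
\tspid=6 seq=1 pid=23533
\trefcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/use
\tspid=5 seq=0 pid=23533
\trefcnt=1
"""

SELECTOR = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")   # src[port] dst[port] proto
RULE = re.compile(r"^(\w+)/(\w+)/([^/]*)/(\w+)$")                   # proto/mode/endpoints/level

def parse_spd(dump):
    """Turn setkey -DP text into a list of policy dicts (selector, direction, rule)."""
    policies, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        sel = SELECTOR.match(line)
        rule = RULE.match(line)
        if sel:
            cur = {"src": ipaddress.ip_network(sel.group(1)),
                   "dst": ipaddress.ip_network(sel.group(3)), "proto": sel.group(5)}
            policies.append(cur)
        elif cur and line.split()[0] in ("in", "out", "fwd"):
            cur["dir"], cur["action"] = line.split()
        elif cur and rule:
            cur["ipsec_proto"], cur["mode"], cur["endpoints"], cur["level"] = rule.groups()
        elif cur and line.startswith("spid="):
            cur["spid"] = int(line.split()[0].split("=")[1])
    return policies

def match_flow(policies, src, dst, direction, proto="any"):
    """Return the first policy whose selector covers the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"] \
                and p["proto"] in ("any", proto):
            return p
    return None

def cleartext_possible(policies, src, dst, direction, proto="any"):
    """True if the flow may leave unprotected: no matching policy, or level 'use'."""
    p = match_flow(policies, src, dst, direction, proto)
    return p is None or p["level"] == "use"
```

Run against the sample, the inner LAN-to-LAN flow matches spid 5 but is still flagged because of level `use`, while the outer gateway-to-gateway ipencap header matches nothing at all.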