freebsd vpn server behind nat dsl router

Robert Johannes info at plot.uz
Tue Mar 27 04:30:27 UTC 2007


On Thu, 15 Mar 2007, Tom Judge wrote:

> Robert Johannes wrote:
>> 
>> On Wed, 7 Mar 2007, VANHULLEBUS Yvan wrote:
>> 
>> 
>> Ok, I have done quite a bit of work since my last email, but I still don't 
>> see visible progress.  I did rebuild world and the kernel with the NAT-T 
>> patches/support that you recommended.  I have been playing around with 
>> ipsec etc.
>> 
>> I have created an esp tunnel between my two sites, and I am sending some 
>> ping traffic to the remote end, but the packets don't seem to get through. 
>> Here's a snippet of what I see on tcpdump:
>> 
>> 14:06:53.594241 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519,  \
>> length 64 (ipip-proto-4)
>> 14:06:54.595071 IP 190.41.95.135 > client-201.240.165.191.speedy.net.pe: \
>> IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520,  \
>> length 64 (ipip-proto-4)
>
> Firstly, have you set your DSL routers up to NAT the ipencap protocol back to 
> your FreeBSD box? (IPencap is an IP payload protocol, not a TCP or UDP 
> payload, so you will probably need a pretty advanced router to do this.)  The 
> packets you see here are not protected by IPSEC; they are just plain old 
> IPENCAP packets.  If they were IPSEC packets I would expect to see ESP as 
> the protocol and not see the encapsulated packet header.  (Again, when you get 
> IPSEC working you are going to need to NAT these packets to your FreeBSD 
> boxes.)

You are right that the DSL routers I have can't NAT the ipencap protocol 
(or perhaps I just don't know how to configure them to).  I have 
configured them to do port forwarding of port 4500 (NAT-T) to the 
FreeBSD VPN servers, and that works because I can do a tcpdump on that 
port and see traffic coming in from the internet, simply by telnetting to 
that port.

So, I don't have ipsec working.  How do I debug ipsec to see where I am 
failing?

>> From what I can tell, the kernel knows that it is to send the ping request 
>> from 192.168.1.254 to 192.168.0.254 through the tunnel mouths 190.41.95.135 
>> and 201.240.165.191.  But, there's no request from the other end.  Doing a 
>> tcpdump on the other side (192.168.0.254), nothing is coming in.  I have 
>> also done a ping from the latter machine to the former, but with exactly 
>> the same problem.  Nothing seems to get to the other end.
>> 
>> The tunnel is not using racoon yet.  I figure that I should be able to see 
>> some traffic going back and forth before I use racoon to manage keys.  The 
>> tunnel was created by the following lines on one host, and reversed on the 
>> other:
>> 
>> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec 
>> esp/tunnel/190.41.95.135-201.240.151.15/require;
>> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec 
>> esp/tunnel/201.240.151.15-190.41.95.135/require;
>> 
>> If anyone can shed some more light on this, I would appreciate it.
>> 
>
> From what I can see your /etc/ipsec.conf should look like this:
>
> spdadd 190.41.95.135/32 201.240.151.15/32 ipencap -P in ipsec
> 	esp/tunnel/190.41.95.135-201.240.151.15/require;
> spdadd 201.240.151.15/32 190.41.95.135/32 ipencap -P out ipsec
> 	esp/tunnel/201.240.151.15-190.41.95.135/require;
>
> These rules may be wrong but your tunnel seems to be an IP protocol 4 payload 
> which is ipencap (see /etc/protocols).
>
> Hope this helps.

Yes, this helps me know where I am at.  I don't have ipsec working, just 
plain-old ipencap, which is what I am trying to bypass to begin with 
because my routers can't handle NATing ipencap.

So, in order to get ipsec and NAT-T working (for which I did all the patch 
work to get NAT-T support), is it not enough to have the above entries in 
/etc/ipsec.conf?  What else do I need to do?  Must I configure racoon as 
well, otherwise ipsec doesn't work?  And if I do get ipsec working, how do 
I know, because I have not seen any log entries related to ipsec, except 
for the ones at bootup {WARNING: debug.mpsafenet forced to 0 as ipsec 
requires Giant IPsec: Initialized Security Association Processing.}

Thanks for your responses.

robert

>
> Tom
>
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
>
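As an added example (not from this thread or from FreeBSD), a small Python script that sorts tcpdump summary lines into the three cases discussed above: plain IP-in-IP (ipip-proto-4, inner packet readable), raw ESP (protocol 50), and ESP inside UDP/4500 (NAT-T), so a capture on the DSL side answers "is this traffic actually protected?" without guessing. The sample lines are constructed, and the ESP and UDP-encap line formats are assumed from typical tcpdump output.

```python
import re

# Constructed sample lines in tcpdump summary style (not a real capture):
# the first two mimic the ipip-proto-4 output seen in the thread, the
# others show what ESP and NAT-T (UDP/4500) traffic look like.  The exact
# ESP/UDP-encap formatting is assumed and may differ between tcpdump versions.
SAMPLE = """\
14:06:53.594241 IP 190.41.95.135 > 201.240.165.191: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1519, length 64 (ipip-proto-4)
14:06:54.595071 IP 190.41.95.135 > 201.240.165.191: IP 192.168.1.254 > 192.168.0.254: ICMP echo request, id 5784, seq 1520, length 64 (ipip-proto-4)
14:07:10.102030 IP 190.41.95.135 > 201.240.165.191: ESP(spi=0x0000100a,seq=0x1), length 116
14:07:11.202030 IP 190.41.95.135.4500 > 201.240.165.191.4500: UDP-encap: ESP(spi=0x0000100a,seq=0x2), length 116
"""

# Each rule maps a regex on the summary line to a label and a verdict.
# Order matters: the NAT-T rule must run before the generic ESP rule.
RULES = [
    (re.compile(r"\(ipip-proto-4\)"), "ipencap",
     "IP-in-IP (protocol 4): inner packet visible in the clear, not protected"),
    (re.compile(r"UDP-encap: ESP\("), "nat-t",
     "ESP inside UDP/4500 (NAT-T): protected, and port-forwardable on a NAT router"),
    (re.compile(r"\bESP\("), "esp",
     "raw ESP (protocol 50): protected, but the NAT router must pass protocol 50"),
]

def classify(line):
    """Return (label, verdict) for one tcpdump summary line."""
    for pattern, label, verdict in RULES:
        if pattern.search(line):
            return label, verdict
    return "other", "not tunnel traffic"

def tunnel_report(capture):
    """Count lines per label; any 'ipencap' count means unprotected tunnel traffic."""
    counts = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        label, _ = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        label, verdict = classify(line)
        print(f"{label:8s} {verdict}")
    print(tunnel_report(SAMPLE))
```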
