Date:      Sat, 16 Nov 2002 00:25:39 -0500
From:      Scott Ullrich <sullrich@CRE8.COM>
To:        "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, David Kelly <dkelly@hiwaay.net>
Cc:        FreeBSD-stable@FreeBSD.ORG
Subject:   RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID:  <2F6DCE1EFAB3BC418B5C324F13934C9601D23C0F@exchange.corp.cre8.com>

I am also having this same problem.  If I revert back to 4.7 RELEASE the
problem goes away.

Anyone have an idea of what changed the default behavior between 4.7 RELEASE
and STABLE or if there is a better workaround other than adding a rule
before the divert statement allowing the internal networks to talk?

Thanks,

Scott


-----Original Message-----
From: Greg Panula [mailto:greg.panula@dolaninformation.com] 
Sent: Friday, November 15, 2002 10:47 AM
To: David Kelly
Cc: FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?


David Kelly wrote:
> 
> On Fri, Nov 15, 2002 at 07:21:21AM -0600, Greg Panula wrote:
> 
> > If you are using gif tunnels for passing your ipsec traffic thru you 
> > might want to try not using them.  I ran into some similar funkyness 
> > a while back.  Packets traverse the gif tunnel, get decrypted and 
> > then get rejected by the firewall rules for the external interface.
> >
> > If you would like a quickie example of ipsec tunnel setup between 
> > two freebsd boxes, let me know.
> 
> Have a suspicion I'm not really using gif although I've configured the 
> interfaces. Earlier yesterday found I had not updated an IP address in 
> the gif0 device which changed a month or two prior. Yet things were 
> still working.
> 
> So yes, please, I'd like to see your notes on how to IPsec tunnel 
> without gif.
> 

Quickie how-to for ipsec tunnel between two freebsd gateways.  Assumes
racoon is installed & gateways use automatic key exchange.  Usable sample
racoon.conf included.

Network A: 10.1.1.0/24
Gateway A: int nic=10.1.1.1  ext nic=1.1.1.1

Network B: 10.2.2.0/24
Gateway B: int nic=10.2.2.1  ext nic=2.2.2.1


SPD setup on Gateway A:
setkey -c <<EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF

SPD setup on Gateway B:
setkey -c <<EOF
spdadd 10.1.1.0/24 10.2.2.0/24 any -P in ipsec esp/tunnel/1.1.1.1-2.2.2.1/unique;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P out ipsec esp/tunnel/2.2.2.1-1.1.1.1/unique;
EOF

**The above 'spdadd' commands are *one* line each.  Adding the spdadd lines
to /etc/ipsec.conf will get the spds added in at boot-time.

Next is either adding a pre-shared secret to /usr/local/etc/racoon/psk.txt
or setting up certificates.  Sorry haven't done certs, yet.  Format of
psk.txt is <hostname/ip address><tab><pre-shared secret>.


Here is a fairly generic /usr/local/etc/racoon/racoon.conf configuration.
It should be usable on both gateways. (works for me<grin>).

### begin ###
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to
# confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  
# It is followed by either "notify", "debug"
# or "debug2".
#log debug;
log notify;

# "padding" defines some parameter of padding.  
# You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize on;           # enable randomize length.
        randomize_length on;
        strict_check off;       # enable strict check.
        exclusive_tail on;      # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 40 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 300 sec;
        phase2 300 sec;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode main,aggressive,base;
        doi ipsec_doi;
        #situation identity_only;
        verify_identifier off;
        send_cert off;
        send_cr off;

        nonce_size 16;
        lifetime time 15 min;   # sec,min,hour
        #lifetime byte 5 MB;    # B,KB,GB
        initial_contact on;
        support_mip6 off;
        proposal_check claim;   # obey, strict or claim
        # If clients are connecting from dynamic addresses
        # set generate_policy to "on"
        generate_policy off;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        #pfs_group 1;
        # commented out pfs_group so that any pfs_group would be accepted
        lifetime time 3600 sec;
        #lifetime byte 50 MB;
        encryption_algorithm blowfish,3des,des,cast128 ;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
}

### end ###

If connecting your freebsd ipsec gateway to other equipment, e.g. linksys
vpn router, you might want to set net.key.preferred_oldsa to zero.

Let me know if you have questions or problems.  I might be able to help.

greg
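Added example, not code from Scott's or Greg's mail: a small sh script that builds the setkey(8) SPD lines for both gateways in Greg's how-to with one function (the peer's SPD is the same call with the argument pairs swapped), checks that the two ends mirror each other before anything is loaded, emits a psk.txt line, and prints the two ipfw allow rules Scott describes placing ahead of the divert rule. The addresses are Greg's sample values; the function names, the psk_entry helper and the ipfw rule number 900 are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above, not code from Scott's or Greg's mail.
# Builds the setkey(8) SPD for both ends of Greg's tunnel from one function,
# so the in/out direction and the src-dst order cannot be transposed by
# hand, and checks the two ends against each other before anything is
# loaded.  Addresses are Greg's sample values; everything else (function
# names, the ipfw rule number) is this example's own assumption.

# spd_policies LOCALNET REMOTENET LOCAL_EXT REMOTE_EXT
# Outbound LOCALNET->REMOTENET is tunnelled LOCAL_EXT->REMOTE_EXT; inbound
# is the exact reverse.  Each policy is printed as one line, as setkey wants.
spd_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$1" "$2" "$3" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$2" "$1" "$4" "$3"
}

# The peer's SPD is the same call with the argument pairs swapped.
gateway_a_spd() { spd_policies 10.1.1.0/24 10.2.2.0/24 1.1.1.1 2.2.2.1; }
gateway_b_spd() { spd_policies 10.2.2.0/24 10.1.1.0/24 2.2.2.1 1.1.1.1; }

# spd_mirrors SPD_A SPD_B
# Succeeds when each policy on one side appears on the other side with
# only the direction keyword changed.  A mistyped gateway address or a
# swapped tunnel endpoint fails here instead of as silently dropped packets.
spd_mirrors() {
    norm_a=$(printf '%s\n' "$1" | sed 's/-P out /-P DIR /; s/-P in /-P DIR /' | sort)
    norm_b=$(printf '%s\n' "$2" | sed 's/-P out /-P DIR /; s/-P in /-P DIR /' | sort)
    [ "$norm_a" = "$norm_b" ]
}

# psk_entry PEER SECRET
# One line for racoon's psk.txt: identifier, a tab, the secret.  Keep the
# file root-owned and mode 0600; racoon refuses a key file that group or
# others can read.
psk_entry() { printf '%s\t%s\n' "$1" "$2"; }

# ipfw_passthrough_rules RULENO LOCALNET REMOTENET
# Scott's workaround: let the two inside networks talk before the divert
# rule sees the decrypted packets.  RULENO (900 here, an assumption) must
# sort ahead of the divert rule in the ruleset.
ipfw_passthrough_rules() {
    printf 'ipfw add %s allow ip from %s to %s\n' "$1" "$2" "$3"
    printf 'ipfw add %s allow ip from %s to %s\n' "$1" "$3" "$2"
}

# Print both SPDs and the ipfw rules; nothing is loaded into the kernel.
# Feed the SPD text to "setkey -f" or /etc/ipsec.conf once it checks out.
a=$(gateway_a_spd)
b=$(gateway_b_spd)
printf '# Gateway A:\n%s\n# Gateway B:\n%s\n' "$a" "$b"
if spd_mirrors "$a" "$b"; then
    echo '# SPDs mirror each other'
else
    echo '# SPD mismatch: do not load these' >&2
fi
ipfw_passthrough_rules 900 10.1.1.0/24 10.2.2.0/24
```

The mirror check is the useful part: when a site gets this wrong, the failure is usually an outbound policy on one gateway whose tunnel endpoints do not match the inbound policy on the other, and the only symptom is that pings vanish, so comparing the two generated SPDs before loading them saves a round of tcpdump on the external interface.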

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2F6DCE1EFAB3BC418B5C324F13934C9601D23C0F>