Date: Mon, 27 Jun 2011 00:54:39 +0300
From: NutipA <nnutipa@gmail.com>
To: questions@FreeBSD.org
Subject: Traffic ignore security policies for SA in IPSec site-to-site connection
Message-ID: <4E07AA9F.90509@gmail.com>
First of all, I apologize if I chose the wrong mailing list.

I need to establish an IPSec site-to-site connection between two offices as shown below:

LAN1 (192.168.1.0/24)
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP (X.X.X.X)
|
|
internet
|
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPPoE (X.X.X.X)
|
LAN2 (192.168.10.0/24)

The connection between the two gateways has been successfully established. All traffic between the two VPN gateways with global addresses X.X.X.X and Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this traffic as packets with ESP headers in my sniffer. Then I added static routes to each LAN. But when I ping any private address in LAN2 from my computer (192.168.1.102) I see the following output in tcpdump on the LAN1 gateway:

19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y : IP 192.168.1.102 > 192.168.10.1: ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)

The traffic hasn't been encrypted and processed by IPsec! It has rather been placed only in the gif interface, and of course the remote site is not responding. So IP packets ignore the security policies for the SA:

192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
        spid=5 seq=0 pid=23533
        refcnt=1

As I understand, the traffic from client machines in any direction should look like this:

21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66), length 116

Please help me to solve this strange problem. I have created a test environment (5 virtual machines) and everything was OK! The only difference was that the tests were run in several private local networks, without an ISP and pptp/pppoe interfaces.
Also, on the advice of other people I need to try it without the gif interface, but all my tests were made according to the handbook article.

P.S. I have attached my configs and the output of some commands, because my message is too big.

[Attachment: ipsec_configs.txt]
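The tcpdump line in the post shows the ping leaving the gateway as a plain ipip packet between the two public addresses rather than as ESP. As an added illustration (not the poster's code or configs), the following Python parses the quoted `setkey -DP` output and checks which packet header the policies actually cover; it is a simplified model of selector matching (addresses and direction only), and the documentation-range public addresses standing in for X.X.X.X / Y.Y.Y.Y are constructed.

```python
import ipaddress
import re

# Constructed sample: the two SPD entries quoted in the post, with the X.X.X.X and
# Y.Y.Y.Y placeholders replaced by documentation-range addresses (an assumption).
SPD_DUMP = """\
192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/use
        spid=5 seq=0 pid=23533
        refcnt=1
"""

SELECTOR = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")  # "src[port] dst[port] proto"

def parse_spd(dump):
    """Turn `setkey -DP` output into dicts with src/dst prefixes, direction, level, spid."""
    policies, cur = [], None
    for line in (l.strip() for l in dump.splitlines()):
        m = SELECTOR.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2))}
            policies.append(cur)
        elif cur is not None and line.split(" ")[0] in ("in", "out"):
            cur["dir"] = line.split(" ")[0]
        elif cur is not None and line.startswith("esp/tunnel/"):
            cur["level"] = line.rsplit("/", 1)[1]          # "use" or "require"
        elif cur is not None and line.startswith("spid="):
            cur["spid"] = int(line.split()[0].split("=")[1])
    return policies

def spd_lookup(policies, src, dst, direction):
    """First policy whose prefixes cover src -> dst in `direction`, else None.
    Simplified model: only addresses and direction are compared, not ports/protocol."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def use_level_spids(policies):
    """spids at level `use`: IPsec only if an SA exists, otherwise the packet passes as-is."""
    return [p["spid"] for p in policies if p.get("level") == "use"]
```

Looking up the outer ipip header (public address to public address, direction out) returns no policy, while the inner LAN-to-LAN header matches spid 5. The `use` level on both policies is also worth comparing with `require`, since `use` lets a packet through unprotected whenever no SA applies to it.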