Date:      Mon, 27 Jun 2011 00:54:39 +0300
From:      NutipA <nnutipa@gmail.com>
To:        questions@FreeBSD.org
Subject:   Traffic ignores security policies for SA in IPSec site-to-site connection
Message-ID:  <4E07AA9F.90509@gmail.com>


First of all, I apologize if I chose the wrong mailing list. I need to 
establish an IPSec site-to-site connection between two offices as shown 
below:

LAN1 (192.168.1.0/24)
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPTP(X.X.X.X)
|
|
internet
|
|
FreeBSD 8.2 (192.168.1.2) + ipfw NAT over PPPoE(X.X.X.X)
|
LAN2 (192.168.10.0/24)

The connection between the two gateways has been successfully established. 
All traffic between the two VPN gateways with global addresses X.X.X.X and 
Y.Y.Y.Y has been successfully encapsulated and encrypted. I see this 
traffic as packets with ESP headers in my sniffer. Then I added static 
routes to each LAN. But when I ping any private address in LAN2 from my 
computer (192.168.1.102) I see the following output in tcpdump on the LAN1 gateway:

19:33:42.506971 IP X.X.X.X > Y.Y.Y.Y : IP 192.168.1.102 > 192.168.10.1: 
ICMP echo request, id 13941, seq 4, length 64 (ipip-proto-4)

The traffic hasn't been encrypted and processed by IPsec! It has instead 
only been placed in the gif interface, and of course the remote site is not 
responding. So IP packets ignore the security policies for the SA:

192.168.10.0/24[any] 192.168.1.0/24[any] any
         in ipsec
         esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
         spid=6 seq=1 pid=23533
         refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
         out ipsec
         esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
         spid=5 seq=0 pid=23533
         refcnt=1

As I understand, the traffic from client machines in any direction 
should look like this:

21:34:16.486698 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0x043488c2,seq=0x66), 
length 116

Please help me to solve this strange problem. I have created a test 
environment (5 virtual machines) and everything was OK! The only 
difference was that the tests were run in several private local 
networks, without an ISP and pptp/pppoe interfaces. Also, on the advice of 
other people I need to try it without the gif interface, but all my tests 
were made according to the handbook article.

P.S. I have attached my configs and the output of the commands, because my 
message is too big.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E07AA9F.90509>
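Added here as an example for readers of this thread; it is not code from the original message, from the FreeBSD handbook or from FreeBSD's own tools. It is a small Python audit of a `setkey -DP` dump in the layout quoted in the message. Two things a practitioner would check in such a dump: the policy level, because per setkey(8) `use` applies an SA when one is available and otherwise lets a matching packet leave in the clear, while `require` refuses to send without an SA; and whether every outbound policy has a mirrored inbound policy with the selectors and tunnel endpoints reversed. The sample dump is constructed from the two policies quoted above, with the X.X.X.X / Y.Y.Y.Y placeholders kept as opaque endpoint strings; the function names and finding texts are my own.

```python
"""Audit a KAME/FreeBSD `setkey -DP` policy dump for fail-open levels and
one-way tunnel pairs.  Example code written for this thread, not part of
the original message or of FreeBSD.  The parser follows the dump layout
quoted in the message; SAMPLE_SPD is constructed from those two policies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the policies quoted in the message (not a live dump).
SAMPLE_SPD = """\
192.168.10.0/24[any] 192.168.1.0/24[any] any
        in ipsec
        esp/tunnel/Y.Y.Y.Y-X.X.X.X/use
        spid=6 seq=1 pid=23533
        refcnt=1
192.168.1.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/X.X.X.X-Y.Y.Y.Y/use
        spid=5 seq=0 pid=23533
        refcnt=1
"""

HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
ACTION_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
# e.g. "esp/tunnel/X.X.X.X-Y.Y.Y.Y/use" or "esp/transport//require"
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)$")
SPID_RE = re.compile(r"spid=(\d+)")


@dataclass
class Policy:
    src: str                 # source selector, e.g. 192.168.1.0/24
    dst: str                 # destination selector
    upper: str               # upper-layer protocol selector ("any", "icmp", ...)
    direction: str = "?"     # in / out / fwd
    action: str = "?"        # ipsec / discard / none
    proto: Optional[str] = None       # esp / ah / ipcomp
    mode: Optional[str] = None        # tunnel / transport
    tunnel_src: Optional[str] = None  # outer (gateway) addresses in tunnel mode
    tunnel_dst: Optional[str] = None
    level: Optional[str] = None       # default / use / require / unique
    spid: Optional[int] = None


def parse_spd(dump: str) -> List[Policy]:
    """Parse the setkey -DP text format into Policy records."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and not raw[:1].isspace():      # selector line is unindented
            cur = Policy(src=m.group(1), dst=m.group(3), upper=m.group(5))
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = ACTION_RE.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            cur.proto, cur.mode, endpoints, cur.level = m.groups()
            if cur.mode == "tunnel" and "-" in endpoints:
                cur.tunnel_src, cur.tunnel_dst = endpoints.split("-", 1)
            continue
        m = SPID_RE.search(line)
        if m:
            cur.spid = int(m.group(1))
    return policies


def _mirror_of(p: Policy, policies: List[Policy]) -> Optional[Policy]:
    """Find the inbound policy that reverses p's selectors and endpoints."""
    for q in policies:
        if (q.direction == "in" and q.action == "ipsec" and q.mode == p.mode
                and q.src == p.dst and q.dst == p.src and q.upper == p.upper
                and q.tunnel_src == p.tunnel_dst
                and q.tunnel_dst == p.tunnel_src):
            return q
    return None


def audit(policies: List[Policy]) -> List[str]:
    findings: List[str] = []
    for p in policies:
        if p.action != "ipsec":
            continue
        tag = f"spid={p.spid} {p.direction} {p.src} -> {p.dst}"
        # setkey(8): 'use' applies an SA when one exists and otherwise lets the
        # packet through in the clear; 'require' refuses to send without an SA.
        # 'default' defers to the net.inet.ipsec.*_deflev sysctls, so check them.
        if p.level == "use":
            findings.append(f"{tag}: level 'use' is fail-open, prefer 'require'")
        elif p.level == "default":
            findings.append(f"{tag}: level 'default' depends on sysctl, verify")
        if p.direction == "out" and _mirror_of(p, policies) is None:
            findings.append(f"{tag}: no matching inbound policy for return traffic")
    return findings


def audit_dump(dump: str) -> List[str]:
    return audit(parse_spd(dump))


if __name__ == "__main__":
    for line in audit_dump(SAMPLE_SPD) or ["no findings"]:
        print(line)
```

Run on the two policies quoted in the message it reports both as fail-open; with `/use` changed to `/require` it reports nothing, and with the inbound policy removed it also reports the missing mirror. A policy at `require` would make the ping fail outright rather than leave as `ipip-proto-4` in the clear, which is the behaviour this check targets; it says nothing about why no SA matched in the first place, which is what the thread still has to settle.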