From owner-freebsd-isp@FreeBSD.ORG Thu Jan 31 16:25:13 2013
From: Jack Carrozzo <jack@crepinc.com>
To: freebsd-isp@freebsd.org
Cc: Alexander Grant
Date: Thu, 31 Jan 2013 11:25:10 -0500
Subject: IPsec dynamic client config
List-Id: Internet Services Providers

Hi,

I'm running 9.1-RELEASE. I began by following this tutorial to get IPsec
working with iPhones and laptops:

  http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_Roadwarrior_IPSec

In short, racoon is happy, the clients connect successfully and the IPsec
tunnels come up. However, packets mysteriously disappear:

- route -rn doesn't show any additional routes when the client is connected
- arp -an doesn't list the private IPs
- pings to the client IP (10.10.0.1 in this case) simply disappear... tcpdump
  on the external interface doesn't show the ICMPs themselves nor any IPsec
  packets (though lots of IPsec traffic is seen during a connection), while
  ICMP to any other IP behaves as expected

Since I'm running IPsec in tunnel mode (i.e. not transport), do I need to
configure a local gif interface to tie the private IPs to? I can't find
anything in racoon's conf that allows you to set the local private IP, only
the IP pool and netmask.

Configs:

racoon.conf: http://pastebin.com/VUC0gDMM

# cat setkey.conf
flush;      # clear the SAD
spdflush;   # clear the SPD

# cat psk.txt
* moose

# grep -e ipsec -e racoon /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"

# ipfw show
65535 236592 53425760 allow ip from any to any

Kernel options:

options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFORWARD
options IPSEC_ESP
options IPSEC_DEBUG

Logs:

IPsec tunnels: http://pastebin.com/X3ymAaUT and http://pastebin.com/EJ9Y6hXV
racoon.log (with DEBUGs, 2185 lines): http://pastebin.com/pibMc53k
racoon.log (just INFOs, 38 lines): http://pastebin.com/K9cyUe5t

Thanks,
-Jack
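The symptom described in the post (tunnels negotiate, yet packets to the client's private address vanish and nothing appears on the external interface) is what you see when the kernel has no outbound security policy covering that address, or a policy whose SA never came up. The following checker is an added example, not part of the original post and not code from racoon or the FreeBSD ipsec-tools; it parses the text that `setkey -DP` (SPD) and `setkey -D` (SAD) print and reports whether a given client address has an in/out tunnel-mode policy pair backed by mature SAs. The two dumps inside it are constructed for this example: 10.10.0.1 is the client address from the post, while the outer addresses 198.51.100.7 (server) and 203.0.113.5 (client) are assumptions from documentation ranges.

```python
"""Check what racoon actually installed in the kernel for one roadwarrior
client, from the text printed by `setkey -DP` (SPD) and `setkey -D` (SAD).

A tunnel-mode client needs, on the server: an inbound policy whose inner
source is the client's private address, an outbound policy whose inner
destination is that address, and a mature tunnel-mode SA for each policy's
outer endpoints. A packet to the client that matches no outbound policy is
simply routed like any other packet, not encapsulated.
"""
import re
import sys
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample dumps (server outer 198.51.100.7, client outer
# 203.0.113.5, client inner 10.10.0.1); replace with real setkey output.
SAMPLE_SPD = """\
10.10.0.1/32[any] 0.0.0.0/0[any] any
\tin ipsec
\tesp/tunnel/203.0.113.5-198.51.100.7/require
\tspid=3 seq=1 pid=1234
\trefcnt=1
0.0.0.0/0[any] 10.10.0.1/32[any] any
\tout ipsec
\tesp/tunnel/198.51.100.7-203.0.113.5/require
\tspid=4 seq=0 pid=1234
\trefcnt=1
"""
SAMPLE_SAD = """\
203.0.113.5 198.51.100.7
\tesp mode=tunnel spi=3051192141(0xb5db6b4d) reqid=0(0x00000000)
\tE: aes-cbc  0f1e2d3c 4b5a6978 8796a5b4 c3d2e1f0
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7 203.0.113.5
\tesp mode=tunnel spi=1234567890(0x499602d2) reqid=0(0x00000000)
\tE: aes-cbc  f0e1d2c3 b4a59687 78695a4b 3c2d1e0f
\tA: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 76543210
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""


@dataclass
class Policy:
    src: str              # inner selector, e.g. "10.10.0.1/32" or "0.0.0.0/0"
    dst: str
    direction: str = ""   # in / out / fwd
    action: str = ""      # ipsec / discard / none
    tunnel: tuple = None  # (outer_src, outer_dst) when esp/tunnel is required


def parse_spd(text: str) -> list:
    """Parse `setkey -DP` output: an unindented selector line followed by
    indented attribute lines for each policy."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"(\S+?)\[[^\]]*\]\s+(\S+?)\[[^\]]*\]", line)
            if m:
                cur = Policy(src=m.group(1), dst=m.group(2))
                policies.append(cur)
        elif cur is not None:
            body = line.strip()
            m = re.match(r"(in|out|fwd)\s+(ipsec|discard|none)", body)
            if m:
                cur.direction, cur.action = m.group(1), m.group(2)
            m = re.match(r"esp/tunnel/([^-/]+)-([^/]+)/", body)
            if m:
                cur.tunnel = (m.group(1), m.group(2))
    return policies


def parse_sad(text: str) -> list:
    """Parse `setkey -D` output into one dict per SA (src, dst, proto and
    every key=value attribute such as mode, spi, state)."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if len(parts) >= 2:
                cur = {"src": parts[0], "dst": parts[1]}
                sas.append(cur)
        elif cur is not None:
            body = line.strip()
            if body.split()[0] in ("esp", "ah", "ipcomp"):
                cur["proto"] = body.split()[0]
            for k, v in re.findall(r"(\w+)=([^\s(]+)", body):
                cur.setdefault(k, v)
    return sas


def has_mature_tunnel_sa(sas: list, outer_src: str, outer_dst: str) -> bool:
    return any(sa["src"] == outer_src and sa["dst"] == outer_dst
               and sa.get("mode") == "tunnel" and sa.get("state") == "mature"
               for sa in sas)


def check_client(client: str, policies: list, sas: list) -> dict:
    """Require host-specific selectors so a 0.0.0.0/0 catch-all policy does
    not hide a missing per-client one."""
    ip = ip_address(client)

    def is_host(selector):
        net = ip_network(selector, strict=False)
        return net.num_addresses == 1 and ip in net

    inbound = [p for p in policies if p.direction == "in"
               and p.action == "ipsec" and is_host(p.src)]
    outbound = [p for p in policies if p.direction == "out"
                and p.action == "ipsec" and is_host(p.dst)]
    result = {"in_policy": bool(inbound), "out_policy": bool(outbound),
              "in_sa": False, "out_sa": False}
    if inbound and inbound[0].tunnel:
        result["in_sa"] = has_mature_tunnel_sa(sas, *inbound[0].tunnel)
    if outbound and outbound[0].tunnel:
        result["out_sa"] = has_mature_tunnel_sa(sas, *outbound[0].tunnel)
    return result


def explain(result: dict) -> list:
    """Map the check result to the next thing to look at."""
    if not (result["in_policy"] and result["out_policy"]):
        return ["no per-client in/out policy: racoon did not install one "
                "(check generate_policy in racoon.conf and that nothing ran "
                "spdflush after the client connected)"]
    if not (result["in_sa"] and result["out_sa"]):
        return ["policy exists but no mature SA for its endpoints: phase 2 "
                "did not complete, check racoon.log"]
    return ["policy pair and SAs present; traffic should be encapsulated, "
            "capture on enc0 to confirm"]


def main(argv):
    if len(argv) == 4:  # usage: check.py CLIENT_IP spd.txt sad.txt
        client = argv[1]
        spd_text, sad_text = open(argv[2]).read(), open(argv[3]).read()
    else:
        client, spd_text, sad_text = "10.10.0.1", SAMPLE_SPD, SAMPLE_SAD
    result = check_client(client, parse_spd(spd_text), parse_sad(sad_text))
    print(client, result)
    for note in explain(result):
        print(" -", note)


if __name__ == "__main__":
    main(sys.argv)
```

On the real host run `setkey -DP > spd.txt; setkey -D > sad.txt` and pass both files with the client address. If the policy pair is present, `tcpdump -ni enc0` (enc(4) must be in the kernel) shows the cleartext inner packets as they enter and leave the tunnel, which separates "never matched a policy" from "encapsulated but dropped on the other end".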