Date:      Thu, 21 Dec 2006 16:33:38 -0500
From:      "Byron Pezan" <byron.pezan@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   ISAKMPD between FreeBSD 6.1 and OpenBSD 3.9
Message-ID:  <51b6baf0612211333i38ac81b7ob114830d72dfa9ba@mail.gmail.com>

Does anyone have experience configuring ISAKMPD on FreeBSD?  I'm trying to
get a tunnel built between FreeBSD 6.1 and OpenBSD 3.9, but am having
problems convincing the FreeBSD box to route traffic through the tunnel.
Here are the details:

Tunnel Mode Transport
A.B.C.D   OpenBSD box external IP
D.C.B.A   OpenBSD box internal IP
D.C.0.0/16   Private net behind OpenBSD box

W.X.Y.Z   FreeBSD box external IP
Z.Y.X.W   FreeBSD box internal IP
Z.Y.0.0/16   Private net behind FreeBSD box

Here is the output of `isakmpd -d -L -DA=10` as seen from the OpenBSD box:

15:46:30.514054 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->0000000000000000 msgid: 00000000 len: 228
        payload: SA len: 120 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 108 proposal: 1 proto: ISAKMP spisz: 0
xforms: 3
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                        attribute KEY_LENGTH = 128
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                payload: TRANSFORM len: 32
                    transform: 2 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 256)
15:46:30.839197 W.X.Y.Z.isakmp > A.B.C.D.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 84
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                        attribute KEY_LENGTH = 128 [ttl 0] (id 1, len 112)
15:46:30.851759 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:46:31.175037 W.X.Y.Z.isakmp > A.B.C.D.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:46:31.188053 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 208.178.12.2
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT
(286174efc077306b->69ca5432aa5e90a2) [ttl 0] (id 1, len 120)
15:46:31.494160 W.X.Y.Z.isakmp > A.B.C.D.isakmp:  [udp sum ok] isakmp
v1.0exchange ID_PROT
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 00000000 len: 68
        payload: ID len: 12 type: IPV4_ADDR = 58.71.34.142
        payload: HASH len: 24 [ttl 0] (id 1, len 96)
15:46:31.507354 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange QUICK_MODE
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 332
        payload: HASH len: 24
        payload: SA len: 96 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xcfca4c50
                payload: TRANSFORM len: 32
                    transform: 1 ID: BLOWFISH
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
            payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0xc40e7bc6
                payload: TRANSFORM len: 28
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
10.1.0.0/255.255.0.0[ttl 0] (id 1, len 360)
15:46:31.835213 W.X.Y.Z.isakmp > A.B.C.D.isakmp:  [udp sum ok] isakmp
v1.0exchange QUICK_MODE
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 292
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4
xforms: 1 SPI: 0x7dc9a0bc
                payload: TRANSFORM len: 32
                    transform: 1 ID: BLOWFISH
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 600
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
10.1.0.0/255.255.0.0[ttl 0] (id 1, len 320)
15:46:31.835527 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange QUICK_MODE
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 208a3b76 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)
15:47:37.592455 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange INFO
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: 63a13831 len: 68
        payload: HASH len: 24
        payload: DELETE len: 16 DOI: 1(IPSEC) proto: IPSEC_ESP nspis: 1
            SPI: 0xcfca4c50 [ttl 0] (id 1, len 96)
15:47:37.593129 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp
v1.0exchange INFO
        cookie: 286174efc077306b->69ca5432aa5e90a2 msgid: eb2ce295 len: 80
        payload: HASH len: 24
        payload: DELETE len: 28 DOI: 1(IPSEC) proto: ISAKMP nspis: 1
            cookie: 286174efc077306b->69ca5432aa5e90a2 [ttl 0] (id 1, len
108)

I'm pretty sure the tunnel is coming up as I can run `tcpdump -i rl0 host
[external ip of remote gateway] and esp` and see esp packets corresponding
to pings from the OpenBSD box to the FreeBSD box on both gateways.  But I
can never see any esp packets originating from the FreeBSD box.

Here is the output of `tcpdump -i rl0 host W.X.Y.Z and esp` as seen from the
OpenBSD box while pinging Z.Y.X.W:

15:47:21.652369 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 1 len 116
15:47:22.653005 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 2 len 116
15:47:23.662991 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 3 len 116
15:47:24.672973 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 4 len 116

We've tried adding a route to the FreeBSD box like so:

route add D.C.0.0/16 Z.Y.X.W

That only creates a loop with ICMP redirects.

We've also tried creating gif tunnels like you would with Racoon on FreeBSD
without any luck.

ifconfig gif1 create
ifconfig gif1 tunnel A.B.C.D W.X.Y.Z
ifconfig gif1 inet D.C.B.A  Z.Y.X.W netmask 255.255.255.255
route add Z.Y.0.0/16 Z.Y.X.W netmask 255.255.0.0

ifconfig gif1 create
ifconfig gif1 tunnel W.X.Y.Z A.B.C.D
ifconfig gif1 inet Z.Y.X.W D.C.B.A netmask 255.255.255.255
route add D.C.0.0/16 D.C.B.A netmask 255.255.0.0

What does one have to do to get a FreeBSD box to route traffic through the
tunnel?

TIA

Byron Pezan
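An added diagnostic, not from the poster or from isakmpd, that applies the reasoning in the message to its two captures: it takes the Quick Mode SPIs from the isakmpd trace and the ESP packets from the tcpdump capture and reports which negotiated SA never carried a packet. The sample lines are constructed from the message's own output with the e-mail line wrapping undone; A.B.C.D and W.X.Y.Z are the poster's placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the isakmpd -L / tcpdump lines in the message
# (wrapped lines joined; A.B.C.D is the OpenBSD gateway, W.X.Y.Z the FreeBSD one).
IKE_LOG = """\
15:46:31.507354 A.B.C.D.isakmp > W.X.Y.Z.isakmp:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcfca4c50
            payload: PROPOSAL len: 40 proposal: 2 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc40e7bc6
15:46:31.835213 W.X.Y.Z.isakmp > A.B.C.D.isakmp:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x7dc9a0bc
"""
ESP_LOG = """\
15:47:21.652369 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 1 len 116
15:47:22.653005 esp A.B.C.D > W.X.Y.Z spi 0x7DC9A0BC seq 2 len 116
"""

HDR = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp:.*exchange QUICK_MODE")
PROP = re.compile(r"proposal: (\d+) proto: IPSEC_ESP .*SPI: (0x[0-9a-fA-F]+)")
ESP = re.compile(r"^\S+ esp (\S+) > (\S+) spi (0x[0-9a-fA-F]+)")

def negotiated_sas(ike_log):
    """Return {(src, dst): spi} for the ESP SAs agreed in Quick Mode.
    In IKEv1 a proposal's SPI is the one its sender will *receive* on, so the
    SPI offered by gateway A is the SPI the peer must use for peer -> A."""
    offers, order, sender = defaultdict(dict), [], None
    for line in ike_log.splitlines():
        m = HDR.match(line)
        if m:
            sender = m.group(1)
            continue
        m = PROP.search(line)
        if m and sender:
            if sender not in order:
                order.append(sender)
            offers[sender][int(m.group(1))] = m.group(2).lower()
    if len(order) != 2:
        return {}
    init, resp = order
    chosen = next(iter(offers[resp]))  # responder echoes only the accepted proposal
    if chosen not in offers[init]:
        return {}
    return {(init, resp): offers[resp][chosen], (resp, init): offers[init][chosen]}

def observed_esp(esp_log):
    """Return {(src, dst): set of SPIs} actually seen on the wire."""
    seen = defaultdict(set)
    for m in filter(None, map(ESP.match, esp_log.splitlines())):
        seen[(m.group(1), m.group(2))].add(m.group(3).lower())
    return seen

def unused_sas(ike_log, esp_log):
    """Directions whose negotiated SA never carried a packet: IKE succeeded,
    so the gap is in what the sending kernel does with plaintext, not in IKE."""
    seen = observed_esp(esp_log)
    return {d: spi for d, spi in negotiated_sas(ike_log).items()
            if spi not in seen.get(d, set())}

if __name__ == "__main__":
    for (src, dst), spi in unused_sas(IKE_LOG, ESP_LOG).items():
        print(f"SA {src} -> {dst} (SPI {spi}) negotiated but never used")
```

On the message's captures this reports only the W.X.Y.Z -> A.B.C.D direction, which matches the poster's observation that no ESP ever leaves the FreeBSD box; on a FreeBSD host that is the cue to inspect the kernel security policy (`setkey -DP`) rather than the IKE exchange.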


