Date: Fri, 25 Oct 2013 15:35:18 +0200 From: VANHULLEBUS Yvan <vanhu@FreeBSD.org> To: freebsd-net@freebsd.org Subject: Re: Can't configure a simple IPSec (manual SA/SP) Message-ID: <20131025133517.GA5588@zeninc.net> In-Reply-To: <CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com> References: <CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 25, 2013 at 11:20:11AM +0200, Olivier Cochard-Labb? wrote: > Hi all, Hi. > I'm trying to configure simple static IPSec SA/SP in tunnel mode on my > FreeBSD 9.2-RELEASE (crypto + ipsec added to the kernel) but the IPSec > configuration seems to be ignored. > > local private net (em0): 10.0.12.0/24 > local end-point IP (em1): 10.0.23.2 > remote private net: 10.0.45.0/24 > remote end-point IP: 10.0.34.4 > > I'm configuring the static SA/SP entries like that: > > flush; > spdflush; > spdadd 10.0.12.0/24 10.0.45.0/24 any -P out ipsec > esp/tunnel/10.0.23.2-10.0.34.4/require; > spdadd 10.0.45.0/24 10.0.12.0/24 any -P in ipsec > esp/tunnel/10.0.34.4-10.0.23.2/require; > add 10.0.23.2 10.0.34.4 esp 0x1000 -E 3des-cbc "3des_compliant_password1"; > add 10.0.34.4 10.0.23.2 esp 0x1001 -E 3des-cbc "3des_compliant_password2"; > > This configuration seems correctly applied: [seems good] > But when a machine in local_private_net try to ping a > remote_private_net, the traffic is not tunnel/encrypted: > > [root@R2]~# tcpdump -pni em1 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes > 10:35:21.284571 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, > seq 0, length 64 > 10:35:22.288836 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, > seq 1, length 64 > 10:35:23.298386 IP 10.0.12.1 > 10.0.45.5: ICMP echo request, id 48913, > seq 2, length 64 > > I've try to enable IPSEC_DEBUG on my kernel: I've got nothing in my log. > > How can I get a more verbose IPsec log for spotting my problem ? I'm not sure your problem is directly related to your IPsec configuration: your packet may just not reach the IPsec stack for some reason to be understood. Do you use some bridging configuration ? Do you have some kind of filtering/NAT rules ? Some complex routing tables ? Can you send the output (on your IPsec gate) of: sysctl -a net.inet.ip.fastforwarding Have also a look at the output of "netstat -s", and check all sections related to IPsec (pfkey, ipsec, esp). Yvan.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20131025133517.GA5588>